a28f4adb3387f38659beb140b9d25be7e84db5069256f9fc804ab91c1d5a79e5

Analysis

max time kernel
169s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skype-8.97.0.404.exe
Size

85.0MB
MD5

4203fd588d094427a69a76ae21f7257b
SHA1

7e779cc8e680e8125f6c0d5392d05c8ce0498ee3
SHA256

a28f4adb3387f38659beb140b9d25be7e84db5069256f9fc804ab91c1d5a79e5
SHA512

274bc2d8375accf0d3c0d617b6dcaf770220d90290eca2083bc6c8fd65d56ef378dec6a16e62c11137e96c45386f93d6fb46e794cefce4e045cb361159194855
SSDEEP

1572864:7uvBrHmoObp/j2kDELqi8q8+91agqJnYHWvEZHjh+1WB93MjsvZNc7km4cyoHFR:7+Wb5KkDEth8+9dMf8ZFQuy+sYoHP

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1548	netsh.exe
396	netsh.exe
4864	netsh.exe
4732	netsh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype for Desktop = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype for Desktop = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe"	reg.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Skype-8.97.0.404.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Skype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Skype.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-string-l1-1-0.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-23QEP.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-ETM80.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-UE2G3.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\mac\is-JDKAS.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-KBHPD.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-21P0U.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-812QL.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\win\is-3SSK7.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-3727G.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-7LCUO.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-2AMVC.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-J5I89.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-A8S9Q.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-D6HH0.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\win\is-0GHEC.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-filesystem-l1-1-0.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-H19MG.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-8159J.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-H3N38.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-R3NR4.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l1-2-0.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-BG60O.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-QUT7D.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-CHDFA.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-1NUOF.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-H7CV4.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-O63UT.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\mac\is-45ERR.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-5JII2.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-TREUI.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-53JSD.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-console-l1-1-0.dll	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-file-l2-1-0.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-7TDS5.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-2H317.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-DCHJ7.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-NKQFV.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-HHH61.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-IMGN0.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\linux\is-KSLN1.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\ssScreenVVS2.dll	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\vcruntime140.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-CF1OH.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-synch-l1-2-0.dll	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-crt-convert-l1-1-0.dll	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-datetime-l1-1-0.dll	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\api-ms-win-core-errorhandling-l1-1-0.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-BQGQP.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-GE12T.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-33DBH.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\is-B4FRQ.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\unins000.msg	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-E2TJD.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-1LUA1.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-L30C1.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-OFHVQ.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-3FGPO.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\is-S47CC.tmp	Skype-8.97.0.404.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RTMPLTFM.dll	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-QB49R.tmp	Skype-8.97.0.404.tmp
File created	C:\Program Files (x86)\Microsoft\Skype for Desktop\is-N3K8T.tmp	Skype-8.97.0.404.tmp

Executes dropped EXE 16 IoCs

pid	Process
1752	Skype-8.97.0.404.tmp
1120	Skype.exe
4708	Skype.exe
3348	Skype.exe
2092	Skype.exe
5008	Skype.exe
4044	Skype.exe
2380	Skype.exe
4524	Skype.exe
3944	Skype.exe
4972	Skype.exe
2876	Skype.exe
3772	Skype.exe
2604	Skype.exe
808	Skype.exe
1192	Skype.exe

Loads dropped DLL 60 IoCs

pid	Process
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
4708	Skype.exe
1120	Skype.exe
1120	Skype.exe
3348	Skype.exe
2092	Skype.exe
3348	Skype.exe
3348	Skype.exe
3348	Skype.exe
3348	Skype.exe
3348	Skype.exe
5008	Skype.exe
5008	Skype.exe
5008	Skype.exe
1120	Skype.exe
4044	Skype.exe
4524	Skype.exe
2380	Skype.exe
5008	Skype.exe
5008	Skype.exe
5008	Skype.exe
5008	Skype.exe
5008	Skype.exe
5008	Skype.exe
5008	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
4972	Skype.exe
3944	Skype.exe
3944	Skype.exe
2876	Skype.exe
3772	Skype.exe
2876	Skype.exe
2876	Skype.exe
2876	Skype.exe
2876	Skype.exe
2876	Skype.exe
2604	Skype.exe
2604	Skype.exe
2604	Skype.exe
3944	Skype.exe
808	Skype.exe
1192	Skype.exe
2604	Skype.exe
2604	Skype.exe
2604	Skype.exe
2604	Skype.exe
2604	Skype.exe
2604	Skype.exe
2604	Skype.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Skype.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Skype.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Skype.exe

Enumerates system info in registry 2 TTPs 28 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Skype.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\	Skype.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Skype.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Skype.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Skype.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Skype.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Skype.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\	Skype.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Skype.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\	Skype.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Skype.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Skype.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Skype.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Skype.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4616	taskkill.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{82891556-C384-4567-8A14-1E79D7BF7539}	Skype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\icon = "C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe"	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype\ = "URL:skype"	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\callto	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\callto\URL Protocol	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\DefaultIcon\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\""	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype-meetnow\ = "URL:skype-meetnow"	Skype-8.97.0.404.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tel\URL Protocol	Skype-8.97.0.404.tmp
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\command	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\" \"%1\""	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell\open	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype\URL Protocol	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\callto\ = "URL:callto"	Skype-8.97.0.404.tmp
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\SkypeURL\shell\open\command	Skype-8.97.0.404.tmp
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{18A23B5E-CC44-4F32-A7D2-B81396DDB509}	Skype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell\open\command	Skype-8.97.0.404.tmp
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SkypeURL	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\SkypeURL\DefaultIcon	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\skype-meetnow	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\tel	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\MUIVerb = "@C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\SkypeContext.dll,-101"	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ShareWithSkype\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\Skype.exe\" --share-file=\"%V\""	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{DE65D85B-DC16-4953-9C57-B72880D80F9C}	Skype.exe
Key created	\REGISTRY\MACHINE\Software\Classes\skype	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tel\ = "URL:tel"	Skype-8.97.0.404.tmp
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{8A2D9017-00C1-416F-B626-A2A88E14CDFA}	Skype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL	Skype-8.97.0.404.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SkypeURL\shell	Skype-8.97.0.404.tmp
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\skype-meetnow\URL Protocol	Skype-8.97.0.404.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe

Modifies registry key 1 TTPs 19 IoCs

Modify Registry

T1112

pid	Process
4156	reg.exe
5048	reg.exe
1840	reg.exe
2816	reg.exe
3600	reg.exe
3836	reg.exe
3968	reg.exe
940	reg.exe
5072	reg.exe
3076	reg.exe
4512	reg.exe
1512	reg.exe
4672	reg.exe
2812	reg.exe
2208	reg.exe
2824	reg.exe
1624	reg.exe
3500	reg.exe
116	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Storage\ext\persist:e6644eda-6459-47fc-a8f9-2fe6f470a8e1\def\Local Storage\leveldb\LOG	Skype.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Storage\ext\persist:e6644eda-6459-47fc-a8f9-2fe6f470a8e1\def\Session Storage\LOG	Skype.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Storage\ext\persist:e6644eda-6459-47fc-a8f9-2fe6f470a8e1\def\Local Storage\leveldb\LOCK	Skype.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Storage\ext\persist:e6644eda-6459-47fc-a8f9-2fe6f470a8e1\def\Session Storage\LOCK	Skype.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1752	Skype-8.97.0.404.tmp
1752	Skype-8.97.0.404.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe
Token: SeCreatePagefilePrivilege	1120	Skype.exe
Token: SeShutdownPrivilege	1120	Skype.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1752	Skype-8.97.0.404.tmp
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe
3944	Skype.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe
1120	Skype.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 1752	4100	Skype-8.97.0.404.exe	82
PID 4100 wrote to memory of 1752	4100	Skype-8.97.0.404.exe	82
PID 4100 wrote to memory of 1752	4100	Skype-8.97.0.404.exe	82
PID 1752 wrote to memory of 4616	1752	Skype-8.97.0.404.tmp	86
PID 1752 wrote to memory of 4616	1752	Skype-8.97.0.404.tmp	86
PID 1752 wrote to memory of 4616	1752	Skype-8.97.0.404.tmp	86
PID 1752 wrote to memory of 1120	1752	Skype-8.97.0.404.tmp	92
PID 1752 wrote to memory of 1120	1752	Skype-8.97.0.404.tmp	92
PID 1752 wrote to memory of 1120	1752	Skype-8.97.0.404.tmp	92
PID 1120 wrote to memory of 4708	1120	Skype.exe	94
PID 1120 wrote to memory of 4708	1120	Skype.exe	94
PID 1120 wrote to memory of 4708	1120	Skype.exe	94
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 3348	1120	Skype.exe	97
PID 1120 wrote to memory of 2092	1120	Skype.exe	98
PID 1120 wrote to memory of 2092	1120	Skype.exe	98
PID 1120 wrote to memory of 2092	1120	Skype.exe	98
PID 1120 wrote to memory of 3500	1120	Skype.exe	99
PID 1120 wrote to memory of 3500	1120	Skype.exe	99
PID 1120 wrote to memory of 3500	1120	Skype.exe	99
PID 1120 wrote to memory of 5008	1120	Skype.exe	100
PID 1120 wrote to memory of 5008	1120	Skype.exe	100
PID 1120 wrote to memory of 5008	1120	Skype.exe	100

C:\Users\Admin\AppData\Local\Temp\Skype-8.97.0.404.exe
"C:\Users\Admin\AppData\Local\Temp\Skype-8.97.0.404.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\is-73LJN.tmp\Skype-8.97.0.404.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-73LJN.tmp\Skype-8.97.0.404.tmp" /SL5="$B005C,88537029,404480,C:\Users\Admin\AppData\Local\Temp\Skype-8.97.0.404.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
    "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=6ff116c3-d580-4d31-75aa-af479d334793&uid=6ff116c3-d580-4d31-75aa-af479d334793 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.97.0.404 "--annotation=exe=C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x584,0x588,0x58c,0x580,0x590,0x73d3398,0x73d33a8,0x73d33b4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4708
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 --field-trial-handle=2204,i,9864997187608570741,8218487959533112550,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3348
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2460 --field-trial-handle=2204,i,9864997187608570741,8218487959533112550,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3500
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2892 --field-trial-handle=2204,i,9864997187608570741,8218487959533112550,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      PID:5008
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall delete rule name=NDI_9e0957f79c277f37ec0b606aee4b12c0ea928616531524a303e84d6748ecf6d0
        5⤵
        Modifies Windows Firewall
        
        PID:396
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name=NDI_9e0957f79c277f37ec0b606aee4b12c0ea928616531524a303e84d6748ecf6d0 dir=in action=allow program="C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4864
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
      4⤵
      Modifies registry key
      PID:116
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
      4⤵
      Modifies registry key
      PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
      4⤵
      Modifies registry key
      PID:3076
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3972 --field-trial-handle=2204,i,9864997187608570741,8218487959533112550,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4044
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
      4⤵
      Modifies registry key
      PID:3600
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
      4⤵
      Modifies registry key
      PID:3836
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
      4⤵
      Modifies registry key
      PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
      4⤵
      Modifies registry key
      PID:4156
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=3860 --field-trial-handle=2204,i,9864997187608570741,8218487959533112550,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2380
  - - C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
      "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=4332 --field-trial-handle=2204,i,9864997187608570741,8218487959533112550,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4524
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
      4⤵
      Modifies registry key
      PID:3968
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
      4⤵
      Modifies registry key
      PID:940
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
      4⤵
      PID:4628
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
      4⤵
      Modifies registry key
      PID:5072

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\9c889263abd048f28ee22457357e593c /t 3960 /p 3888
1⤵
PID:3008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x50c
1⤵
PID:4728

C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3944
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=6ff116c3-d580-4d31-75aa-af479d334793&uid=6ff116c3-d580-4d31-75aa-af479d334793 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.97.0.404 "--annotation=exe=C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x588,0x58c,0x590,0x584,0x594,0x73d3398,0x73d33a8,0x73d33b4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4972
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 --field-trial-handle=2228,i,9839578997922084635,10995467558023050863,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2876
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=2356 --field-trial-handle=2228,i,9839578997922084635,10995467558023050863,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3772
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4672
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --ms-disable-indexeddb-transaction-timeout --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2920 --field-trial-handle=2228,i,9839578997922084635,10995467558023050863,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --skype-process-type=Main --skype-window-id=__MAIN_ROOT_VIEW_ID__ /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  PID:2604
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe advfirewall firewall delete rule name=NDI_9e0957f79c277f37ec0b606aee4b12c0ea928616531524a303e84d6748ecf6d0
    3⤵
    - Modifies Windows Firewall
    PID:4732
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe advfirewall firewall add rule name=NDI_9e0957f79c277f37ec0b606aee4b12c0ea928616531524a303e84d6748ecf6d0 dir=in action=allow program="C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1548
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
  2⤵
  - Modifies registry key
  PID:2812
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
  2⤵
  - Modifies registry key
  PID:5048
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice /v ProgId
  2⤵
  - Modifies registry key
  PID:1840
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
  2⤵
  - Modifies registry key
  PID:2816
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice /v ProgId
  2⤵
  - Modifies registry key
  PID:2208
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
  2⤵
  PID:5008
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
  2⤵
  PID:536
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
  2⤵
  PID:4212
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe" /ve
  2⤵
  PID:1544
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
  2⤵
  - Modifies registry key
  PID:2824
- C:\Windows\SysWOW64\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Edge\BLBeacon /v version
  2⤵
  - Modifies registry key
  PID:1624
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=4088 --field-trial-handle=2228,i,9839578997922084635,10995467558023050863,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:808
- C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe
  "C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop" --mojo-platform-channel-handle=3544 --field-trial-handle=2228,i,9839578997922084635,10995467558023050863,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Skype for Desktop\D3DCompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe

Filesize
117.6MB

MD5
e88f2ab51f9124260caff232633c5679

SHA1
d4639556fc23a707219d1dbafb4b61c0be8d0013

SHA256
f56d0a5c800b6dd344240f6cf5ad75508d5515391b0890290ad1523cdfabc2dd

SHA512
d52cb9845c42fc95774dd031dd5e3447c974f964f51c60bdd55c021bd1dda1207eadadfc0771bad4a102642cecf5383b404cbb653e9ee5abc941a26629ccb40b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
2.4MB

MD5
07b028b03161d193f49232cdfd9663c3

SHA1
c63a0c014d1dd989fed058007182482bb42caf9e

SHA256
174bd45ec7945dff159d41fb8c60a7eb88c2f6230a783a8f9d763817691246ed

SHA512
3c80b75bb9a11005908ad9b5e4d8e8a6c587b39b90f0d9dc34619d2e2144b36dc4d81f47c0854bd01a1e2664363376290c54741070dc35b7ba10d083ba96e65e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
2.4MB

MD5
07b028b03161d193f49232cdfd9663c3

SHA1
c63a0c014d1dd989fed058007182482bb42caf9e

SHA256
174bd45ec7945dff159d41fb8c60a7eb88c2f6230a783a8f9d763817691246ed

SHA512
3c80b75bb9a11005908ad9b5e4d8e8a6c587b39b90f0d9dc34619d2e2144b36dc4d81f47c0854bd01a1e2664363376290c54741070dc35b7ba10d083ba96e65e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
2.4MB

MD5
07b028b03161d193f49232cdfd9663c3

SHA1
c63a0c014d1dd989fed058007182482bb42caf9e

SHA256
174bd45ec7945dff159d41fb8c60a7eb88c2f6230a783a8f9d763817691246ed

SHA512
3c80b75bb9a11005908ad9b5e4d8e8a6c587b39b90f0d9dc34619d2e2144b36dc4d81f47c0854bd01a1e2664363376290c54741070dc35b7ba10d083ba96e65e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
2.4MB

MD5
07b028b03161d193f49232cdfd9663c3

SHA1
c63a0c014d1dd989fed058007182482bb42caf9e

SHA256
174bd45ec7945dff159d41fb8c60a7eb88c2f6230a783a8f9d763817691246ed

SHA512
3c80b75bb9a11005908ad9b5e4d8e8a6c587b39b90f0d9dc34619d2e2144b36dc4d81f47c0854bd01a1e2664363376290c54741070dc35b7ba10d083ba96e65e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
2.4MB

MD5
07b028b03161d193f49232cdfd9663c3

SHA1
c63a0c014d1dd989fed058007182482bb42caf9e

SHA256
174bd45ec7945dff159d41fb8c60a7eb88c2f6230a783a8f9d763817691246ed

SHA512
3c80b75bb9a11005908ad9b5e4d8e8a6c587b39b90f0d9dc34619d2e2144b36dc4d81f47c0854bd01a1e2664363376290c54741070dc35b7ba10d083ba96e65e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\ffmpeg.dll

Filesize
2.4MB

MD5
07b028b03161d193f49232cdfd9663c3

SHA1
c63a0c014d1dd989fed058007182482bb42caf9e

SHA256
174bd45ec7945dff159d41fb8c60a7eb88c2f6230a783a8f9d763817691246ed

SHA512
3c80b75bb9a11005908ad9b5e4d8e8a6c587b39b90f0d9dc34619d2e2144b36dc4d81f47c0854bd01a1e2664363376290c54741070dc35b7ba10d083ba96e65e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\icudtl.dat

Filesize
9.9MB

MD5
d28641aac16f15b25a3370171299106f

SHA1
0aabe57f76173b2e21c8cd2d3ee6c9fe161425bc

SHA256
7de21b3192f4a99e3433dede998743ea9e896f5a70ce6c16bf159871fd5b0e00

SHA512
4a9afaecaf242812c788030efa59e9d8e57c361761a74399dbbff5869f00e37da18c0a3342353c38612455481b84b090aabae9caf58aa1302640ce308da4ba54

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\libEGL.dll

Filesize
373KB

MD5
6c510950f4b65c6833b4f82f5e89fb64

SHA1
286e700eda7b2a12e40e4ad34c4c2da94f35273c

SHA256
8d16df323d0e2458b8a5e0ac4744b791cd023e9bf83956f8d69da18708bc8121

SHA512
cfc8e6c1f179209097168a8c502ac0c162b7163ac7e26fd78f0f836d4e9590f3061423dc690b6ff6015245d36906c2847050f94b9fba3123507608ca4e7094d1

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\libGLESv2.dll

Filesize
6.1MB

MD5
2e95c15fa9a790d677139d607b50995e

SHA1
2a7231a860c8236c907106dcc99d67f0c3ce314f

SHA256
e03b9c759df02e65aaab7cf51d501ffbab282f9b969990d21d1a75972f0103bf

SHA512
2cf21f78c5e3522f41de19b50df8b8537343756be1f55ba4a40401c3dc180b6a6abf2d7fdcf4309c2e975f9a21ab3ad5aa9fec9b208fa45de149b81397561084

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\libegl.dll

Filesize
373KB

MD5
6c510950f4b65c6833b4f82f5e89fb64

SHA1
286e700eda7b2a12e40e4ad34c4c2da94f35273c

SHA256
8d16df323d0e2458b8a5e0ac4744b791cd023e9bf83956f8d69da18708bc8121

SHA512
cfc8e6c1f179209097168a8c502ac0c162b7163ac7e26fd78f0f836d4e9590f3061423dc690b6ff6015245d36906c2847050f94b9fba3123507608ca4e7094d1

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\libglesv2.dll

Filesize
6.1MB

MD5
2e95c15fa9a790d677139d607b50995e

SHA1
2a7231a860c8236c907106dcc99d67f0c3ce314f

SHA256
e03b9c759df02e65aaab7cf51d501ffbab282f9b969990d21d1a75972f0103bf

SHA512
2cf21f78c5e3522f41de19b50df8b8537343756be1f55ba4a40401c3dc180b6a6abf2d7fdcf4309c2e975f9a21ab3ad5aa9fec9b208fa45de149b81397561084

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\locales\en-US.pak

Filesize
112KB

MD5
a85c703969e69a5a6f7e379635fa42a5

SHA1
8c765404e54070c14ab49d2d1ef54d2a3a2f7ea6

SHA256
a9c5b333440a42b95b2ef043fecb95a2d2f4b2d0601be639643d01d86be3ba83

SHA512
8ab1106fd6f410164dece0e4f6cc67e57b8bfc72864b47a665f81d67d4028464e69f7c7f4e283956fe0556f71779cceb66466b0cd37f434dbdcb7d4f59492b82

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources.pak

Filesize
4.7MB

MD5
c98d9b704da20264eae352f9d2ef59df

SHA1
c21997a61346b8f12c9b3760fe4f4af67dd2ec53

SHA256
00f2f4e7825cde5e68e039f68cb0c41cbf72eef2013a0eb50995ae090735d251

SHA512
71f414f9537f1aa705f06d9fcd95769340c9464574f646b5805e90d43da1fd69af6493ad77e65c7632d0efe5dc397dcad2c05f2f147cf283b60b168b061728e3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar

Filesize
49.2MB

MD5
71b2fb451ce77f783506d1ab5c8c42d2

SHA1
eeab2559787f6f08582c84433381965648af284f

SHA256
326a7a9efca951c264c0ce7bb73ea58825849e6641a0ec660cda1ec7d9c9b378

SHA512
1a2306205973cfc8d6f4d78a2bf16e9737b14c4aba7cf33c0f7914cfd057a568ae319d62a395056a6e1bdf8d156663675914081a026eba9055eb25de9b66993f

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-away.png

Filesize
294B

MD5
9834fdf81fe65f1c19f9997c47b080cb

SHA1
629b1977648b6407632eebed3ff19f3f1520f305

SHA256
5f01da2a9b135f1c8879419874f87c2a662342188cfa836556f25c9557ca07d0

SHA512
0ccc33f143faf24f81cb079acb0ca7b6803ef88e6563c2acecbbeba9242ecf1853bed7a9e54196f0ad7c973ad2616e51ca271b298fb07c51b0dd31a7e61036ca

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\[email protected]

Filesize
562B

MD5
767336bb72d1ee7103b8695e9fad1bd9

SHA1
0af45423d7e86a5ed09e0a64d82387af0d8fb397

SHA256
1b5ba46a18edce48949b08882036fbf6176cfaaec41e7ecf7b9a4cb8366db809

SHA512
39d93ba8e5bab26844ff379d16975813e598349d11e4271355e251f3f43cc1b513a2fbcd51c09f4e4c09ed5cd09a18e5123e7623feb950668af8cf8182842057

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-donotdisturb.png

Filesize
359B

MD5
324a5cab7741d3ec7fca3f6163be9bf8

SHA1
9d47b2078cc870efad4c208dedb6bd9fb127b0c7

SHA256
ba4ac732fa5011992fe17fe0e01e217f2ba92d3cd27c9b5d8139bada160f898b

SHA512
967cc72663b8fd9531f5708786ed2afeec702c01751f99407c4b8ae860a3b13467f2e187769ea632c160f2899efdea87719e5665f26c44adc52edbe64e669b8b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\[email protected]

Filesize
685B

MD5
5da369f999ec7bb6f670fdba2f074422

SHA1
097620c947736f83744065a58ecda8aa3b0fbe07

SHA256
bff494b55ff74602fbb7181847035f22a82d30ac2a92a6a42dc6449ea6015066

SHA512
7a89b30d42f98f814e025668ec0247703c3e402aa7c14b1cf818912cc3a74166d0cc662b418cadb82e922db6f61925b39163dc86012f174b63a8cc730ed7e4aa

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-hidden.png

Filesize
398B

MD5
f847bc40a4769792230765fd101b715e

SHA1
9753ce33252a0b6ca23f36a9d6f53202d148b900

SHA256
a8be87fc996f60e0c6a9b2991e7cd757198e4ac0db80132bf4eecaea626861ae

SHA512
ff7c9950324f0c7203312f28ddca26a490877ddd1453975c083b49d088abff5f8b7fe49e1460731a7ff5ebe650d059d9eeac067ca3c10c4dbb8eee3fe458f15b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\[email protected]

Filesize
872B

MD5
5b1c0544d938f7b90d02430c91776c4b

SHA1
b508a3f8dabe5d8071b5be41bbb628785dd0f6d6

SHA256
d666683821c01485b2a46cc40a9b6956903c12d8bf344224263005589fedf330

SHA512
a3e6b6fe5fe0922c20d11897b35ea2d17b8f18425f5d5d8b753e41d097413cc33aba68a243d1bc7af25435f2256a3f2bab8817ffc3ba4af9a102875fe4bb628d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\dot-online.png

Filesize
331B

MD5
b6f201d0aa98781ed3c62d21f5180c2b

SHA1
8fae0048e6d699e0a8bbb411e553a91721712d6b

SHA256
532b6a446404d7bc0eaf25159099f070f13149c074dc96f5dfb5609a3025277b

SHA512
24e5f1996999ebe99693be2afebb89927c94dda7ec7d3bc40376e48de5a6a086d521eb0883712493c7c2b7798d3ae82f9d85311425b5e391818f2f27991c1cdf

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\presence\[email protected]

Filesize
629B

MD5
6fe4b2fae57b1d4c0417745fab16f96a

SHA1
a8c8057a4090f65d82e18624be751d2f2e6d552c

SHA256
e540a9dd19c7e999e8a0614dcc1c01b47542bfb1c45f4944f1748cce28e187f7

SHA512
f2be6edd9e4889948c04c250e72fa4e74a5544b8d3a848ccee2b70fb7b7dab68fadbcec343dd9d4032c4550116f6dfd104ccf8c1805cef87c38f4d300e39c77f

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\images\tray\win\tray-offlineTemplate.ico

Filesize
104KB

MD5
6829d32c8496b84cefa32e6030e356da

SHA1
5f2b0331147da4185ee21ac62b890c36c48329bf

SHA256
e437c7e735977ad406d9df0c9e1a956cd7a9f98f7b387a21b39d67447ad55b04

SHA512
e85b18790a8b521476b0610358c055f54e5c12b48687946df569eec0b5237a39dca3f3b4eecc44da2a17c4187ef3279b3087e2fa40357ce9bd311c5ab4de3bd2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmControl.dll

Filesize
118KB

MD5
71739257c81876c0519e8f2b05fcb91e

SHA1
c7c609296fd7d4045ff7a86405c796dd5a2b09cd

SHA256
fb8bad3f20fede89768c8be7cccc6ca08994c089a91297ad27cc32dcf05f0dd5

SHA512
d38d822d7aa098b20cf3bab9ce61a74c8ed816286cb982e262fe7f468aac461c2bdb77cd79fe09c9deee8d4be4ffe1f3430a6b2b9378f5ce59b3ba0d289f6a5e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmControl.dll

Filesize
118KB

MD5
71739257c81876c0519e8f2b05fcb91e

SHA1
c7c609296fd7d4045ff7a86405c796dd5a2b09cd

SHA256
fb8bad3f20fede89768c8be7cccc6ca08994c089a91297ad27cc32dcf05f0dd5

SHA512
d38d822d7aa098b20cf3bab9ce61a74c8ed816286cb982e262fe7f468aac461c2bdb77cd79fe09c9deee8d4be4ffe1f3430a6b2b9378f5ce59b3ba0d289f6a5e

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmPal.dll

Filesize
874KB

MD5
7b54edff920526dfe73034aa7e0defec

SHA1
a6191a7707eada8c6ac25dbde01c4f082ee1fa16

SHA256
35e4769a7efa9ba878f1f55c1dce03fa398fbcf67d9f16f9afe0533b034356e2

SHA512
b1be1114bb2683208b2854e991ce7793d09296222c18f72e17b16fdfd4922c1ed28f3e6dd76c97b3230e9996b3df8c03e86332a6d7ac0540deb99a6c2c9a9e95

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\RtmPal.dll

Filesize
874KB

MD5
7b54edff920526dfe73034aa7e0defec

SHA1
a6191a7707eada8c6ac25dbde01c4f082ee1fa16

SHA256
35e4769a7efa9ba878f1f55c1dce03fa398fbcf67d9f16f9afe0533b034356e2

SHA512
b1be1114bb2683208b2854e991ce7793d09296222c18f72e17b16fdfd4922c1ed28f3e6dd76c97b3230e9996b3df8c03e86332a6d7ac0540deb99a6c2c9a9e95

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\call_manager.node

Filesize
2.1MB

MD5
a513c5089351d9f9c5c2abfd25da9cdc

SHA1
db3c70dc101b94be0d939d075b8426e9ec617855

SHA256
dd85cc5855905490b41243895f2a8a28b8c96dc3dc5c31c821e1beb39f703497

SHA512
87eb286e199958d4334f2224c48f30a490ac54313513769f24b45d647c4be565dff082cff0f680f6e50a3f7484ff4683bc046fe10c579d4737639ecacf615f81

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\call_manager.node

Filesize
2.1MB

MD5
a513c5089351d9f9c5c2abfd25da9cdc

SHA1
db3c70dc101b94be0d939d075b8426e9ec617855

SHA256
dd85cc5855905490b41243895f2a8a28b8c96dc3dc5c31c821e1beb39f703497

SHA512
87eb286e199958d4334f2224c48f30a490ac54313513769f24b45d647c4be565dff082cff0f680f6e50a3f7484ff4683bc046fe10c579d4737639ecacf615f81

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\electron_utility.node

Filesize
825KB

MD5
3e146137835ffdc10e139fb0ea5536e6

SHA1
21ab924fe0f68a2db13aab800cf1638b5dacc927

SHA256
50950f25b60b078bbf7060ca6ba0a76b897ba9133f690b03b06e41443638abf9

SHA512
cafea8ed0552c05a77dc83316309d8aa5e2dea35284a5c850b66355889a400913b4aa44cf6fc4f881ea9fe1d4e6e5efb5ae6b10e14a3568a9937d7101b039e8b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\electron_utility.node

Filesize
825KB

MD5
3e146137835ffdc10e139fb0ea5536e6

SHA1
21ab924fe0f68a2db13aab800cf1638b5dacc927

SHA256
50950f25b60b078bbf7060ca6ba0a76b897ba9133f690b03b06e41443638abf9

SHA512
cafea8ed0552c05a77dc83316309d8aa5e2dea35284a5c850b66355889a400913b4aa44cf6fc4f881ea9fe1d4e6e5efb5ae6b10e14a3568a9937d7101b039e8b

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\keytar.node

Filesize
480KB

MD5
560e50d06f23d74d56431a3246a3cc06

SHA1
faf2bf981cfda27020dee85c8dac06bc74d0afe4

SHA256
50a7b55c201a5bf3c06f32b1711a25fb1b2cdfce58a11e79f21d855b39464b18

SHA512
2bd616bd989fc391f39e53479e61a1338d6b0dde94d4b6916f53717061082b18af48a9bf66a29788864f796f2cf7f40e84bb3f98218bd3bf0b09fefef75efa48

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\sharing-indicator.node

Filesize
104KB

MD5
5e018bc53c298d47f8e28f21d96456c0

SHA1
f026d453e261f580ba7bf31f0fcedca24dd8f58a

SHA256
cf406952fdc1dd6b7161993b4f554f2683c1aeb99bf54f2864b2e8a8e1fa83d6

SHA512
c6ee90c509655e5015c7ab80b6375da671b3b14d33c184aab6103e2ae9a7d1427f419ae05a3d5c2097934131ed7446144ec1c96111e39937ec39f793ae9fa4a2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\sharing-indicator.node

Filesize
104KB

MD5
5e018bc53c298d47f8e28f21d96456c0

SHA1
f026d453e261f580ba7bf31f0fcedca24dd8f58a

SHA256
cf406952fdc1dd6b7161993b4f554f2683c1aeb99bf54f2864b2e8a8e1fa83d6

SHA512
c6ee90c509655e5015c7ab80b6375da671b3b14d33c184aab6103e2ae9a7d1427f419ae05a3d5c2097934131ed7446144ec1c96111e39937ec39f793ae9fa4a2

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll

Filesize
3.1MB

MD5
8424cbd0b043935c0944ddc2894a8ef3

SHA1
76609a93c3736b1da917afd519c217e48a34315a

SHA256
593c8c4c861d6d990074f1161d87b2157690133495442839bd08dd137d915bdf

SHA512
ba2dbd34f575dee6ed8b71d022f1550057101fd85ea8c4a381181d150f212ec37f81432eee89fca0cfccba0ff88073d766af0b56d5e0b0020a56c9cf83ec737d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll

Filesize
3.1MB

MD5
8424cbd0b043935c0944ddc2894a8ef3

SHA1
76609a93c3736b1da917afd519c217e48a34315a

SHA256
593c8c4c861d6d990074f1161d87b2157690133495442839bd08dd137d915bdf

SHA512
ba2dbd34f575dee6ed8b71d022f1550057101fd85ea8c4a381181d150f212ec37f81432eee89fca0cfccba0ff88073d766af0b56d5e0b0020a56c9cf83ec737d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll

Filesize
3.1MB

MD5
8424cbd0b043935c0944ddc2894a8ef3

SHA1
76609a93c3736b1da917afd519c217e48a34315a

SHA256
593c8c4c861d6d990074f1161d87b2157690133495442839bd08dd137d915bdf

SHA512
ba2dbd34f575dee6ed8b71d022f1550057101fd85ea8c4a381181d150f212ec37f81432eee89fca0cfccba0ff88073d766af0b56d5e0b0020a56c9cf83ec737d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\skypert.dll

Filesize
3.1MB

MD5
8424cbd0b043935c0944ddc2894a8ef3

SHA1
76609a93c3736b1da917afd519c217e48a34315a

SHA256
593c8c4c861d6d990074f1161d87b2157690133495442839bd08dd137d915bdf

SHA512
ba2dbd34f575dee6ed8b71d022f1550057101fd85ea8c4a381181d150f212ec37f81432eee89fca0cfccba0ff88073d766af0b56d5e0b0020a56c9cf83ec737d

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\slimcore.node

Filesize
10.0MB

MD5
7028cd09f70ed7b86a939deb02c772eb

SHA1
796caa9d89d068981237a1c8a9614526569b71a2

SHA256
792140e8392b5dd8fb6bd66a16beeeb2ee9018d1bb7c4a9796d29f3e5ec9ede8

SHA512
5049332af4e475eb5a72e088203161223bce5477b0626a1183e0c5f43ab7e86a523525ad4281bd654f0fa637086a4829223a65b08425edd9abde72d8bb307c82

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\slimcore.node

Filesize
10.0MB

MD5
7028cd09f70ed7b86a939deb02c772eb

SHA1
796caa9d89d068981237a1c8a9614526569b71a2

SHA256
792140e8392b5dd8fb6bd66a16beeeb2ee9018d1bb7c4a9796d29f3e5ec9ede8

SHA512
5049332af4e475eb5a72e088203161223bce5477b0626a1183e0c5f43ab7e86a523525ad4281bd654f0fa637086a4829223a65b08425edd9abde72d8bb307c82

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\wam.node

Filesize
1.0MB

MD5
b0b03f8195ef9824e3cbd300eff2decd

SHA1
553040e525b5c53e3d2a076f347fd9c1606ea6ec

SHA256
35a6978279c219df1988ed6cb2972b5dddc504fdad90a773ec9f4b834d8bd314

SHA512
91e51a230c15a02b48cdca40db4d7879987a7563d24e9a8f6ccaed0b545eef4f80048e15ed3c47ec0d463ecce2bdb9896ff4d3dc3a399ee2b215db3d1a75d426

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\resources\app.asar.unpacked\modules\wam.node

Filesize
1.0MB

MD5
b0b03f8195ef9824e3cbd300eff2decd

SHA1
553040e525b5c53e3d2a076f347fd9c1606ea6ec

SHA256
35a6978279c219df1988ed6cb2972b5dddc504fdad90a773ec9f4b834d8bd314

SHA512
91e51a230c15a02b48cdca40db4d7879987a7563d24e9a8f6ccaed0b545eef4f80048e15ed3c47ec0d463ecce2bdb9896ff4d3dc3a399ee2b215db3d1a75d426

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\v8_context_snapshot.bin

Filesize
596KB

MD5
9cf618687bbd261c2027bf10671a7b73

SHA1
c0231f7fd1fb116067478338c9d69bbe0ec57d0d

SHA256
9cd23cfe0e627d930127cf27442be319a5548aa4f039d04a9216371236fede9f

SHA512
eceb31bd6974d2c16b3cabbf821c058845ca8c02f1482caa95bf3c5acd41c6a25c3d7940dd8f0ff510c05b41d7b8e2246e3e9e9a17e84d31e504104a2a9c4239

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\vk_swiftshader.dll

Filesize
4.0MB

MD5
980b1af62bbb98a9fb77599d2ef5954f

SHA1
b02aa6a725f6fa7cc2376f25deeb588bc3db1ebc

SHA256
be6a076f544952e15e4776786f33e6d33c6c0c8b9859c071c8542b124317275e

SHA512
5cb5a63ab840f6a834098022a8a070b4f977ed6ee00e0f085eb0fe84dd1a8670cef79d646caab372ee11e20097a1d924fb46532d207c13770852a30a401082d3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\vk_swiftshader.dll

Filesize
4.0MB

MD5
980b1af62bbb98a9fb77599d2ef5954f

SHA1
b02aa6a725f6fa7cc2376f25deeb588bc3db1ebc

SHA256
be6a076f544952e15e4776786f33e6d33c6c0c8b9859c071c8542b124317275e

SHA512
5cb5a63ab840f6a834098022a8a070b4f977ed6ee00e0f085eb0fe84dd1a8670cef79d646caab372ee11e20097a1d924fb46532d207c13770852a30a401082d3

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\vulkan-1.dll

Filesize
752KB

MD5
caf5122d7d915cc96bf2686c4011f535

SHA1
b895182f1802c9b9bfb8168a9359ee8e6f412b9b

SHA256
c2754f632cae15c09e573da7d797cdfc60a3115d540b058a48a30497067d4258

SHA512
670c69f10e2ce8639c269301324dda3cd5159eb094ff457178bc1f26c4994673b79c1b6709b7d83315a6d76528a26d06f23e0c62c55140fdeaae82deb89b6aa5

Download Submit
C:\Program Files (x86)\Microsoft\Skype for Desktop\vulkan-1.dll

Filesize
752KB

MD5
caf5122d7d915cc96bf2686c4011f535

SHA1
b895182f1802c9b9bfb8168a9359ee8e6f412b9b

SHA256
c2754f632cae15c09e573da7d797cdfc60a3115d540b058a48a30497067d4258

SHA512
670c69f10e2ce8639c269301324dda3cd5159eb094ff457178bc1f26c4994673b79c1b6709b7d83315a6d76528a26d06f23e0c62c55140fdeaae82deb89b6aa5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133293192517701301.txt

Filesize
76KB

MD5
0ad9aec5c33f2939b549ca095f978abc

SHA1
f37a4dfdf6fb105ee0b00b8aabb309da11ed2815

SHA256
b92a1cb0f80316b794fdc0a7809d37ccd9aa90ce75c21aef707ca13fe8b6ba17

SHA512
8e0a02aecbad921e26046ed8da49c99032e1185c57b7df17e1dd903f4e04ae0b2abf2aedcb613b4ca87184628dbf4a7870f1b355d5b28303f052d3aeb74bba31

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-73LJN.tmp\Skype-8.97.0.404.tmp

Filesize
1.4MB

MD5
b2425552e9033276f8b711b200c6cb6c

SHA1
438709bcf3a461771c1d8535a2c77f7fed497884

SHA256
2d7adde68b506a2d5cf31527967657dc5ee1f18fe3bf900801bbd77f80b7e028

SHA512
865a57b391e11dc85be040fc9ce73082a75fa6baf56e842eb717b342a2cb677d318402c506c0cfbd706874a47d93168ea8f994cac920782509a929cc338d41ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-73LJN.tmp\Skype-8.97.0.404.tmp

Filesize
1.4MB

MD5
b2425552e9033276f8b711b200c6cb6c

SHA1
438709bcf3a461771c1d8535a2c77f7fed497884

SHA256
2d7adde68b506a2d5cf31527967657dc5ee1f18fe3bf900801bbd77f80b7e028

SHA512
865a57b391e11dc85be040fc9ce73082a75fa6baf56e842eb717b342a2cb677d318402c506c0cfbd706874a47d93168ea8f994cac920782509a929cc338d41ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp

Filesize
1KB

MD5
5cce6c7d65bfe69c87c1a850453897e8

SHA1
40ecb0807371f988e86026bf9fa0522f8abb431e

SHA256
e39e106ee40558bc860a4c1342a9d3ef8ffd4e9596f16ea78009c5f979a4fb55

SHA512
785dcda505b6d3dcdc05dd0228588fa0fc45a06cf915844262dfd43aa12d728c18b64118be286fa8f3b1c574416fe2b1a4f89eec8cb9699ffc98f39ea54a5ce2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp

Filesize
1KB

MD5
b0ec4efc7218ff87f84f273b2f59013e

SHA1
ede295b9c4e61bfc5821562ac8bcfebbd3e498a3

SHA256
00ae654dae74ac9c9c2d13d9bfaffdaef2f87cb256a0311f6ae0da90b828de7d

SHA512
0cfa13a072771d6a08558d2784cf4f5dc0743cb609d8898e8c8e26e619fb04882adaebb035cfa5fe897ca41f1ed1d8bc328c0ef718e86d48969765f2107f85c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp

Filesize
137B

MD5
1fef7778ff2231bdb07da11a5b62555f

SHA1
88ba4c28d8b196bf86609d51b25bcad32b64eb51

SHA256
df7694bdc106021cdf404d885e4dedbe4e7f2019af816366ed5021f9722d6074

SHA512
59d4360ff6719dc809f5cbe8d39fc9e1ed4d760d61d952d75759698d50344a787dbe436db7fa4c26db95a154ce880f92bf2579b1e4c99ee8eebf2a242a95605a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp

Filesize
708B

MD5
a3e4f12725a6d1a63b05268e2a5c900c

SHA1
6bca7a4c7a27f4b28da54a0b2cb3eba83d654999

SHA256
eb7043bbef4d3f34b0c1d8e2d5248a1bd94f40d3411d64c1c57e795206db245a

SHA512
7477635c88b23bdb2f2c7907742af0b5f476ff8374b740e0db5fc27be22446d4d98674138ee20c31befc2ee2f6efb6f21bbee52a83564fef2a7738a45864ba7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\CS_skylib\CS_shared.tmp

Filesize
708B

MD5
a3e4f12725a6d1a63b05268e2a5c900c

SHA1
6bca7a4c7a27f4b28da54a0b2cb3eba83d654999

SHA256
eb7043bbef4d3f34b0c1d8e2d5248a1bd94f40d3411d64c1c57e795206db245a

SHA512
7477635c88b23bdb2f2c7907742af0b5f476ff8374b740e0db5fc27be22446d4d98674138ee20c31befc2ee2f6efb6f21bbee52a83564fef2a7738a45864ba7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat

Filesize
152B

MD5
740c412ab3f3a5acadd0038be632c38b

SHA1
d5bf23ea5a00881f848c8ba3b9b54949ad8baede

SHA256
da977f8b2a198d9de79309d60975417af8e0e01f8d10259a2ce2be2a59b954a0

SHA512
a8af2a6081f90f484dedded954433602e38f9756438ddd74094834d4b8547fe208e93f6d1a0a624ed1c9c45940efba8ef227f959c241b837dbddeb2dea56d577

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\Network Persistent State

Filesize
1KB

MD5
5dd4ab0fb4f4a7524073345b87389555

SHA1
fb90088ddd9d02a71a452fbf8cbb5c2c5027f057

SHA256
4744251b185c4483055a8712141eb948bca2f2f03a1738a8072757095f990a0c

SHA512
f223f759e4d4629f845da2d9673d6571ad58c3786ea90d96c39acb189e5d88d81aed0a70082e40a82cf0662b1e6683ac319f044fd091ea4c7f940cd769552c8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\Network Persistent State

Filesize
1KB

MD5
ee13a922cbab4e31cb287226823d6daf

SHA1
1be4f7975ac732ebc35a8611aff3ee444e1706e8

SHA256
422ec3c464f6ddc18f655b34eb61beb9447ebb4e726dd035cae02bcc8e988654

SHA512
9802a39cbe0f33757d4b1d7a5b9cdcf4dee591fa5f1ad95fc69784c396e65f1ed15d8d5439ea41ee071e328d19d6bc94662a70dc9cbcee54e986873ce7daabda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\TransportSecurity

Filesize
1KB

MD5
49efe594c4010e19bfdc517fe76e51c8

SHA1
2afbeb5a163ba05f0865af1694eab0a259f5ec3b

SHA256
3745cf3419e0f2e0d1e55e16ab569a60179e580ad8099396c23a26b4a6dfa79b

SHA512
87bfeef0d2ae1fb2cfdb1a22e957df8806504810eb612f7bde71fd90b8079e1ab285e8a840422f884166920795db61aa3b2fd95d6ec97dd78d7579ab973b3bab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\TransportSecurity

Filesize
2KB

MD5
cc86974602c674e63321f7bc44c62898

SHA1
1ddf471c4f20f208e71f7178c304ca2dc7477434

SHA256
20d3680cb6cb911185842bf343de5a33ca4e8e371e04d23720548ff149b58274

SHA512
fb0e255f76445ecfb26f3ae89b0a73b73f6ceacdf6fa12f9057046500398e94c75a2510d2abd8d1c3ac523e19eb642d5b02b9417a3d156271ac7588b0cdc47f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\TransportSecurity

Filesize
2KB

MD5
af4c40084412ed427b6d66ebffc04fa3

SHA1
5b0fe8417d5d55f282846d741bead32e937c6032

SHA256
03e0e490dff96a971385f903011d3b924c78cb683ee2b0dfee07a023aa3ade16

SHA512
36dc08e53c26459b62ae50263b3a5b6d8bb4bc2c3b11625a6477dd6628bb835d13b28142c506a51b71e08f40381993d9e818a1b4414f1c999e767924b0e0e5f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\TransportSecurity

Filesize
705B

MD5
1103ac29d35cd7303bcac394e2403fcc

SHA1
bd2b3ec8e5f53669af609d3c773486aaed39c984

SHA256
941e6df608225db71391ec23e1267521740aa4ac4c788b473379720cfb06b7fd

SHA512
4245a9dc38d1a92a768d676aae12f88508bbc1e136fa1dcc4fc31b007dd082e3007e86ebaacb561ff2222bd646484140bef796a778a8bfbd80342857acadc978

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Network\TransportSecurity~RFe58ce86.TMP

Filesize
370B

MD5
42f2f044b527b1c799a3dd14a6f51150

SHA1
7ab723ca56e053d615ff3d91f06e0d95125e497b

SHA256
e1a3ffb4652f5e6c91476b28c02168bc4c2eec89466dc2197c95683e512cdb35

SHA512
2661937bf9fed251c44cc1a41fd6ec95cca90f8248ed8bcad832c5a9b612525c65534a2052be37756b49acb7fbf1a0fad69b512d6642b877eb8b51ae5b062923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\Network Persistent State

Filesize
296B

MD5
5191f497de728827fb61bc1ad059be53

SHA1
b284fe0b603f804472f5864bdaff0df71740560b

SHA256
55da4a170b0cafe826a79a959d9da95f66431f9cb92a0e44e1dbb3c9e91af306

SHA512
e2536912f42e1e90c70b696c3e73068225729b6aff1e9ef17bd7541e14f5aced5e0cfc5eec5761db1c2b746f7aadfbeac73f836b5ef1b766db31e601e12781cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\TransportSecurity

Filesize
371B

MD5
def0cd5a9120b35ba84c2cc037abdf13

SHA1
335dcd524498dd87bd7db7f5a30a63ec2c91c4b4

SHA256
ce92a66d1cce411f713e6e9e73151ea78b288ad630cceb2093f1063eb1113f06

SHA512
fdecfea8023ced1a96dd7bf9e675deffd1f97a0989589b65c2a272f2c4657e26bcc3b8a9fbcebd42c423bd577482904221e764e00a86e621297eda98b6fc52e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\TransportSecurity

Filesize
535B

MD5
9fd4dce468a73f1961b2b9e0fae4bac8

SHA1
b36a58e6ea2b4b4b968bd38c167bd9c41670770a

SHA256
78050344480a4409211aaf9daf5704f0269a02c84ed9290982b49b3dbe891538

SHA512
199bfef6353d2face38634fdf78856a86984418ad1db34caae4aec425882e7e2a19a4c40e0abf7cf3ee18b5f419983749e5767c808a407ec2b609ef63617c4aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\TransportSecurity

Filesize
537B

MD5
829582c6cf9e280a515cd427b59aed6d

SHA1
66a859c3ea1dd9e580e40736f390e2a86a838c04

SHA256
b5314cce9be06aa7513a0326a273f30da6e2f827e060096107d8aaba79a37d9f

SHA512
45f28dfb937de0de32511d08804c61e030d2544ca3f7c97a62abc17c81ee091a6de05235920b1ba8b60f0c9ab6b49c98503059091c089fada599233475330acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\TransportSecurity~RFe588b05.TMP

Filesize
203B

MD5
924fe3d2b08bd4bac41c36ac5dbdcdb8

SHA1
da12537f6e62dfebb2240693e4ae46bd45d39008

SHA256
a0835ee888a4b50f904a63f8c105aacac9abbe5fe604632d3d790733dd35ba89

SHA512
519860662c1ab45372eb332605b352c885f8ecc8faf7cd7cfb2ccc11fce795d44be172401b0b49e795af2167a2a0c649caebc09581837947bfac9f02b5f8a503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\cfd324e6-c70b-4325-9547-00b897699387.tmp

Filesize
463B

MD5
576b9d8642e71387b78fd2ec1fddf4f6

SHA1
6f3398c7b83ae8f8d9e0fad0453a2c2d838a0022

SHA256
875120709af7f63ae3cf9347a48a6232f285f46d56d83c93102c1ff5c474c9d5

SHA512
0f854a894e16cc6511e5b07404fe023e9ca61ffdfd868ce5a4549b95b96aaaefe7e8d1fdc07caa1734f85192aa9669f628107f995397fe65e679a2f91431c6da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Partitions\e6644eda-6459-47fc-a8f9-2fe6f470a8e1\Network\e9670119-b13d-451a-aef5-f934346cca7c.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences

Filesize
172B

MD5
87a0cc216483c11c855cc2913274f58a

SHA1
1c532db616e6a251cf79a178215f284cca525915

SHA256
8a9d423f4ca11db148e8cdfcd1dde67ea6659646e37b945c076fabca2ec39f7d

SHA512
f7953d82aac6596d2c9a1995543162c84a85fd554d976873c5987c1f16327c683cb8e4240ec5257b1163d5d9688689865e8c2ba0b3eabce36eb3900e46b5f686

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences~RFe58f22b.TMP

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\SkypeRT\persistent.tmp

Filesize
217B

MD5
5fd50ef46f9d563a0e8edcc4626623ce

SHA1
2cccb101ed2b11e546338ee04c7d9d2e9dd82196

SHA256
69de4231099f702443ccbf24eccf03bc0ad3f8b6e8db4c839640eb97060d69f5

SHA512
d48ea34ca57d88d231974172db4e0e304a6c305d5e96023e675d0de7ac90e63a11d4c5ebaea20995385215b20e3e192bb2565f833174d6b7ad38b8850aae3a19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\SkypeRT\persistent.tmp

Filesize
125B

MD5
ec4d9f439130e87d14c5d9393db81dae

SHA1
0fda55b4810285b67bb618c990cc359f774e8d1c

SHA256
ca51985fa16e3e7eb6e9d539c9dd6566fb5874cdb4a27968852334a2d3cc67c7

SHA512
1ec168ceb925730b8b4fe53a03dd3fd40b97eb30b3bb39fbe6eb13dc1ec0d6cffff5c3d09422d49f10a2ead37266ac69a5e36c7545c5387daf7e36f62c7b4138

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\SkypeRT\persistent.tmp

Filesize
179B

MD5
9f9a9fb8dea224f1f561934cc40fe8ec

SHA1
c226d04c8e788bbc930415dfd4bff7130cdef588

SHA256
642dae079393347c41138330c3183b411f84d4a47082e90969466ecc0bc598db

SHA512
7ae12702611e73f7d43799884282fcc782ec062b9ebbbce467828666f1849c17c297454dd40306864a28dcf2f4838efa2fb4e730c8fa8f8f3d5e1afde51c88d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\SkypeRT\ul.conf

Filesize
129B

MD5
675c45cb98cc0763b4d1cf1634d8cdc6

SHA1
dc7d80494c990ad4a74e1b1034829e2a2474346d

SHA256
956f0e619f503adc5aaba631dafed88e594901fdf224c67eb34d2f8fb302ff2c

SHA512
2edd43d0b9f2455e098d361403901072c6807eadd1d331033ca1614022bcddb8732629e32dbc2e366aa7fb5eaa69e4410e3255b50682f217066ea28cfa73565f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json

Filesize
293B

MD5
e1ce79f94bf77b1142d217f427a0a4a4

SHA1
ae536e9784e63b0d7b9488542a647ec619428bc4

SHA256
7bec61653b6d24d77527a48cb26b33729c35a5488d4a9565ee16bc924c3ce60e

SHA512
e4689fa8568a428973d110f0168e8462913db0345cdcc10717c19d39836be283dfd7d31dfbe699141fef64b4f7d13061bb5beda57823b77d05f7ec1a7ffd3d0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json

Filesize
293B

MD5
013e0bc620dd079db5d3697290770812

SHA1
3e7640828fafa6bc2d8dad65a92ddc999f1df4b3

SHA256
a0b355d572c27b9fc6960ca99db3f578976e039470f76d8e613635d2a5f81fe8

SHA512
ecafe5be8e6549e70e9bf0195662fb25af9242314e31525510791eedf354723452da14b9777ad152d6094e064078402048407fe4bad3b78dd279a15abc09e14e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms

Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms

Filesize
1KB

MD5
b75a05554b35bd460a801fb6db5bf9c3

SHA1
56ef0398802ba57cfbb216422bf42b6f660fe058

SHA256
a93c81d4025406c7302c0b412aa5cbf5f588d78d083a89af5fb4cc444674afee

SHA512
b5a58602eb9557c56b7b4060bacde1c2d9c957cf730544fa91146ead21513b37ba18febed96f87ce2936e2e23ab9fec20329ede279bb7a1b75e22d30e98b0d30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms

Filesize
1KB

MD5
18b884e667498bceeaa1b7567dd6ec81

SHA1
3ffc7e64a1b3b39d993d9f655ddf6cdfe0430b18

SHA256
d484b0f3b02975ef95a2d94e3070fc81b25619f48caff3b0e780d805f6456422

SHA512
d4e70d6522d08cc9ecef3732f69bfca479e2850d1b4e95e025dbe998a6774160da824d63e1465487e7dd9d52a7092fc9748a64c46633e0406efc145b63c79518

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms

Filesize
1KB

MD5
57c4a86e249b3553dbac0d470fb0b3f5

SHA1
8430963045e6390154f0644339aaaccd3df7d80f

SHA256
30300550c57afcc33e021fa6f87dd961ee400be6405ee07f5acf9bd260a8370d

SHA512
63ed644f63427a2befb61f7314cef9e94cc6eee9d3348b15d197561a02ea9facf138d32593a18239a42aca142577f53bd61145b886036ad1438e8b7a80d77b19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms

Filesize
1KB

MD5
d2e26d6198abf045eb66ba70b6573188

SHA1
eb562858a2ef920a34d870b63e6fcde619710c74

SHA256
688520104bf0861ebf23f2cc83387ac10adec4fbca7fadc18b7f527a2fae943e

SHA512
eb3c39a9c2752c21a9f00b983fbeb30f504123e076c8709578b36105c7341d50003d8acab00b7d54ac7645c209ffe2247cd1836f2a90e443dd2cc8e7b971b64b

Download Submit
memory/1752-534-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/1752-508-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/1752-250-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/1752-251-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1752-537-0x0000000000400000-0x0000000000573000-memory.dmp

Filesize
1.4MB

Download
memory/1752-138-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2376-688-0x00000188D22B0000-0x00000188D22D0000-memory.dmp

Filesize
128KB

Download
memory/2376-692-0x00000188D2690000-0x00000188D26B0000-memory.dmp

Filesize
128KB

Download
memory/2376-690-0x00000188D2270000-0x00000188D2290000-memory.dmp

Filesize
128KB

Download
memory/4100-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4100-538-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4100-233-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download