File name: | flower.exe |
Full analysis: | https://app.any.run/tasks/97f10eba-2a30-406d-ad77-edbc0b77379c |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 08:44:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | 0877CBBBC5E976486B9CAF9D373E5277 |
SHA1: | D7D3A0C298C21A9A4AF1192E7950D3E5671D8084 |
SHA256: | 1696E19F3B0357D437F54BAA548E764625CC710EA2F13B1F9F58C5ACDBEC44CE |
SSDEEP: | 12:G22222222222222222222222222222222222222222222222222222222222222y:n |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3120 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3164 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2880 | "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" | C:\Windows\system32\mmc.exe | — | taskmgr.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3140 | "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" | C:\Windows\system32\mmc.exe | taskmgr.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3032 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | explorer.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
2492 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
2700 | C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f | C:\Windows\system32\reg.exe | Skype.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1464 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=B161FE6A0CBE0EFE71ABB78446D6B2AF --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=B161FE6A0CBE0EFE71ABB78446D6B2AF --renderer-client-id=3 --mojo-platform-channel-handle=1544 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | ||||
280 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\system32\reg.exe | — | Skype.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3236 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 2 Version: 8.29.0.50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3120 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsAC7F.tmp | — | |
MD5:— | SHA256:— | |||
3120 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsAC80.tmp | — | |
MD5:— | SHA256:— | |||
3032 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G7VDJKNN7P9FRXWO89GP.temp | — | |
MD5:— | SHA256:— | |||
3032 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe | — | |
MD5:— | SHA256:— | |||
1464 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-2839204298.blog | — | |
MD5:— | SHA256:— | |||
3236 | Skype.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt | text | |
MD5:F2F26E703C99DB0B88762E5E8A3506C2 | SHA256:2F334E777077C4CBBF92E590DD9B4B5C8D65857781FF9F16C0782C4405DCCCB3 | |||
3032 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms | binary | |
MD5:FF17E86FAAFB072686D650443C84A7D6 | SHA256:3AD89CB552952707F86D8BDF449FBC9E6486943D07985F49009C477595A659CB | |||
3032 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | text | |
MD5:58E20CA1E633885321EEB814130F4A7F | SHA256:BE62B7675CA31CE481E671CC8B51D77C07137B828CA27F9745DC5DA942A06BF3 | |||
3032 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-ms~RF1577d9.TMP | binary | |
MD5:FF17E86FAAFB072686D650443C84A7D6 | SHA256:3AD89CB552952707F86D8BDF449FBC9E6486943D07985F49009C477595A659CB | |||
768 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
768 | CCleaner.exe | GET | 301 | 151.101.0.64:80 | http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127 | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3032 | Skype.exe | 52.114.128.10:443 | pipe.skype.com | Microsoft Corporation | US | whitelisted |
3032 | Skype.exe | 13.90.95.57:443 | get.skype.com | Microsoft Corporation | US | whitelisted |
3032 | Skype.exe | 152.199.19.160:443 | endpoint920510.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3032 | Skype.exe | 40.79.33.178:443 | avatar.skype.com | Microsoft Corporation | US | whitelisted |
768 | CCleaner.exe | 151.101.0.64:443 | www.piriform.com | Fastly | US | whitelisted |
3032 | Skype.exe | 52.114.132.22:443 | browser.pipe.aria.microsoft.com | Microsoft Corporation | US | whitelisted |
3032 | Skype.exe | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
3032 | Skype.exe | 157.55.135.134:443 | login.live.com | Microsoft Corporation | US | whitelisted |
768 | CCleaner.exe | 151.101.2.202:443 | www.ccleaner.com | Fastly | US | suspicious |
3032 | Skype.exe | 216.58.215.234:443 | www.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
pipe.skype.com |
| whitelisted |
endpoint920510.azureedge.net |
| whitelisted |
login.live.com |
| whitelisted |
www.googleapis.com |
| whitelisted |
avatar.skype.com |
| whitelisted |
browser.pipe.aria.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
auth.gfx.ms |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3032 | Skype.exe | unknown | SURICATA TCPv4 invalid checksum |
3032 | Skype.exe | unknown | SURICATA IPv4 invalid checksum |
768 | CCleaner.exe | A Network Trojan was detected | SC MINER Miner Possible Bitcoin Miner Windows |
Process | Message |
---|---|
Skype.exe | [3236:3232:1218/084714.315:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [3236:3232:1218/084714.317:VERBOSE1:crash_service.cc(145)] window handle is 00020186
|
Skype.exe | [3236:3232:1218/084714.318:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [3236:3232:1218/084714.318:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [3236:3232:1218/084714.319:ERROR:crash_service.cc(311)] could not start dumper
|
Skype.exe | [2364:360:1218/084721.198:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [2364:360:1218/084721.200:VERBOSE1:crash_service.cc(145)] window handle is 00020180
|
Skype.exe | [2364:360:1218/084721.200:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [2364:360:1218/084721.200:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [2364:360:1218/084721.200:ERROR:crash_service.cc(311)] could not start dumper
|