URL: https://online.fliphtml5.com/hvkpr/eylc/?1603125917770

Full analysis: https://app.any.run/tasks/92370ee3-59fb-4f93-9331-c5b9c0ebf42a
Verdict: Malicious activity
Analysis date: October 19, 2020, 21:12:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Indicators:
MD5: 15F2BFFE76B9E5FB7E073CF6F4DC57BF
SHA1: DFEC7D134A1770349133268DFB17467EBEEF5511
SHA256: 2D181987319F891646F6952EA01CCC2A46BF882883ABCC367A2882F7AB67D67E
SSDEEP: 3:N8CIIrWTOgZWOQKV:2ChLl2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • reg.exe (PID: 800)
  • SUSPICIOUS
    • Reads CPU info
      • Skype.exe (PID: 2072)
    • Application launched itself
      • Skype.exe (PID: 2072)
      • Skype.exe (PID: 676)
      • Skype.exe (PID: 1468)
    • Modifies the open verb of a shell class
      • Skype.exe (PID: 2072)
    • Creates files in the user directory
      • Skype.exe (PID: 2072)
      • Skype.exe (PID: 676)
      • Skype.exe (PID: 1468)
    • Uses REG.EXE to modify Windows registry
      • Skype.exe (PID: 2072)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1292)
      • iexplore.exe (PID: 928)
      • Skype.exe (PID: 2072)
    • Reads internet explorer settings
      • iexplore.exe (PID: 928)
    • Changes internet zones settings
      • iexplore.exe (PID: 1292)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 1292)
      • iexplore.exe (PID: 928)
    • Application launched itself
      • iexplore.exe (PID: 1292)
      • chrome.exe (PID: 3920)
    • Manual execution by user
      • Skype.exe (PID: 2072)
      • chrome.exe (PID: 3920)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1292)
    • Changes settings of System certificates
      • iexplore.exe (PID: 1292)
    • Reads the hosts file
      • Skype.exe (PID: 2072)
      • chrome.exe (PID: 3184)
      • chrome.exe (PID: 3920)
    • Dropped object may contain Bitcoin addresses
      • Skype.exe (PID: 2072)
No Malware configuration.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 20
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Interactive process graph (not reproduced here) linking the iexplore.exe, skype.exe, reg.exe and chrome.exe processes and their children; details are in the full report.

Process information

PID 1292
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://online.fliphtml5.com/hvkpr/eylc/?1603125917770
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 928
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1292 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2072
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.29.0.50

PID 536
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Version: 8.29.0.50

PID 800
CMD: C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f
Path: C:\Windows\system32\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 676
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=E8F722EA92E6B6D7903398474C917FE8 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=E8F722EA92E6B6D7903398474C917FE8 --renderer-client-id=3 --mojo-platform-channel-handle=1584 /prefetch:1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.29.0.50

PID 2348
CMD: C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate
Path: C:\Windows\system32\reg.exe
Parent process: Skype.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2448
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 2
Version: 8.29.0.50

PID 3920
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID 2392
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6abba9d0,0x6abba9e0,0x6abba9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100
Total events: 1 282
Read events: 1 149
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 48
Text files: 98
Unknown types: 14

Dropped files

PID 1292, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type:
MD5:
SHA256:

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\CabB907.tmp
Type:
MD5:
SHA256:

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\TarB918.tmp
Type:
MD5:
SHA256:

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Type: binary
MD5: C276B48F3F62B3F340F9DB451C107F6E
SHA256: A131E14C9BE8B058399D51402135350EB3427945F1EB17B8BE8B42B2A1C1330B

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Type: binary
MD5: CDE63C265445E67CCAB5DC2A790C1F91
SHA256: 36E3DAB1E98B29EEC6815F45C033E8FD3A883D41ED496689718699FC31C97E78

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DE813224C2AD6BA52F6E21228A0770E1
Type: binary
MD5: 532FEE0F1063E901930E4745397FEDC2
SHA256: 099345A23F6E840BB2F02996179F05F6CAA255065E0B692C8FF8689A690837CD

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\config[1].js
Type: text
MD5: 53FC0237712FEAB0FAA2518FF2AE283D
SHA256: 93516F69B74B950784BD6F3E0CC4F9FE3FCD1697010DE71EB1BA115B2DD25EC7

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Type: der
MD5: 648757DF25F29CAB931E4A8D80F58427
SHA256: D689291E7AF26822494E406E7449C1DC556FE817FDF96DE356D337AD1B23F75E

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\eylc[1].htm
Type: html
MD5: 21CE41FBF91F82D9BD497467BA46F9B6
SHA256: 7988400874393AD282622A1B22A2A1C8FC15855032363F402BCD8B002FCDDB35

PID 928, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\book_config[1].js
Type: text
MD5: 4075A13EA9087DF87B65100F15304726
SHA256: 11DDB938B5F63D32AE125154C6E539E964E8B0A0EAF81C050A0D80265663C341
HTTP(S) requests: 16
TCP/UDP connections: 47
DNS requests: 32
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
928 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
928 | iexplore.exe | GET | 200 | 192.124.249.23:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
1292 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
928 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
928 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAT%2FaBG%2BJBrPQTGNtW7lyUM%3D | US | der | 471 b | whitelisted
928 | iexplore.exe | GET | 200 | 192.124.249.23:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
928 | iexplore.exe | GET | 200 | 192.124.249.23:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCE0inEJqQoMM | US | der | 1.74 Kb | whitelisted
928 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://crl.godaddy.com/gdig2s1-1709.crl | US | binary | 68.0 Kb | whitelisted
1292 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
928 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCE0inEJqQoMM | US | der | 1.74 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
928 | iexplore.exe | 99.86.7.19:443 | online.fliphtml5.com | AT&T Services, Inc. | US | malicious
928 | iexplore.exe | 99.86.7.34:443 | online.fliphtml5.com | AT&T Services, Inc. | US | suspicious
- | - | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
928 | iexplore.exe | 192.124.249.23:80 | ocsp.godaddy.com | Sucuri | US | suspicious
928 | iexplore.exe | 192.124.249.36:80 | ocsp.godaddy.com | Sucuri | US | suspicious
928 | iexplore.exe | 192.124.249.41:80 | ocsp.godaddy.com | Sucuri | US | suspicious
1292 | iexplore.exe | 99.86.7.34:443 | online.fliphtml5.com | AT&T Services, Inc. | US | suspicious
- | - | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
928 | iexplore.exe | 185.60.216.19:443 | connect.facebook.net | Facebook, Inc. | IE | whitelisted
928 | iexplore.exe | 99.86.7.23:443 | static.fliphtml5.com | AT&T Services, Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
online.fliphtml5.com | 99.86.7.19, 99.86.7.34, 99.86.7.59, 99.86.7.99 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
ocsp.godaddy.com | 192.124.249.23, 192.124.249.22, 192.124.249.41, 192.124.249.36, 192.124.249.24 | whitelisted
crl.godaddy.com | 192.124.249.41, 192.124.249.31, 192.124.249.36 | whitelisted
static.fliphtml5.com | 99.86.7.23, 99.86.7.129, 99.86.7.82, 99.86.7.72 | whitelisted
connect.facebook.net | 185.60.216.19 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

No threats detected

Process | Message
Skype.exe | [2448:3228:1019/221345.309:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [2448:3228:1019/221345.311:VERBOSE1:crash_service.cc(145)] window handle is 0002023E
Skype.exe | [2448:3228:1019/221345.311:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe | [2448:3228:1019/221345.311:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [2448:3228:1019/221345.312:ERROR:crash_service.cc(311)] could not start dumper
Skype.exe | [2080:4032:1019/221355.250:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [2080:4032:1019/221355.252:VERBOSE1:crash_service.cc(145)] window handle is 0003013A
Skype.exe | [2080:4032:1019/221355.252:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe | [2080:4032:1019/221355.252:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [2080:4032:1019/221355.253:ERROR:crash_service.cc(311)] could not start dumper