analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://teams.microsoft.com/dl/launcher/launcher.html?url=%2f_%23%2fl%2fteam%2f19%3a8cf7dfcae0d14efeaa057dbc99bee101%40thread.skype%2fconversations%3ftenantId%3d7087a6be-5e7d-49e8-9ee5-3c7ffd3f1e65&type=team&deeplinkId=ca329099-d6db-4a01-832c-2703c9453ae2&directDl=true&msLaunch=true&enableMobilePage=true&suppressPrompt=true

Full analysis: https://app.any.run/tasks/18f231fd-f4a4-4c1a-b63f-41e3013b570b
Verdict: Malicious activity
Analysis date: September 10, 2019, 21:42:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

95231AF6639855AAF40E1830BD69ACC0

SHA1:

779D71D656ED3E505B583A723B1C9FA48550E352

SHA256:

D5E73BCD9A49F0F6938785286C073CAE49B6A223F647FE08378657A22B5D6D1A

SSDEEP:

6:2In+DIeG531EgCDy1DNQotzMSj6Rsxv/iPsEtnZdEbALLjd:2In+DIeY31xDNntURsN+ltZdEb8jd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Teams_windows_s_8D73638194D5326-2-0_.exe (PID: 2932)
      • Update.exe (PID: 3044)
      • update.exe (PID: 3800)
      • Squirrel.exe (PID: 2472)

    • Loads dropped or rewritten executable

      • Teams.exe (PID: 1156)
      • Teams.exe (PID: 3792)
      • Teams.exe (PID: 1260)
      • regsvr32.exe (PID: 528)
      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 3568)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 3148)
      • Teams.exe (PID: 2588)
      • Teams.exe (PID: 3644)
      • Teams.exe (PID: 2360)
      • Teams.exe (PID: 3596)
      • Teams.exe (PID: 3564)
      • Teams.exe (PID: 2572)
      • Teams.exe (PID: 1360)
      • Teams.exe (PID: 2824)
      • Teams.exe (PID: 552)
      • Teams.exe (PID: 4068)
      • Teams.exe (PID: 3192)
      • Teams.exe (PID: 3632)
      • Teams.exe (PID: 3052)
      • Teams.exe (PID: 3224)
      • Teams.exe (PID: 1816)
      • Teams.exe (PID: 3680)
      • Teams.exe (PID: 1016)

    • Registers / Runs the DLL via REGSVR32.EXE

      • Update.exe (PID: 3044)

    • Changes the autorun value in the registry

      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 3632)

  • SUSPICIOUS

    • Reads CPU info

      • Teams.exe (PID: 1156)
      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 3632)

    • Executable content was dropped or overwritten

      • Teams_windows_s_8D73638194D5326-2-0_.exe (PID: 2932)
      • chrome.exe (PID: 2912)
      • Squirrel.exe (PID: 2472)
      • Update.exe (PID: 3044)

    • Creates files in the user directory

      • Teams.exe (PID: 1156)
      • update.exe (PID: 3800)
      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 3632)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2912)

    • Application launched itself

      • Teams.exe (PID: 1156)
      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 3632)

    • Reads Environment values

      • Update.exe (PID: 3044)

    • Creates COM task schedule object

      • regsvr32.exe (PID: 528)

    • Creates a software uninstall entry

      • Update.exe (PID: 3044)

    • Modifies the open verb of a shell class

      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 3632)

    • Reads internet explorer settings

      • Teams.exe (PID: 2244)

    • Reads Internet Cache Settings

      • Teams.exe (PID: 2244)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2912)
      • chrome.exe (PID: 2392)
      • Teams.exe (PID: 1156)
      • Teams.exe (PID: 2244)
      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 3632)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2912)

    • Reads settings of System Certificates

      • chrome.exe (PID: 2392)
      • Update.exe (PID: 3044)
      • Teams.exe (PID: 2528)
      • Teams.exe (PID: 2244)

    • Application launched itself

      • chrome.exe (PID: 2912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
84
Monitored processes
50
Malicious processes
28
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs teams_windows_s_8d73638194d5326-2-0_.exe update.exe squirrel.exe teams.exe update.exe no specs teams.exe no specs teams.exe no specs teams.exe regsvr32.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs teams.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2912"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://teams.microsoft.com/dl/launcher/launcher.html?url=%2f_%23%2fl%2fteam%2f19%3a8cf7dfcae0d14efeaa057dbc99bee101%40thread.skype%2fconversations%3ftenantId%3d7087a6be-5e7d-49e8-9ee5-3c7ffd3f1e65&type=team&deeplinkId=ca329099-d6db-4a01-832c-2703c9453ae2&directDl=true&msLaunch=true&enableMobilePage=true&suppressPrompt=true"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3584"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fdea9d0,0x6fdea9e0,0x6fdea9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2800"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2916 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
4076"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11887315092805064951 --mojo-platform-channel-handle=1000 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2392"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=14335879791012145700 --mojo-platform-channel-handle=1568 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3860"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4072639779794736149 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2668"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13082818434744030117 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3504"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14999772758230222346 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3456"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=5993573536800396435 --mojo-platform-channel-handle=3004 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3500"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=984,15063037570338234419,11209023755964087141,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=1301821397332809957 --mojo-platform-channel-handle=3464 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
3 485
Read events
3 257
Write events
0
Delete events
0

Modification events

No data
Executable files
365
Suspicious files
51
Text files
410
Unknown types
69

Dropped files

PID
Process
Filename
Type
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\9530801e-9390-44f2-ba8c-3fc9a7df4cdb.tmp
MD5:
SHA256:
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF168ef6.TMPtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF168f15.TMPtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
2912chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF168ed7.TMPtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
54
DNS requests
33
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2392
chrome.exe
GET
302
172.217.22.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
515 b
whitelisted
2392
chrome.exe
GET
200
172.217.132.102:80
http://r1---sn-5hne6nsy.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.104.186.93&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1568151682&mv=m&mvi=0&pl=24&shardbypass=yes
US
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2392
chrome.exe
172.217.18.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2392
chrome.exe
216.58.207.36:443
www.google.com
Google Inc.
US
whitelisted
2392
chrome.exe
52.142.114.2:443
c1.microsoft.com
Microsoft Corporation
IE
whitelisted
2392
chrome.exe
216.58.210.2:443
adservice.google.com
Google Inc.
US
whitelisted
2392
chrome.exe
152.199.19.160:443
az725175.vo.msecnd.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2392
chrome.exe
172.217.23.141:443
accounts.google.com
Google Inc.
US
whitelisted
2392
chrome.exe
204.79.197.200:443
c.bing.com
Microsoft Corporation
US
whitelisted
2392
chrome.exe
52.113.194.131:443
teams.microsoft.com
Microsoft Corporation
US
whitelisted
2392
chrome.exe
52.114.158.91:443
browser.pipe.aria.microsoft.com
Microsoft Corporation
US
unknown
2392
chrome.exe
104.109.67.58:443
secure.skypeassets.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
teams.microsoft.com
  • 52.113.194.131
whitelisted
accounts.google.com
  • 172.217.23.141
shared
statics.teams.microsoft.com
  • 52.113.194.131
whitelisted
secure.skypeassets.com
  • 104.109.67.58
whitelisted
az725175.vo.msecnd.net
  • 152.199.19.160
whitelisted
browser.pipe.aria.microsoft.com
  • 52.114.158.91
whitelisted
web.vortex.data.microsoft.com
  • 40.77.226.250
whitelisted
c1.microsoft.com
  • 52.142.114.2
whitelisted
c.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
Process
Message
Teams.exe
[native-utils/CrashHandler] starting with UseWERFlagAndErrorMode
Teams.exe
AuthenticationContext created
Teams.exe
AuthenticationRequest created
Teams.exe
AuthenticationRequest created
Teams.exe
AuthenticationRequest created
Teams.exe
AuthenticationRequest destroyed
Teams.exe
[native-utils/CrashHandler] starting with UseWERFlagAndErrorMode
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://teams.microsoft.com/dl/launcher/launcher.html?url=%2f_%23%2fl%2fteam%2f19%3a8cf7dfcae0d14efeaa057dbc99bee101%40thread.skype%2fconversations%3ftenantId%3d7087a6be-5e7d-49e8-9ee5-3c7ffd3f1e65&type=team&deeplinkId=ca329099-d6db-4a01-832c-2703c9453ae2&directDl=true&msLaunch=true&enableMobilePage=true&suppressPrompt=true