analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

http://r4---sn-5hne6nsr.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.4

Full analysis: https://app.any.run/tasks/52088256-7742-4b50-8bfd-96e2927f19ad
Verdict: Malicious activity
Analysis date: July 17, 2019, 12:44:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-chrome-extension
File info: Google Chrome extension, version 3
MD5:

3C25A73F41438AFB76DFFF77DCE9EFB6

SHA1:

96A36E43894EE9E746CF276F71E35C28D84DE5BE

SHA256:

DE46D7FC153AEA4583FAA8A270741C473262D30F4C5575C670BC5D51DEF363DC

SSDEEP:

24576:Rkb8GiHduqm70Ya00rvB2zWbSKRH1JcPF:A8Gi6wv0YvBNtIt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 3056)
  • SUSPICIOUS

    • Reads CPU info

      • Skype.exe (PID: 3856)
    • Application launched itself

      • Skype.exe (PID: 3856)
      • Skype.exe (PID: 2020)
      • Skype.exe (PID: 2576)
    • Modifies the open verb of a shell class

      • Skype.exe (PID: 3856)
    • Creates files in the user directory

      • Skype.exe (PID: 3856)
      • Skype.exe (PID: 2576)
      • Skype.exe (PID: 2020)
    • Uses REG.EXE to modify Windows registry

      • Skype.exe (PID: 3856)
  • INFO

    • Manual execution by user

      • Skype.exe (PID: 3856)
    • Reads settings of System Certificates

      • Skype.exe (PID: 3856)
    • Dropped object may contain Bitcoin addresses

      • Skype.exe (PID: 3856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.crx | Google Chrome Extension (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs skype.exe skype.exe reg.exe skype.exe no specs reg.exe no specs skype.exe skype.exe no specs skype.exe

Process information

PID
CMD
Path
Indicators
Parent process
3876"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\7519.4C:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3856"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
explorer.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.29.0.50
3564"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.29.0.50
3056C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /fC:\Windows\system32\reg.exe
Skype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2576"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=22D4C0DD8C1FDCA5BE9316AEA6A6D256 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=22D4C0DD8C1FDCA5BE9316AEA6A6D256 --renderer-client-id=3 --mojo-platform-channel-handle=1544 /prefetch:1C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
0
Version:
8.29.0.50
2532C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdateC:\Windows\system32\reg.exeSkype.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3284"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
2
Version:
8.29.0.50
2020"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=D3A8AB22038FD6DF6FD2D98E705BCA6B --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=1 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=D3A8AB22038FD6DF6FD2D98E705BCA6B --renderer-client-id=4 --mojo-platform-channel-handle=2560 /prefetch:1C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Version:
8.29.0.50
1036"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
2
Version:
8.29.0.50
Total events
181
Read events
167
Write events
14
Delete events
0

Modification events

(PID) Process:(3056) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Skype for Desktop
Value:
C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
(PID) Process:(3856) Skype.exeKey:HKEY_CLASSES_ROOT\skype
Operation:writeName:URL Protocol
Value:
(PID) Process:(3856) Skype.exeKey:HKEY_CLASSES_ROOT\skype
Operation:writeName:
Value:
URL:skype
(PID) Process:(3856) Skype.exeKey:HKEY_CLASSES_ROOT\skype\shell\open\command
Operation:writeName:
Value:
"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" -- "%1"
(PID) Process:(3856) Skype.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
5
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P0RDAX3EPZ4JXMD3X3HE.temp
MD5:
SHA256:
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b916037c1e115fe0.customDestinations-msbinary
MD5:59FD9178DD338752902ED5C456AD9EA3
SHA256:6D231F4D38691A85FD387A1C3ED23AF91CFACD1CC226AB772C15C7AB9984246A
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.logbinary
MD5:D0FD893EB1A10E93A364B25661BF5975
SHA256:32F7EF85E263BFDBE7B6E4D404D1B40644FC18F225AA7F4E7C19A32587EDDF6F
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOGtext
MD5:402D2647AEBDAE16957BA511DB80235B
SHA256:18FD80F9784F10ECBF77D858FB528E6AB9320EE82550A52884107EB11FEF2EF7
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000020.ldbbinary
MD5:293E0F9B607CD2B0CDD018CF9D0CDA80
SHA256:C5D2E32E6B4104D72815C2DD3FF491DC500A1BBD78FC2E2A44C211D340DE6D9B
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.oldtext
MD5:7F39B22308B34B4138A09991EC4D41C5
SHA256:31C4D714AFBFAB8D23AE08F061F6A5F1E46A26B0AB20795EAC7D2134A55CCEB6
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old~RFe51b5.TMPtext
MD5:0D8DB3D43BCB9F490169188E803314DE
SHA256:1A5CBD55803117484FA35A69D5535F9B6D9FB7D3272A585084C9F4B2FA3C4AC3
3856Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.oldtext
MD5:0D8DB3D43BCB9F490169188E803314DE
SHA256:1A5CBD55803117484FA35A69D5535F9B6D9FB7D3272A585084C9F4B2FA3C4AC3
3284Skype.exeC:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txttext
MD5:6DC22DB9423F36FB59243A20E174AA3B
SHA256:0D4D989C8EB1C8D333509762D9D26F5DCFE02F7CF2364645C76D31B2CC9CD598
2020Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-1-614564229.blogbinary
MD5:E4BE1178DFBC0EA818374BF7E7C3D91C
SHA256:140D5F246B15E85B7B8B13E2598C6D0D23BB40EF2EC9E6E9ACB388E9C7C55513
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
17
DNS requests
8
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
172.217.16.202:443
www.googleapis.com
Google Inc.
US
whitelisted
13.107.3.128:443
a.config.skype.com
Microsoft Corporation
US
whitelisted
3856
Skype.exe
13.107.3.128:443
a.config.skype.com
Microsoft Corporation
US
whitelisted
3856
Skype.exe
13.90.95.57:443
get.skype.com
Microsoft Corporation
US
whitelisted
52.114.7.37:443
pipe.skype.com
Microsoft Corporation
HK
unknown
3856
Skype.exe
40.79.33.178:443
avatar.skype.com
Microsoft Corporation
US
whitelisted
3856
Skype.exe
52.114.76.34:443
browser.pipe.aria.microsoft.com
Microsoft Corporation
IE
whitelisted

DNS requests

Domain
IP
Reputation
get.skype.com
  • 13.90.95.57
whitelisted
a.config.skype.com
  • 13.107.3.128
whitelisted
pipe.skype.com
  • 52.114.7.37
whitelisted
b.config.skype.com
  • 13.107.3.128
whitelisted
www.googleapis.com
  • 172.217.16.202
  • 172.217.18.106
  • 172.217.23.170
  • 172.217.21.202
  • 216.58.205.234
  • 172.217.21.234
  • 172.217.18.170
  • 172.217.23.138
  • 216.58.206.10
  • 216.58.207.42
  • 216.58.207.74
  • 172.217.16.170
  • 216.58.208.42
  • 172.217.16.138
  • 172.217.22.42
  • 172.217.22.74
whitelisted
avatar.skype.com
  • 40.79.33.178
whitelisted
config.edge.skype.com
  • 13.107.3.128
whitelisted
browser.pipe.aria.microsoft.com
  • 52.114.76.34
whitelisted

Threats

No threats detected
Process
Message
Skype.exe
[3284:988:0717/134507.621:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe
[3284:988:0717/134507.622:VERBOSE1:crash_service.cc(145)] window handle is 000401A8
Skype.exe
[3284:988:0717/134507.624:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe
[3284:988:0717/134507.625:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe
[3284:988:0717/134507.626:ERROR:crash_service.cc(311)] could not start dumper
Skype.exe
[1036:3832:0717/134512.442:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe
[1036:3832:0717/134512.443:VERBOSE1:crash_service.cc(145)] window handle is 00050130
Skype.exe
[1036:3832:0717/134512.443:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe
[1036:3832:0717/134512.446:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe
[1036:3832:0717/134512.446:ERROR:crash_service.cc(311)] could not start dumper