File name: 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d

Full analysis: https://app.any.run/tasks/4ebf9825-650c-45da-bdc9-77ae9d854744
Verdict: Malicious activity
Analysis date: February 14, 2024, 00:45:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 65F7B330BCC7AEEBF8D84AFA0B23BF02
SHA1: 50FCC294C5CBA9CA4DC12613693798A5D412614A
SHA256: 0146C57CB02974DB2BAD93A85AAE7D5681A4AA98AEC6F214F72C280266CA619D
SSDEEP: 24576:GHBBPL0ANEY28PDNTJ12T3vEpIGGIvXfIHfIdh:GHDPLTuY2aNTJ12zvEpIGGIvXfI/Idh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 3668)
      • Skype-Setup.exe (PID: 316)
      • Skype-Setup.exe (PID: 1736)
      • CCleaner.exe (PID: 908)
      • Skype-Setup.tmp (PID: 2192)
    • Changes the autorun value in the registry

      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 3668)
    • Actions looks like stealing of personal data

      • CCleaner.exe (PID: 908)
    • Steals credentials from Web Browsers

      • CCleaner.exe (PID: 908)
  • SUSPICIOUS

    • Reads the Internet Settings

      • igfxext.exe (PID: 3700)
      • Skype.exe (PID: 3404)
      • Skype-Setup.tmp (PID: 2192)
      • CCleaner.exe (PID: 908)
    • Executable content was dropped or overwritten

      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 3668)
      • Skype-Setup.exe (PID: 316)
      • Skype-Setup.exe (PID: 1736)
      • Skype-Setup.tmp (PID: 2192)
      • CCleaner.exe (PID: 908)
    • Reads security settings of Internet Explorer

      • igfxext.exe (PID: 3700)
      • Skype-Setup.tmp (PID: 2192)
      • CCleaner.exe (PID: 908)
    • Application launched itself

      • Skype.exe (PID: 3404)
    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 2192)
    • Searches for installed software

      • Skype-Setup.tmp (PID: 2192)
      • CCleaner.exe (PID: 908)
    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 2192)
    • Process drops legitimate windows executable

      • Skype-Setup.tmp (PID: 2192)
    • The process executes via Task Scheduler

      • CCleaner.exe (PID: 908)
    • Checks Windows Trust Settings

      • CCleaner.exe (PID: 908)
    • Reads settings of System Certificates

      • CCleaner.exe (PID: 908)
    • Reads the date of Windows installation

      • CCleaner.exe (PID: 908)
    • Reads Microsoft Outlook installation path

      • CCleaner.exe (PID: 908)
    • Reads Internet Explorer settings

      • CCleaner.exe (PID: 908)
  • INFO

    • Checks supported languages

      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 3668)
      • igfxext.exe (PID: 3700)
      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 2332)
      • Skype.exe (PID: 3404)
      • Skype.exe (PID: 2972)
      • Skype.exe (PID: 1728)
      • Skype.exe (PID: 2172)
      • Skype-Setup.tmp (PID: 552)
      • Skype.exe (PID: 1592)
      • Skype-Setup.exe (PID: 1736)
      • Skype-Setup.tmp (PID: 2192)
      • Skype-Setup.exe (PID: 316)
      • Skype.exe (PID: 2568)
      • CCleaner.exe (PID: 908)
      • CCleaner.exe (PID: 668)
      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 2444)
    • Reads product name

      • igfxext.exe (PID: 3700)
      • Skype.exe (PID: 3404)
      • CCleaner.exe (PID: 908)
    • Checks Windows language

      • igfxext.exe (PID: 3700)
    • Reads Environment values

      • igfxext.exe (PID: 3700)
      • Skype.exe (PID: 3404)
      • CCleaner.exe (PID: 668)
      • CCleaner.exe (PID: 908)
    • Creates files or folders in the user directory

      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 3668)
      • Skype.exe (PID: 3404)
      • CCleaner.exe (PID: 908)
    • Checks proxy server information

      • igfxext.exe (PID: 3700)
      • CCleaner.exe (PID: 908)
    • Reads CPU info

      • igfxext.exe (PID: 3700)
      • Skype.exe (PID: 3404)
      • CCleaner.exe (PID: 908)
    • Reads the computer name

      • igfxext.exe (PID: 3700)
      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 3668)
      • Skype.exe (PID: 1728)
      • Skype.exe (PID: 3404)
      • Skype.exe (PID: 2172)
      • Skype.exe (PID: 2568)
      • Skype.exe (PID: 1592)
      • Skype-Setup.tmp (PID: 552)
      • Skype-Setup.tmp (PID: 2192)
      • CCleaner.exe (PID: 668)
      • CCleaner.exe (PID: 908)
    • Reads the machine GUID from the registry

      • igfxext.exe (PID: 3700)
      • CCleaner.exe (PID: 908)
    • Manual execution by a user

      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 2444)
      • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (PID: 2332)
      • WINWORD.EXE (PID: 2792)
      • Skype.exe (PID: 3404)
      • WINWORD.EXE (PID: 240)
      • CCleaner.exe (PID: 668)
    • Create files in a temporary directory

      • Skype-Setup.exe (PID: 1736)
      • Skype-Setup.tmp (PID: 2192)
      • Skype-Setup.exe (PID: 316)
    • Creates files in the program directory

      • Skype-Setup.tmp (PID: 2192)
      • CCleaner.exe (PID: 908)
    • Reads the software policy settings

      • CCleaner.exe (PID: 908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library - Borland C/C++ (84.2)
.scr | Windows screen saver (5)
.exe | DOS Executable Borland C++ (4.9)
.dll | Win32 Dynamic Link Library (generic) (2.5)
.exe | Win32 Executable (generic) (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:02:28 05:44:04+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 5
CodeSize: 446464
InitializedDataSize: 40960
UninitializedDataSize: -
EntryPoint: 0x1ca250
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 69
Monitored processes: 21
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Process nodes in the graph (in graph order; "no specs" marks nodes without their own indicators):
  • start
  • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe
  • igfxext.exe (no specs)
  • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (no specs)
  • 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe (no specs)
  • PhotoViewer.dll (no specs)
  • winword.exe (no specs)
  • winword.exe (no specs)
  • PhotoViewer.dll (no specs)
  • skype.exe
  • skype.exe
  • skype.exe (no specs)
  • skype.exe (no specs)
  • skype-setup.exe
  • skype.exe (no specs)
  • skype-setup.tmp (no specs)
  • skype.exe (no specs)
  • skype-setup.exe
  • skype-setup.tmp
  • taskkill.exe (no specs)
  • ccleaner.exe (no specs)
  • ccleaner.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 240 | CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\flowersproject.rtf" | Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 316 | CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /silent !desktopicon | Path: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe | Parent process: Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype Setup
Exit code:
5
Version:
8.110.0.218
Modules
Images
c:\users\admin\appdata\roaming\microsoft\skype for desktop\skype-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 552 | CMD: "C:\Users\admin\AppData\Local\Temp\is-0JI06.tmp\Skype-Setup.tmp" /SL5="$D0206,88729071,404480,C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /silent !desktopicon | Path: C:\Users\admin\AppData\Local\Temp\is-0JI06.tmp\Skype-Setup.tmp | Parent process: Skype-Setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
5
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-0ji06.tmp\skype-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 668 | CMD: "C:\Program Files\CCleaner\CCleaner.exe" | Path: C:\Program Files\CCleaner\CCleaner.exe | Parent process: explorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
6.14.0.10584
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID: 864 | CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | Path: C:\Windows\System32\dllhost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 908 | CMD: "C:\Program Files\CCleaner\CCleaner.exe" /uac | Path: C:\Program Files\CCleaner\CCleaner.exe | Parent process: taskeng.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Exit code:
0
Version:
6.14.0.10584
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID: 1308 | CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | Path: C:\Windows\System32\dllhost.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1504 | CMD: "C:\Windows\System32\taskkill.exe" /f /im Skype.exe | Path: C:\Windows\System32\taskkill.exe | Parent process: Skype-Setup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 1592 | CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1868 --field-trial-handle=1328,i,11732618299659875745,15751516181472844588,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Parent process: Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1728 | CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1312 --field-trial-handle=1328,i,11732618299659875745,15751516181472844588,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 | Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Parent process: Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.110.0.215
Modules
Images
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events: 33 978
Read events: 32 790
Write events: 470
Delete events: 718

Modification events

(PID) Process: (3668) 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: igfxext.exe
Value: C:\Users\admin\AppData\Roaming\Sun\Java\jre2.5.8\igfxext.exe /258

(PID) Process: (3668) 0146c57cb02974db2bad93a85aae7d5681a4aa98aec6f214f72c280266ca619d.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: tintsetp.exe
Value:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:

(PID) Process: (3700) igfxext.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:
Executable files: 97
Suspicious files: 30
Text files: 9
Unknown types: 15

Dropped files

PID | Process | Filename | Type

2792 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR659B.tmp.cvr |
MD5:
SHA256:

240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR76E0.tmp.cvr |
MD5:
SHA256:

2792 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
MD5: D896C475D3F31E3BC41A0CFDBC906CAD
SHA256: EFDC69F781406CC9F2D873196249D33502A95B724BD3A785AC2D4E3F58CE1915

240 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{09B05A35-4C03-4A29-B0D8-ED5D709570EF}.tmp | binary
MD5: 4E00FF783C4B05AD960FB870CBE2F183
SHA256: 5902F8BEEB134EA3F72B0CA51F1ED0327153735D6AB3936C2B095F560D0C791A

3404 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat | binary
MD5: 3B2AEFD32F61DB8110091B81A16A9AD1
SHA256: 27A6D2020F45CD9D3F4DFCF837EC661A1D997B08D23E3CB41B94186C21A50B37

316 | Skype-Setup.exe | C:\Users\admin\AppData\Local\Temp\is-0JI06.tmp\Skype-Setup.tmp | executable
MD5: 55364BFEA54A03CCBA0F0400DF3D629F
SHA256: 94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE

3404 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | binary
MD5: A1550797F97F4818B4F200703AA2AC50
SHA256: C0A2602AA2E47A47BF434954436D37783448197761760A0A3A3A6367E76C3810

3404 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old~RF18a023.TMP | text
MD5: FF878337359379694741312E6B39EF79
SHA256: AFDE1D769112411CE68EBA5A2821FED0E058B8A31D0795F6047718DD324B3C8F

2792 | WINWORD.EXE | C:\Users\admin\Desktop\~$llowjun.rtf | binary
MD5: C82D3E7BB43898D1FC728BE637CB4164
SHA256: 8DBFFF21CF16DCB31E5BD5CB1E09511B1CD112B4C75B082C8E89877B50C4614C

3404 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | text
MD5: AEAB6EEF48334E4749D630894ADCA674
SHA256: 7B1139E4ABA3CF16CA2C097DC19F515B73C934315CC497769B6627C6252AE264
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 26
DNS requests: 23
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
908 | CCleaner.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?40a1aadb37d09f72 | CN: unknown | Reputation: unknown
908 | CCleaner.exe | GET | 200 | 104.124.11.43:80 | http://ncc.avast.com/ncc.txt | CN: unknown | Type: text | Size: 26 b | Reputation: unknown
908 | CCleaner.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9f10c451d5ad1d0a | CN: unknown | Reputation: unknown
908 | CCleaner.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3ce1985a001c0f49 | CN: unknown | Reputation: unknown
908 | CCleaner.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f98bee47d6ee84e6 | CN: unknown | Reputation: unknown
908 | CCleaner.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | CN: unknown | Type: binary | Size: 1.41 Kb | Reputation: unknown
908 | CCleaner.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | CN: unknown | Type: binary | Size: 471 b | Reputation: unknown
908 | CCleaner.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/s/gts1d4/dKa2DF3Ws7g/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQCirF%2F66XssownTCQRm1ZB%2F | CN: unknown | Type: binary | Size: 472 b | Reputation: unknown
908 | CCleaner.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/s/gts1d4/NR-xsrnkFN0/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQDy8%2F016576jRBISHseO2T7 | CN: unknown | Type: binary | Size: 472 b | Reputation: unknown
908 | CCleaner.exe | GET | 200 | 142.250.186.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D | CN: unknown | Type: binary | Size: 724 b | Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | Reputation: whitelisted
4 | System | 192.168.100.255:137 | Reputation: whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | Reputation: unknown
3404 | Skype.exe | 52.113.194.133:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3404 | Skype.exe | 52.123.242.160:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
3404 | Skype.exe | 2.19.244.163:443 | download.skype.com | AKAMAI-AS | DE | unknown
908 | CCleaner.exe | 104.124.11.43:80 | ncc.avast.com | Akamai International B.V. | DE | unknown
908 | CCleaner.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
908 | CCleaner.exe | 23.206.209.82:443 | www.ccleaner.com | AKAMAI-AS | DE | unknown
908 | CCleaner.exe | 34.111.24.1:443 | ipm-provider.ff.avast.com | GOOGLE | US | unknown

DNS requests

Domain | IP | Reputation
blonze.createandhost.com | | unknown
goldblacktree.waldennetworks.com | | unknown
get.skype.com | 52.113.194.133 | whitelisted
a.config.skype.com | 52.123.242.160, 52.123.242.175, 52.123.255.68, 52.123.242.186 | whitelisted
download.skype.com | 2.19.244.163 | whitelisted
ncc.avast.com | 104.124.11.43, 104.124.11.73 | whitelisted
analytics.ff.avast.com | 34.117.223.223 | whitelisted
ipm-provider.ff.avast.com | 34.111.24.1 | whitelisted
www.ccleaner.com | 23.206.209.82 | whitelisted
ip-info.ff.avast.com | 34.149.149.62 | whitelisted

Threats

PID | Process | Class | Message
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
908 | CCleaner.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Process | Message
Skype.exe | [0214/004637.533:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
CCleaner.exe | [2024-02-14 00:46:49.961] [error ] [settings ] [ 908: 3436] [6000C4: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe | OnLanguage - en
CCleaner.exe | [2024-02-14 00:46:50.586] [error ] [settings ] [ 908: 3268] [9434E9: 359] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner.exe | [2024-02-14 00:46:50.602] [error ] [Burger ] [ 908: 3268] [FDA25D: 244] [23.1.806.0] [BurgerReporter.cpp] [244] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner.exe | [2024-02-14 00:46:50.602] [error ] [Burger ] [ 908: 3268] [FDA25D: 244] [23.1.806.0] [BurgerReporter.cpp] [244] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner.exe | startCheckingLicense()
CCleaner.exe | OnLanguage - en
CCleaner.exe | OnLanguage - en