Malware analysis Tetris_[1MB]_[unsign].exe Malicious activity

Add for printing

File name:	Tetris_[1MB]_[unsign].exe
Full analysis:	https://app.any.run/tasks/91a8a552-a35c-4cf1-9e48-338d1dd1e770
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Malware Trends Tracker >>>
Analysis date:	October 07, 2024, 20:41:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lumma evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	1A5D71C3599527FB28C664D6CEAC31A7
SHA1:	6E8F3B75B3BB10ACC516FF66D9C11158C8E50AD9
SHA256:	03E63519DB141D06B6B05AF9A9BCD0F9A908DAEDE372E8A7122285656D216A62
SSDEEP:	49152:vTcWF3TyGbyjvSgl+iiF5iSPgQleHgHXuYZpdABsTTBZZnSYPd/Ur9o4:ZUCFjTBZZSYPd8Bo4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LUMMA has been detected (YARA)
  - Tetris_[1MB]_[unsign].exe (PID: 6328)
SUSPICIOUS
- There is functionality for taking screenshot (YARA)
  - Tetris_[1MB]_[unsign].exe (PID: 6328)
- Application launched itself
  - CCleaner64.exe (PID: 240)
  - CCleaner64.exe (PID: 5796)
- Executable content was dropped or overwritten
  - CCleaner64.exe (PID: 5796)
  - CCleaner64.exe (PID: 5476)
- Checks for external IP
  - CCleaner64.exe (PID: 5796)
INFO
- Reads the software policy settings
  - Tetris_[1MB]_[unsign].exe (PID: 6328)
- Checks supported languages
  - Tetris_[1MB]_[unsign].exe (PID: 6328)
- Manual execution by a user
  - Taskmgr.exe (PID: 6600)
  - CCleaner64.exe (PID: 240)
  - Taskmgr.exe (PID: 5548)
- Reads the computer name
  - Tetris_[1MB]_[unsign].exe (PID: 6328)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable Delphi generic (37.4)
.scr	\|	Windows screen saver (34.5)
.exe	\|	Win32 Executable (generic) (11.9)
.exe	\|	Win16/32 Executable Delphi generic (5.4)
.exe	\|	Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	541696
InitializedDataSize:	812032
UninitializedDataSize:	-
EntryPoint:	0x851e4
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.1.7
ProductVersionNumber:	1.0.1.7
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Van Loo Software (TM)
FileDescription:	Tetris - 2D
FileVersion:	1.0.1.7
InternalName:	-
LegalCopyright:	© 2007 - 2037 - Van Loo Software (TM)
LegalTrademarks:	Van Loo Software (TM)
OriginalFileName:	Tetris
ProductName:	SSuite Office - Games Division
ProductVersion:	1.0.0.0
Comments:	Enjoy!

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

240

"C:\Program Files\CCleaner\CCleaner64.exe"

C:\Program Files\CCleaner\CCleaner64.exe

—

explorer.exe

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

MEDIUM

Description:

CCleaner

Exit code:

Version:

6.20.0.10897

Modules

Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

5476

"C:\Program Files\CCleaner\CCleaner64.exe" /monitor

C:\Program Files\CCleaner\CCleaner64.exe

CCleaner64.exe

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

HIGH

Description:

CCleaner

Version:

6.20.0.10897

Modules

Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

5548

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Manager

Exit code:

3221226540

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll

5796

"C:\Program Files\CCleaner\CCleaner64.exe" /uac

C:\Program Files\CCleaner\CCleaner64.exe

CCleaner64.exe

User:

admin

Company:

Piriform Software Ltd

Integrity Level:

HIGH

Description:

CCleaner

Exit code:

Version:

6.20.0.10897

Modules

Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

6328

"C:\Users\admin\AppData\Local\Temp\Tetris_[1MB]_[unsign].exe"

C:\Users\admin\AppData\Local\Temp\Tetris_[1MB]_[unsign].exe

explorer.exe

User:

admin

Company:

Van Loo Software (TM)

Integrity Level:

MEDIUM

Description:

Tetris - 2D

Exit code:

Version:

1.0.1.7

Modules

Images
c:\users\admin\appdata\local\temp\tetris_[1mb]_[unsign].exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6600

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Manager

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

18 654

Read events

18 517

Write events

Delete events

Modification events


(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	write	Name:	DAST
Value: 10/07/2024 20:42:30
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	write	Name:	T8062
Value: 0
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	write	Name:	UpdateBackground
Value: 1
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:	write	Name:	SystemRestorePointCreationFrequency
Value: 0
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	CCleaner PostInstall
Value:
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	write	Name:	FTU
Value: 06/02/2024\|3\|1
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	delete value	Name:	GUID
Value:
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	delete value	Name:	GD
Value:
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	delete value	Name:	SetupGD
Value:
(PID) Process:	(5796) CCleaner64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation:	write	Name:	NumOfOutdatedDrivers
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5796	CCleaner64.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms~RF4019d9.TMP		binary
		MD5:715D03F2C851242AE02F082C92170337	SHA256:52F9047E9A072554A68045FD0215B8484C2D6D758FEE82543FBAA7C7F7D163D9
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		der
		MD5:AA94825D7DAE9B3C35CD2C70B88D542B	SHA256:C2AE99E261DFDED179BDA2AD4E010F7745B0E0F32839C81AD5393FC7BB7FC0D0
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:E2D3BA295C2729F9AF439A57D02C35D6	SHA256:168627ADB541986FDC5737417EEADC8297F921018654518A5E1C605BFA17A237
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:1461FE766D7EBD3C78D43898742D1883	SHA256:2F3F2925676C04EBF896ACBBC72FBBFBFC0744659AC2E750F21010B7530E3DF8
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E		binary
		MD5:514859A4A02A76E653ABC2BF4B8732A3	SHA256:05BBF42A8DCD592F1CF66A50CA1890423E3CAE46ADD573B42B5B43994DA74328
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		binary
		MD5:D6A702E8FC7844543EDD438B028BD5F8	SHA256:9E9640E923BD0A8047C02C8E52D4F98CE8D5FD7B2B1EBCA36929A2B9E389F3E6
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A461D16A056E9EB6275257364F177E4A_C668EFABF322488FA790BDC6CFF05CE6		binary
		MD5:5863AD096827F0E423F09BBC2DCEAF33	SHA256:3B857F8296898741CA4BDBCA68A100EE0082B9995B55E0B088E11880DBB19828
5796	CCleaner64.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms		binary
		MD5:A20853337CF2831859670AD28D85934D	SHA256:8E2D31784D2747C78CB6C20E44647A56BB081BE61B6AADE9475B9A4E725A90B5
5796	CCleaner64.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\info[2].json		binary
		MD5:42CE0E9A12C021994C0A7142FFDD578F	SHA256:F354F70476CCDE038494F8A4AFA99B7AC982FD6357EDB34C1AFD5524C6672D15
5796	CCleaner64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E		binary
		MD5:F37D5530B80D4C5BC707D89ECE4BCEEA	SHA256:5847941890877C97AB48D228D2AECE57CFC2DD19DB5AEE1BA063025821BE634D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1328	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2584	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5476	CCleaner64.exe	GET	200	2.19.126.142:80	http://ncc.avast.com/ncc.txt	unknown	—	—	whitelisted
3256	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5796	CCleaner64.exe	GET	200	142.250.181.227:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
5796	CCleaner64.exe	GET	200	142.250.186.163:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
5796	CCleaner64.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
3256	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5796	CCleaner64.exe	GET	200	2.19.126.142:80	http://ncc.avast.com/ncc.txt	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
876	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4324	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6328	Tetris_[1MB]_[unsign].exe	104.21.66.23:443	persuaddetwj.biz	CLOUDFLARENET	—	unknown
1328	svchost.exe	40.126.32.136:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
google.com	142.250.185.238	whitelisted
persuaddetwj.biz	104.21.66.23 172.67.155.82	unknown
login.live.com	40.126.32.136 40.126.32.76 20.190.160.20 20.190.160.14 40.126.32.138 20.190.160.17 20.190.160.22 40.126.32.134	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5796	CCleaner64.exe	Misc activity	ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI

Add for printing

Process	Message
CCleaner64.exe	[2024-10-07 20:42:30.761] [error ] [settings ] [ 5796: 5996] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe	[2024-10-07 20:42:30.761] [error ] [ini_access ] [ 5796: 5996] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe	Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe	OnLanguage - en
CCleaner64.exe	[2024-10-07 20:42:31.464] [error ] [settings ] [ 5796: 3876] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe	[2024-10-07 20:42:31.479] [error ] [Burger ] [ 5796: 3876] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe	[2024-10-07 20:42:31.479] [error ] [Burger ] [ 5796: 3876] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe	file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe	file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe	startCheckingLicense()

General Info

Tetris_[1MB]_[unsign].exe

1A5D71C3599527FB28C664D6CEAC31A7

6E8F3B75B3BB10ACC516FF66D9C11158C8E50AD9

03E63519DB141D06B6B05AF9A9BCD0F9A908DAEDE372E8A7122285656D216A62

49152:vTcWF3TyGbyjvSgl+iiF5iSPgQleHgHXuYZpdABsTTBZZnSYPd/Ur9o4:ZUCFjTBZZSYPd8Bo4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA has been detected (YARA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Application launched itself

Executable content was dropped or overwritten

Checks for external IP

INFO

Reads the software policy settings

Checks supported languages

Manual execution by a user

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings