File name: visus808.zip
Full analysis: https://app.any.run/tasks/a4347a94-51dd-406f-96bc-eafbce71726d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: November 28, 2023, 12:23:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EB299415A6E71BD37D445E98846818A4
SHA1: 4280920B500E17B8CBFCECC898D9558901A6A436
SHA256: 042C1EEC17FE3E40D8029DFBD6054AB13C51AE7ABE81CA6D77DFEDE1FBE6DD1E
SSDEEP: 98304:ZFkoTFiR9vHMjMcKCvmJGs3Q+bmTKfKBls38V/LsTdmZPNPnpakNTOjZw4oVbhYK:HMs5w4LKAdg+tZZjr/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 2432)
      • Setup1.exe (PID: 2204)
      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
      • msiexec.exe (PID: 3364)
    • Creates files in the Startup directory

      • setup.exe (PID: 2432)
    • Creates a writable file in the system directory

      • setup.exe (PID: 2432)
    • Actions look like stealing of personal data

      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Steals credentials from Web Browsers

      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • setup.exe (PID: 2432)
      • Setup.exe (PID: 4076)
      • WinRAR.exe (PID: 2692)
    • Searches for installed software

      • Setup1.exe (PID: 2204)
      • Setup.exe (PID: 4076)
      • dllhost.exe (PID: 2892)
      • CCleaner.exe (PID: 2940)
      • CCleaner.exe (PID: 1864)
    • Creates files like ransomware instruction

      • WinRAR.exe (PID: 2692)
    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Reads the Internet Settings

      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 3912)
      • CCleaner.exe (PID: 3540)
      • CCleaner.exe (PID: 2940)
      • CCleaner.exe (PID: 1864)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3716)
    • Checks Windows Trust Settings

      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Reads settings of System Certificates

      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Application launched itself

      • CCleaner.exe (PID: 3540)
      • CCleaner.exe (PID: 3912)
    • Reads Internet Explorer settings

      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3364)
    • Reads Microsoft Outlook installation path

      • CCleaner.exe (PID: 2940)
      • CCleaner.exe (PID: 1864)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 2848)
      • setup.exe (PID: 2432)
      • Setup1.exe (PID: 2204)
      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 3540)
      • CCleaner.exe (PID: 3912)
      • visustin.exe (PID: 3856)
      • CCleaner.exe (PID: 2940)
      • CCleaner.exe (PID: 1864)
      • msiexec.exe (PID: 3364)
      • msiexec.exe (PID: 2584)
      • wmpnscfg.exe (PID: 4956)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2848)
      • setup.exe (PID: 2432)
      • Setup1.exe (PID: 2204)
      • visustin.exe (PID: 3856)
      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 3912)
      • CCleaner.exe (PID: 3540)
      • msiexec.exe (PID: 3364)
      • CCleaner.exe (PID: 2940)
      • msiexec.exe (PID: 2584)
      • wmpnscfg.exe (PID: 4956)
      • CCleaner.exe (PID: 1864)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 2848)
      • Setup1.exe (PID: 2204)
      • visustin.exe (PID: 3856)
      • Setup.exe (PID: 4076)
      • CCleaner.exe (PID: 2940)
      • msiexec.exe (PID: 3364)
      • CCleaner.exe (PID: 1864)
      • msiexec.exe (PID: 2584)
      • wmpnscfg.exe (PID: 4956)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2848)
      • WINWORD.EXE (PID: 2316)
      • visustin.exe (PID: 3856)
      • WINWORD.EXE (PID: 3624)
      • setup.exe (PID: 1444)
      • WINWORD.EXE (PID: 3288)
      • setup.exe (PID: 2432)
      • CCleaner.exe (PID: 3540)
      • CCleaner.exe (PID: 3912)
      • msedge.exe (PID: 3008)
      • AcroRd32.exe (PID: 148)
      • wmpnscfg.exe (PID: 4956)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2692)
      • RdrCEF.exe (PID: 448)
    • Creates files or folders in the user directory

      • setup.exe (PID: 2432)
      • visustin.exe (PID: 3856)
      • CCleaner.exe (PID: 2940)
      • CCleaner.exe (PID: 1864)
    • Creates files in a temporary directory

      • Setup1.exe (PID: 2204)
      • visustin.exe (PID: 3856)
      • setup.exe (PID: 2432)
      • Setup.exe (PID: 4076)
    • Creates files in the program directory

      • Setup1.exe (PID: 2204)
      • CCleaner.exe (PID: 1864)
    • Reads Microsoft Office registry keys

      • Setup.exe (PID: 4076)
      • msiexec.exe (PID: 3364)
    • Reads Environment values

      • CCleaner.exe (PID: 3540)
      • CCleaner.exe (PID: 3912)
      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Reads CPU info

      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Reads product name

      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
    • Application launched itself

      • msedge.exe (PID: 3008)
      • msiexec.exe (PID: 3364)
      • AcroRd32.exe (PID: 148)
      • RdrCEF.exe (PID: 448)
    • Checks proxy server information

      • CCleaner.exe (PID: 1864)
      • CCleaner.exe (PID: 2940)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2016:11:05 11:07:26
ZipCRC: 0x2e912f1d
ZipCompressedSize: 3798
ZipUncompressedSize: 9775
ZipFileName: license.txt
Total processes: 102
Monitored processes: 43
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Process chain as shown in the graph, in order (entries the report marks "no specs" are shown as such; "×N" abbreviates N consecutive identical entries): winrar.exe (no specs), wmpnscfg.exe (no specs), setup.exe (no specs), setup.exe, setup1.exe (no specs), visustin.exe (no specs), winword.exe (no specs) ×3, appwiz.cpl (no specs), setup.exe (no specs), vssvc.exe (no specs), ccleaner.exe (no specs) ×2, ccleaner.exe ×2, msiexec.exe (no specs), msedge.exe, msedge.exe (no specs), msiexec.exe (no specs), acrord32.exe, acrord32.exe (no specs), msedge.exe (no specs), msedge.exe, msedge.exe (no specs) ×4, rdrcef.exe, rdrcef.exe (no specs) ×5, msedge.exe (no specs) ×8, wmpnscfg.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process (followed by process details and loaded modules)
PID: 148
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: explorer.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Exit code: 0
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 448
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 0
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1088
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1156,1453779040297304358,3571996932041001642,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=11667735053350490858 --mojo-platform-channel-handle=1212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1364
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1156,1453779040297304358,3571996932041001642,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7995584911506000907 --renderer-client-id=6 --mojo-platform-channel-handle=1500 --allow-no-sandbox-job /prefetch:1
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 0
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1416
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1400,i,2376815059249479714,4443376142882865717,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1444
CMD: "C:\Users\admin\Desktop\setup.exe"
Path: C:\Users\admin\Desktop\setup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Setup Bootstrap for Visual Basic Setup Toolkit
Exit code: 3221226540 (NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance exited without doing any work; the file-dropping setup.exe in the signature list runs as PID 2432)
Version: 6.00.9782
Modules (images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
PID: 1612
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xdc,0x5db9f598,0x5db9f5a8,0x5db9f5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1864
CMD: "C:\Program Files\CCleaner\CCleaner.exe" /uac
Path: C:\Program Files\CCleaner\CCleaner.exe
Parent process: CCleaner.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: HIGH
Description: CCleaner
Exit code: 0
Version: 6.14.0.10584
Modules (images):
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
PID: 1948
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1156,1453779040297304358,3571996932041001642,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=11855406857659894090 --mojo-platform-channel-handle=1208 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Exit code: 1
Version: 20.13.20064.405839
Modules (images):
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1992
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1400,i,2376815059249479714,4443376142882865717,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 69 230
Read events: 68 124
Write events: 777
Delete events: 329

Modification events

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2692) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2848) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4D7A1E58-76A4-4897-A544-BEC7FEE9603E}\{54CF9944-C7E5-40EF-8CDC-DCEB6F9A20E9}
Operation: delete key
Name: (default)
Value:

(PID) Process: (2848) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4D7A1E58-76A4-4897-A544-BEC7FEE9603E}
Operation: delete key
Name: (default)
Value:
Executable files: 77
Suspicious files: 1 107
Text files: 64
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2692 | WinRAR.exe | C:\Users\admin\Desktop\visustin.CAB | | |
2432 | setup.exe | C:\WINDOWS\visustin.CAB | | |
2692 | WinRAR.exe | C:\Users\admin\Desktop\readme.txt | text | 6AE9CA54BDE195082C74D5DEE012A7CA | 2C707D563FC9F556F0D7FC6DD62088849DBDEF2CEFE7E196E651434F8D9C6EB5
2692 | WinRAR.exe | C:\Users\admin\Desktop\Setup.Lst | ini | 6580BE5EA8BA136D2EE1F7C0FF500A4F | 739A6715E47830833BAB9F16AFB1E926E7EFDF39E314A175B96B38B255A2D96A
2432 | setup.exe | C:\WINDOWS\ST6UNST.000 | text | 9940604D92C6460226F33C3EFF667846 | A60E84F4CE6F1FC0742D797571F89FB9D329603BDC0C4021E20ABF1E4729F5C6
2432 | setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST6UNST Uninstaller.LNK | binary | 20EA4292D233D98A8491BA40E4C943AB | 9806EA9B7B17755115161088BCE090478EF3E1D59064E37B50B71205AEFA6B04
2432 | setup.exe | C:\WINDOWS\temp.000 | executable | 231B64E93495E236493CAD77D1E79BA3 | 1690431CD28081BFBF186CA92600B1AD73E2F70CFA2D00E338D15A36A035D57A
2204 | Setup1.exe | C:\Program Files\Visustin Demo\temp.000 | executable | 543E8A607FCFC7908250842C75DEE0A9 | 882568A11B737830D3DBF03D74FD27125FBC12A8328B226740F7A77FCF021798
2204 | Setup1.exe | C:\Program Files\Visustin Demo\visustin.chm | binary | 598452329D606B10DCD01D1D26EABF7F | 061321F0BB6D98F39978FC2A810C885A42CBF453EC83ACE2909BEBD887ECD223
2204 | Setup1.exe | C:\Users\admin\AppData\Local\Temp\msftqws.pdw\visustin.chm | binary | 598452329D606B10DCD01D1D26EABF7F | 061321F0BB6D98F39978FC2A810C885A42CBF453EC83ACE2909BEBD887ECD223
HTTP(S) requests: 24
TCP/UDP connections: 67
DNS requests: 69
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2940 | CCleaner.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
1864 | CCleaner.exe | GET | 200 | 2.19.126.75:80 | http://ncc.avast.com/ncc.txt | unknown | text | 26 b | unknown
2940 | CCleaner.exe | GET | 200 | 2.19.126.75:80 | http://ncc.avast.com/ncc.txt | unknown | text | 26 b | unknown
2940 | CCleaner.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c14e5796731a36d8 | unknown | compressed | 4.66 Kb | unknown
1864 | CCleaner.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7104e14b84309bfd | unknown | compressed | 4.66 Kb | unknown
1864 | CCleaner.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3a2ec6c4922a44de | unknown | compressed | 4.66 Kb | unknown
1864 | CCleaner.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1227cc0b93237e48 | unknown | compressed | 4.66 Kb | unknown
2940 | CCleaner.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/s/gts1d4/VcE3oVK8Y7w/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQCazWGSsgPbSQnI0sPJ6DzW | unknown | binary | 472 b | unknown
2940 | CCleaner.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f7598789e9e593c2 | unknown | compressed | 4.66 Kb | unknown
1080 | svchost.exe | GET | 200 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?68f52e492152febd | unknown | compressed | 4.66 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
868 | svchost.exe | 95.101.148.135:80 | armmf.adobe.com | Akamai International B.V. | NL | unknown
1864 | CCleaner.exe | 2.19.126.75:80 | ncc.avast.com | Akamai International B.V. | DE | unknown
2940 | CCleaner.exe | 2.19.126.75:80 | ncc.avast.com | Akamai International B.V. | DE | unknown
3008 | msedge.exe | 239.255.255.250:1900 | | | | unknown
2940 | CCleaner.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
1864 | CCleaner.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
3720 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
3720 | msedge.exe | 204.79.197.203:443 | ntp.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
armmf.adobe.com | 95.101.148.135, 184.30.20.134 | whitelisted
ncc.avast.com | 2.19.126.75, 2.19.126.86 | whitelisted
analytics.ff.avast.com | 34.117.223.223 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
ntp.msn.com | 204.79.197.203 | whitelisted
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
assets.msn.com | 2.23.209.6, 2.23.209.18, 2.23.209.4, 2.23.209.3, 2.23.209.5, 2.23.209.10, 2.23.209.17, 2.23.209.9, 2.23.209.12 | whitelisted
deff.nelreports.net | 2.19.126.77, 2.19.126.74 | whitelisted
img-s-msn-com.akamaized.net | 2.19.126.157, 2.19.126.146 | whitelisted
sb.scorecardresearch.com | 13.32.99.23, 13.32.99.21, 13.32.99.105, 13.32.99.90 | shared

Threats

No threats detected

Process / Message

CCleaner.exe: [2023-11-28 12:26:44.251] [error ] [settings ] [ 2940: 2132] [6000C4: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner.exe: [2023-11-28 12:26:44.266] [error ] [settings ] [ 1864: 3848] [6000C4: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner.exe: Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe: Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe: OnLanguage - en
CCleaner.exe: OnLanguage - en
CCleaner.exe: [2023-11-28 12:26:46.579] [error ] [settings ] [ 2940: 3196] [9434E9: 359] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner.exe: [2023-11-28 12:26:46.594] [error ] [settings ] [ 1864: 3036] [9434E9: 359] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner.exe: [2023-11-28 12:26:46.626] [error ] [Burger ] [ 2940: 3196] [FDA25D: 244] [23.1.806.0] [BurgerReporter.cpp] [244] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner.exe: [2023-11-28 12:26:46.626] [error ] [Burger ] [ 2940: 3196] [FDA25D: 244] [23.1.806.0] [BurgerReporter.cpp] [244] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)