General Info

File name

SCAN_8986621.ace

Full analysis
https://app.any.run/tasks/ee1c5c67-a394-4af9-ad65-c97563b06533
Verdict
Malicious activity
Analysis date
1/11/2019, 10:08:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
pony
fareit
opendir
Indicators:

MIME:
application/octet-stream
File info:
ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5

f7d6ea73f2427181903f2b690513539e

SHA1

00c64609a37d7eedffca71fc44615d51765eb982

SHA256

41314d8e9be87aa3a658ef580e8eab9fbf3c675e00afa3ee0c20a099cb95dfa0

SSDEEP

6144:n7DlG8l41NEniB7EeTkge+xHKUJpvIkXK45IX8PtSl7Wm3EVH2F3olzKERT7d+XX:nfQzN3B7EFGKEIu57PtSJEVHg3gT7oH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • SCAN 8986621.scr (PID: 2448)
  • filename.scr (PID: 3496)
  • filename.scr (PID: 4008)
Connects to CnC server
  • filename.scr (PID: 3496)
Detected Pony/Fareit Trojan
  • filename.scr (PID: 3496)
Changes the autorun value in the registry
  • WScript.exe (PID: 3828)
  • CCleaner.exe (PID: 2988)
Loads the Task Scheduler COM API
  • CCleaner.exe (PID: 3044)
  • CCleaner.exe (PID: 2988)
Actions looks like stealing of personal data
  • CCleaner.exe (PID: 1412)
  • filename.scr (PID: 3496)
  • CCleaner.exe (PID: 2988)
Starts itself from another location
  • SCAN 8986621.scr (PID: 2448)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 2940)
  • SCAN 8986621.scr (PID: 2448)
Executes scripts
  • SCAN 8986621.scr (PID: 2448)
Starts CMD.EXE for commands execution
  • filename.scr (PID: 3496)
Application launched itself
  • filename.scr (PID: 4008)
  • CCleaner.exe (PID: 1412)
Starts application with an unusual extension
  • filename.scr (PID: 4008)
  • SCAN 8986621.scr (PID: 2448)
Reads Internet Cache Settings
  • CCleaner.exe (PID: 1412)
Reads internet explorer settings
  • CCleaner.exe (PID: 1412)
  • CCleaner.exe (PID: 2988)
Reads the cookies of Google Chrome
  • CCleaner.exe (PID: 1412)
Reads the cookies of Mozilla Firefox
  • CCleaner.exe (PID: 1412)
Low-level read access rights to disk partition
  • CCleaner.exe (PID: 1412)
Creates files in the user directory
  • CCleaner.exe (PID: 1412)
Reads settings of System Certificates
  • CCleaner.exe (PID: 1412)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.ace
|   ACE compressed archive (100%)

Screenshots

Processes

Total processes
42
Monitored processes
9
Malicious processes
5
Suspicious processes
0

Behavior graph

+
start drop and start winrar.exe scan 8986621.scr wscript.exe filename.scr no specs #PONY filename.scr cmd.exe no specs ccleaner.exe no specs ccleaner.exe ccleaner.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2940
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SCAN_8986621.ace"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\program files\winrar\unacev2.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2448
CMD
"C:\Users\admin\Desktop\SCAN 8986621.scr" /S
Path
C:\Users\admin\Desktop\SCAN 8986621.scr
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
yearnfulness
Description
remonstrance
Version
8.07.0004
Modules
Image
c:\users\admin\desktop\scan 8986621.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wscript.exe
c:\users\admin\appdata\local\temp\subfolder\filename.scr

PID
3828
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
SCAN 8986621.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll

PID
4008
CMD
"C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr
Indicators
No indicators
Parent process
SCAN 8986621.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
yearnfulness
Description
remonstrance
Version
8.07.0004
Modules
Image
c:\users\admin\appdata\local\temp\subfolder\filename.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID
3496
CMD
C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr
Indicators
Parent process
filename.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
yearnfulness
Description
remonstrance
Version
8.07.0004
Modules
Image
c:\users\admin\appdata\local\temp\subfolder\filename.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msi.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\samlib.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll

PID
3932
CMD
cmd /c ""C:\Users\admin\AppData\Local\Temp\2487531.bat" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
filename.scr
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3044
CMD
"C:\Program Files\CCleaner\CCleaner.exe"
Path
C:\Program Files\CCleaner\CCleaner.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Piriform Ltd
Description
CCleaner
Version
5, 35, 0, 6210
Modules
Image
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\winsta.dll

PID
1412
CMD
"C:\Program Files\CCleaner\CCleaner.exe" /uac
Path
C:\Program Files\CCleaner\CCleaner.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Piriform Ltd
Description
CCleaner
Version
5, 35, 0, 6210
Modules
Image
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2988
CMD
"C:\Program Files\CCleaner\CCleaner.exe" /monitor
Path
C:\Program Files\CCleaner\CCleaner.exe
Indicators
Parent process
CCleaner.exe
User
admin
Integrity Level
HIGH
Version:
Company
Piriform Ltd
Description
CCleaner
Version
5, 35, 0, 6210
Modules
Image
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

Registry activity

Total events
1783
Read events
1548
Write events
235
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2940
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\SCAN_8986621.ace
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Count
0
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Name
542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B44545659482F2E2F212125263976747217171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Size
409276
2940
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@shell32,-10162
Screen saver
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Name
542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B44545659482F2E2F212125263976747217172F166D141F4E2F1717151717171717171517FB1717171717D780EB161717171717076B0417176D1417171737174E2F170F176B0408176B0413171737E37B0C1717151713170717170F176B04FB41E91717176D1414171717F37C0C17F37B0C172F660C17FAF7ED61CB17CB16E9E8E8E80F161760D8E8E86137176B040217171716171717171717370617171737171717037A0C175371EA61B8C823627B1417175B7A0C17437A0C171F171717191717170F171717141717171717171716800F607F7A0C171617171753660C17171517175717171717171717C343EA611717171717171717171717174F3E3014877A0C1753660C17131717171717171717171717B6C63014BA07882B1B7A0C1700
2448
SCAN 8986621.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2448
SCAN 8986621.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3828
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Registry Key Name
C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs -rr
3496
filename.scr
write
HKEY_CURRENT_USER\Software\WinRAR
HWID
7B32444142363531462D314246302D343739462D414432332D4532423532364531393746307D
3496
filename.scr
write
HKEY_CURRENT_USER\Software\WinRAR
Client Hash
6DB1FAF5BC392564DA7EFEF33127736C
3496
filename.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3496
filename.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WipeFreeSpaceDrives
C:\
1412
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
CookiesToSave
*.piriform.com|facebook.com|google.com
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
RunICS
0
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersion
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
UpdateKey
01/11/2019 09:10:08 AM
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersion
5.51.6939
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WINDOW_LEFT
240
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WINDOW_TOP
46
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WINDOW_WIDTH
800
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WINDOW_HEIGHT
600
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WINDOW_MAX
0
1412
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
SystemMonitoringRunningNotification
1
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
Monitoring
1
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CCleaner Monitoring
"C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
SystemMonitoring
1
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersionNotification
1
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersionNotification
0
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LastMonitoringShowNewVersion
5.51.6939|01/11/2019 09:10:09 AM
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LastMonitoringNotificationTime
01/11/2019 09:10:09 AM
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LMN
2|3|0|0|0|0|4|0|0|0||||
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
SystemMonitoringRunningNotification
0
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LastMonitoringNotificationTime
01/11/2019 09:10:17 AM
2988
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LMN
2|3|0|0|0|0|1|0|0|0||||

Files activity

Executable files
2
Suspicious files
5
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.21316\SCAN 8986621.scr
executable
MD5: 20d72d56fbf0502bbbe2f2842fcaeb5d
SHA256: 6fe522dcf61e1de1e9e443f1ed65171d0c8113c2233fd0fea8542ee34961fec0
2448
SCAN 8986621.scr
C:\Users\admin\AppData\Local\Temp\subfolder\filename.scr
executable
MD5: 20d72d56fbf0502bbbe2f2842fcaeb5d
SHA256: 6fe522dcf61e1de1e9e443f1ed65171d0c8113c2233fd0fea8542ee34961fec0
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF2607a8.TMP
binary
MD5: 9c3eb1a379e6c25915e1993178687d13
SHA256: cefcdbd5cc642924f4277231a2f33a72d0a0d173d75938233d78b91e8c17f69f
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3JY64Q4KFU8P0I658V4X.temp
––
MD5:  ––
SHA256:  ––
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms
binary
MD5: 9c3eb1a379e6c25915e1993178687d13
SHA256: cefcdbd5cc642924f4277231a2f33a72d0a0d173d75938233d78b91e8c17f69f
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y6XW0PXX9U0EBE0FRIUV.temp
––
MD5:  ––
SHA256:  ––
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite-shm
––
MD5:  ––
SHA256:  ––
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
––
MD5:  ––
SHA256:  ––
3496
filename.scr
C:\Users\admin\AppData\Local\Temp\2487531.bat
text
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
4008
filename.scr
C:\Users\admin\AppData\Local\Temp\~DF411A57D83218BD7C.TMP
binary
MD5: 6c2e7c7b144698b5faffc2ee26b0d2ba
SHA256: ae9dd023606e65069fed4c17312d53ccdd73ae6af5a413067a2075e5fcd3cad6
2448
SCAN 8986621.scr
C:\Users\admin\AppData\Local\Temp\~DF906C577B358C9D41.TMP
binary
MD5: 6c2e7c7b144698b5faffc2ee26b0d2ba
SHA256: ae9dd023606e65069fed4c17312d53ccdd73ae6af5a413067a2075e5fcd3cad6
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF261d62.TMP
binary
MD5: 9c3eb1a379e6c25915e1993178687d13
SHA256: cefcdbd5cc642924f4277231a2f33a72d0a0d173d75938233d78b91e8c17f69f
2448
SCAN 8986621.scr
C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs
text
MD5: 2b1021fbd908ba5087757860e78b2c68
SHA256: 8ac74f1c33f1172e58eff6a85a581a1122f4b3c65496e9bdbf6c9ea9a4c40e30
1412
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GR5UIGKYX5ULRWMXAGHY.temp
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
3
Threats
16

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3496 filename.scr POST 200 142.44.241.84:80 http://software-updater.uk/austin/pony/gate.php CA
binary
binary
malicious
3496 filename.scr GET 404 142.44.241.84:80 http://software-updater.uk/austin/pony/shit.exe CA
html
malicious
1412 CCleaner.exe GET 301 151.101.0.64:80 http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127 US
––
––
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3496 filename.scr 142.44.241.84:80 OVH SAS CA malicious
1412 CCleaner.exe 151.101.0.64:80 Fastly US whitelisted
1412 CCleaner.exe 151.101.0.64:443 Fastly US whitelisted
1412 CCleaner.exe 151.101.2.202:443 Fastly US unknown

DNS requests

Domain IP Reputation
software-updater.uk 142.44.241.84
malicious
www.piriform.com 151.101.0.64
151.101.64.64
151.101.128.64
151.101.192.64
whitelisted
www.ccleaner.com 151.101.2.202
151.101.66.202
151.101.130.202
151.101.194.202
whitelisted

Threats

PID Process Class Message
3496 filename.scr A Network Trojan was detected ET TROJAN Fareit/Pony Downloader Checkin 2
3496 filename.scr Potential Corporate Privacy Violation ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
3496 filename.scr Potential Corporate Privacy Violation ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
3496 filename.scr A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
3496 filename.scr A Network Trojan was detected MALWARE [PTsecurity] Pony encrypted POST Data Request
3496 filename.scr A Network Trojan was detected ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
3496 filename.scr Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
3496 filename.scr A Network Trojan was detected MALWARE [PTsecurity] Pony encrypted C2 Response
3496 filename.scr A Network Trojan was detected MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse
3496 filename.scr A Network Trojan was detected ET TROJAN Fareit/Pony Downloader Checkin 3
3496 filename.scr Potential Corporate Privacy Violation ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
3496 filename.scr A Network Trojan was detected ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
3496 filename.scr Potential Corporate Privacy Violation ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
3496 filename.scr A Network Trojan was detected SC TROJAN_DOWNLOADER Suspicious downloader - 404 Not Found for .exe
1412 CCleaner.exe A Network Trojan was detected SC MINER Miner Possible Bitcoin Miner Windows

1 ETPRO signatures available at the full report

Debug output strings

No debug info.