URL: https://download.cnet.com
Full analysis: https://app.any.run/tasks/9b759011-c00f-4474-868b-a4ee1db5e838
Verdict: Malicious activity
Analysis date: November 30, 2020, 04:41:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: C723A854F6DC861558ED1F1113640514
SHA1: EF6B096B4FD229FFA0D2DCDF11363856CD9C21CE
SHA256: 4E48F50212796E0E285D4A35AAF822C2DAE1D1325360CE9FB956BE82F03593E7
SSDEEP: 3:N8SElbKn:2SKmn
Note on these indicators: the SSDEEP value has block size 3 and only a handful of characters, so the object that was hashed is a few dozen bytes long. That matches the submitted URL text, not ccsetup570.exe or anything it dropped. Do not treat these hashes as a fingerprint of the installer; the hashes of the dropped files are only available in the full report.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ccsetup570.exe (PID: 3392)
      • ccsetup570.exe (PID: 3808)
      • avira_en_sptl1_329929279-1606711496__adwg.exe (PID: 4004)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
      • avira_en_sptl1_329929279-1606711496__adwg.exe (PID: 3188)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • Avira.OE.Setup.Prerequisites.exe (PID: 2692)
      • Avira.OE.Setup.Prerequisites.exe (PID: 2712)
      • Avira.ServiceHost.exe (PID: 2080)
      • ccsetup570.exe (PID: 904)
      • Avira.Systray.exe (PID: 2172)
      • Avira.Systray.exe (PID: 2952)
      • ccsetup570.exe (PID: 620)
      • avira_system_speedup.exe (PID: 2548)
      • Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 4056)
    • Loads dropped or rewritten executable

      • ccsetup570.exe (PID: 3808)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • rundll32.exe (PID: 3308)
      • rundll32.exe (PID: 3592)
      • rundll32.exe (PID: 3480)
      • rundll32.exe (PID: 2424)
      • rundll32.exe (PID: 3876)
      • rundll32.exe (PID: 2052)
      • rundll32.exe (PID: 3304)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 2828)
      • rundll32.exe (PID: 1704)
      • rundll32.exe (PID: 1068)
      • rundll32.exe (PID: 3324)
      • rundll32.exe (PID: 2552)
      • Avira.ServiceHost.exe (PID: 2080)
      • rundll32.exe (PID: 3044)
      • rundll32.exe (PID: 2924)
      • Avira.Systray.exe (PID: 2172)
      • rundll32.exe (PID: 328)
      • rundll32.exe (PID: 4020)
      • rundll32.exe (PID: 1996)
      • Avira.Systray.exe (PID: 2952)
      • ccsetup570.exe (PID: 620)
      • Avira.SystemSpeedup.Core.Common.Starter.exe (PID: 4056)
    • Changes settings of System certificates

      • ccsetup570.exe (PID: 3808)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • Avira.ServiceHost.exe (PID: 2080)
    • Actions looks like stealing of personal data

      • ccsetup570.exe (PID: 3808)
      • Avira.ServiceHost.exe (PID: 2080)
    • Drops executable file immediately after starts

      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • rundll32.exe (PID: 2424)
      • rundll32.exe (PID: 3308)
      • rundll32.exe (PID: 3480)
      • rundll32.exe (PID: 2052)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 2828)
      • rundll32.exe (PID: 1068)
      • rundll32.exe (PID: 2552)
      • rundll32.exe (PID: 3044)
      • rundll32.exe (PID: 2924)
      • rundll32.exe (PID: 4020)
      • rundll32.exe (PID: 328)
      • rundll32.exe (PID: 1996)
      • avira_system_speedup.tmp (PID: 2340)
      • avira_system_speedup.exe (PID: 2548)
      • cmd.exe (PID: 1140)
    • Changes the autorun value in the registry

      • Avira.OE.Setup.Bundle.exe (PID: 2588)
    • Uses Task Scheduler to run other applications

      • MsiExec.exe (PID: 2488)
      • avira_system_speedup.tmp (PID: 2340)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2424)
      • schtasks.exe (PID: 1792)
      • schtasks.exe (PID: 2524)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • chrome.exe (PID: 2236)
      • MsiExec.exe (PID: 2488)
    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2236)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • rundll32.exe (PID: 2424)
      • rundll32.exe (PID: 3308)
      • rundll32.exe (PID: 3480)
      • rundll32.exe (PID: 2052)
      • rundll32.exe (PID: 1716)
      • msiexec.exe (PID: 2984)
      • rundll32.exe (PID: 1068)
      • rundll32.exe (PID: 2828)
      • rundll32.exe (PID: 2552)
      • rundll32.exe (PID: 3044)
      • rundll32.exe (PID: 2924)
      • rundll32.exe (PID: 4020)
      • rundll32.exe (PID: 328)
      • rundll32.exe (PID: 1996)
      • avira_system_speedup.tmp (PID: 2340)
    • Drops a file that was compiled in debug mode

      • chrome.exe (PID: 2236)
      • ccsetup570.exe (PID: 3808)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
      • rundll32.exe (PID: 2424)
      • rundll32.exe (PID: 3308)
      • rundll32.exe (PID: 3480)
      • rundll32.exe (PID: 2052)
      • rundll32.exe (PID: 1716)
      • msiexec.exe (PID: 2984)
      • rundll32.exe (PID: 2828)
      • rundll32.exe (PID: 1068)
      • rundll32.exe (PID: 2552)
      • rundll32.exe (PID: 3044)
      • rundll32.exe (PID: 4020)
      • rundll32.exe (PID: 328)
      • rundll32.exe (PID: 2924)
      • rundll32.exe (PID: 1996)
      • avira_system_speedup.tmp (PID: 2340)
      • ccsetup570.exe (PID: 620)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2236)
      • ccsetup570.exe (PID: 3808)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • rundll32.exe (PID: 2424)
      • rundll32.exe (PID: 3308)
      • rundll32.exe (PID: 3480)
      • msiexec.exe (PID: 2984)
      • rundll32.exe (PID: 2052)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 2828)
      • rundll32.exe (PID: 1068)
      • rundll32.exe (PID: 2552)
      • rundll32.exe (PID: 3044)
      • rundll32.exe (PID: 4020)
      • rundll32.exe (PID: 328)
      • rundll32.exe (PID: 2924)
      • rundll32.exe (PID: 1996)
      • ccsetup570.exe (PID: 620)
      • avira_system_speedup.tmp (PID: 2340)
      • avira_system_speedup.exe (PID: 2548)
      • cmd.exe (PID: 1140)
    • Low-level read access rights to disk partition

      • ccsetup570.exe (PID: 3808)
      • ccsetup570.exe (PID: 620)
    • Adds / modifies Windows certificates

      • ccsetup570.exe (PID: 3808)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • Avira.ServiceHost.exe (PID: 2080)
    • Reads CPU info

      • ccsetup570.exe (PID: 3808)
      • ccsetup570.exe (PID: 620)
    • Starts application with an unusual extension

      • ccsetup570.exe (PID: 3808)
      • ccsetup570.exe (PID: 620)
    • Reads Environment values

      • ccsetup570.exe (PID: 3808)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • Avira.ServiceHost.exe (PID: 2080)
      • avira_system_speedup.tmp (PID: 2340)
      • ccsetup570.exe (PID: 620)
    • Reads internet explorer settings

      • ccsetup570.exe (PID: 3808)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
    • Reads the cookies of Mozilla Firefox

      • ccsetup570.exe (PID: 3808)
      • Avira.ServiceHost.exe (PID: 2080)
    • Reads the cookies of Google Chrome

      • ccsetup570.exe (PID: 3808)
      • Avira.ServiceHost.exe (PID: 2080)
    • Creates files in the user directory

      • ccsetup570.exe (PID: 3808)
      • Avira.ServiceHost.exe (PID: 2080)
    • Searches for installed software

      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • Avira.ServiceHost.exe (PID: 2080)
    • Creates files in the Windows directory

      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • Avira.ServiceHost.exe (PID: 2080)
      • avira_system_speedup.tmp (PID: 2340)
    • Starts itself from another location

      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
    • Creates a software uninstall entry

      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • rundll32.exe (PID: 1716)
      • rundll32.exe (PID: 3044)
    • Creates files in the program directory

      • Avira.OE.Setup.Bundle.exe (PID: 2588)
      • rundll32.exe (PID: 3592)
      • rundll32.exe (PID: 1704)
      • Avira.ServiceHost.exe (PID: 2080)
      • rundll32.exe (PID: 4020)
      • Avira.Systray.exe (PID: 2952)
      • cmd.exe (PID: 1140)
    • Changes IE settings (feature browser emulation)

      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • Avira.Systray.exe (PID: 2172)
      • Avira.Systray.exe (PID: 2952)
    • Removes files from Windows directory

      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 1768)
      • Avira.ServiceHost.exe (PID: 2080)
      • avira_en__329929279-1606711496__adwg-spotlight-default.exe (PID: 3724)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 2984)
      • avira_system_speedup.tmp (PID: 2340)
    • Drops a file with too old compile date

      • msiexec.exe (PID: 2984)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 2984)
    • Executed as Windows Service

      • Avira.ServiceHost.exe (PID: 2080)
    • Reads Windows owner or organization settings

      • avira_system_speedup.tmp (PID: 2340)
    • Reads the Windows organization settings

      • avira_system_speedup.tmp (PID: 2340)
    • Creates COM task schedule object

      • RegAsm.exe (PID: 2788)
    • Starts CMD.EXE for commands execution

      • avira_system_speedup.tmp (PID: 2340)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 2236)
      • msiexec.exe (PID: 2984)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2664)
      • chrome.exe (PID: 2236)
      • Avira.Spotlight.Bootstrapper.exe (PID: 2216)
      • ccsetup570.exe (PID: 3808)
      • rundll32.exe (PID: 3876)
      • Avira.ServiceHost.exe (PID: 2080)
    • Reads the hosts file

      • chrome.exe (PID: 2664)
      • chrome.exe (PID: 2236)
    • Manual execution by user

      • explorer.exe (PID: 3896)
      • ccsetup570.exe (PID: 904)
      • ccsetup570.exe (PID: 620)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2488)
      • msiexec.exe (PID: 2984)
      • avira_system_speedup.tmp (PID: 2340)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 2984)
    • Creates files in the program directory

      • msiexec.exe (PID: 2984)
      • avira_system_speedup.tmp (PID: 2340)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2984)
    • Application was dropped or rewritten from another process

      • avira_system_speedup.tmp (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 147
Monitored processes: 86
Malicious processes: 35
Suspicious processes: 1

Behavior graph

The graph is interactive in the full report; only its node labels survive in this extract. Processes shown, in the order the page lists them: chrome.exe (many child processes), rundll32.exe, ccsetup570.exe, nsc604.tmp, ping.exe, avira_en_sptl1_329929279-1606711496__adwg.exe, avira.spotlight.bootstrapper.exe, avira_en__329929279-1606711496__adwg-spotlight-default.exe, avira.oe.setup.bundle.exe, avira.oe.setup.prerequisites.exe, explorer.exe, msiexec.exe, rundll32.exe (MSI custom actions), schtasks.exe, avira.servicehost.exe, avira.systray.exe, avira_system_speedup.exe, avira_system_speedup.tmp, ns3d5d.tmp, regasm.exe, avira.systemspeedup.core.common.starter.exe, cmd.exe. Thirteen of the edges are labelled "drop and start"; which nodes they join is not recoverable from this extract.

Process information

PID: 328
CMD: rundll32.exe "C:\Windows\Installer\MSIBCA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1903546 235 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.ServiceHostLogFilesFolderAccess.SetServiceHostLogFileFolderAccess
Path: C:\Windows\system32\rundll32.exe
Parent process: MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 560
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,15907635839552640485,10760742883903349,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5774531414306062463 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 584
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,15907635839552640485,10760742883903349,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=522988911484476397 --mojo-platform-channel-handle=5124 --ignored=" --type=renderer " /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 620
CMD: "C:\Users\admin\Downloads\ccsetup570.exe"
Path: C:\Users\admin\Downloads\ccsetup570.exe
Parent process: explorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner Installer
Exit code:
0
Version:
5.70.0.7909
Modules
Images
c:\users\admin\downloads\ccsetup570.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 680
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,15907635839552640485,10760742883903349,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17014137983718327764 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 700
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,15907635839552640485,10760742883903349,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15265777124904587974 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 904
CMD: "C:\Users\admin\Downloads\ccsetup570.exe"
Path: C:\Users\admin\Downloads\ccsetup570.exe
Parent process: explorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner Installer
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch could not continue without elevation, which is consistent with PID 620 being the same installer relaunched at HIGH integrity after the UAC prompt)
Version:
5.70.0.7909
Modules
Images
c:\users\admin\downloads\ccsetup570.exe
c:\systemroot\system32\ntdll.dll
PID: 912
CMD: C:\Windows\system32\ping.exe -n 1 -w 1000 www.ccleaner.com
Path: C:\Windows\system32\ping.exe
Parent process: ns3D5D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 988
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,15907635839552640485,10760742883903349,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=8573637663415630482 --mojo-platform-channel-handle=3856 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 1068
CMD: rundll32.exe "C:\Windows\Installer\MSIC174.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1884515 171 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Configuration.SetGdprConsentDate
Path: C:\Windows\system32\rundll32.exe
Parent process: MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
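The two rundll32.exe command lines above (PIDs 328 and 1068) follow the WiX Deployment Tools Foundation (DTF) convention for managed MSI custom actions: msiexec.exe extracts a native shim to C:\Windows\Installer\MSI<hex>.tmp and invokes its zzzzInvokeManagedCustomActionOutOfProc export through rundll32.exe, passing a pipe name (SfxCA_<pid>), a handle number and the managed entry point as Assembly!Namespace.Type.Method. That is why the report tags every one of those rundll32.exe instances as loading a dropped executable. The Python below is an added example, not ANY.RUN's or Avira's code: it decodes that argument format, labels each call with the managed method it runs, and flags deviations from the benign pattern (a parent other than msiexec.exe, or a shim outside C:\Windows\Installer). The records for PIDs 328 and 1068 are the command lines from this report; the winword.exe and explorer.exe records are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WiX DTF (Deployment Tools Foundation) runs managed MSI custom actions out of process:
# msiexec.exe extracts a native shim to C:\Windows\Installer\MSI<hex>.tmp and starts
# rundll32.exe on its export zzzzInvokeManagedCustomActionOutOfProc. The arguments are a
# pipe name (SfxCA_<pid>), a handle number and the managed entry point written as
# Assembly!Namespace.Type.Method.
DTF_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"(?P<shim>[^"]*\\Installer\\MSI[0-9A-Fa-f]+\.tmp)",'
    r"zzzzInvokeManagedCustomActionOutOfProc\s+"
    r"(?P<pipe>SfxCA_\d+)\s+(?P<handle>\d+)\s+"
    r"(?P<assembly>[^!\s]+)!(?P<entry>\S+)$",
    re.IGNORECASE,
)


@dataclass
class CustomAction:
    pid: int
    parent: str
    shim: str
    pipe: str
    assembly: str
    entry: str

    @property
    def method(self) -> str:
        """Type.Method, the part an analyst searches for in the custom-action assembly."""
        return ".".join(self.entry.split(".")[-2:])


def parse_dtf_custom_action(pid: int, parent: str, cmdline: str) -> Optional[CustomAction]:
    """Decode a rundll32 command line, or return None if it is not a DTF custom action."""
    m = DTF_RE.match(cmdline.strip())
    if m is None:
        return None
    return CustomAction(pid, parent, m["shim"], m["pipe"], m["assembly"], m["entry"])


def triage(ca: CustomAction) -> List[str]:
    """Reasons to look closer; an empty list means the call matches the benign pattern:
    spawned by the Windows Installer service from a shim under the installer cache."""
    findings = []
    if ca.parent.lower() != "msiexec.exe":
        findings.append(f"parent is {ca.parent}, not msiexec.exe")
    if not ca.shim.lower().startswith("c:\\windows\\installer\\"):
        findings.append(f"shim {ca.shim} is outside C:\\Windows\\Installer")
    return findings


def analyse(records: List[Tuple[int, str, str]]) -> List[Tuple[int, str, List[str]]]:
    """(pid, Type.Method, findings) for every record that is a DTF custom action."""
    out = []
    for pid, parent, cmdline in records:
        ca = parse_dtf_custom_action(pid, parent, cmdline)
        if ca is not None:
            out.append((pid, ca.method, triage(ca)))
    return out


# Records 328 and 1068 are the command lines from this report. The winword.exe record is
# a constructed look-alike run from a user-writable path; the explorer.exe record is a
# constructed plain rundll32 call that the parser must ignore.
SAMPLE = [
    (328, "MsiExec.exe",
     r'rundll32.exe "C:\Windows\Installer\MSIBCA.tmp",zzzzInvokeManagedCustomActionOutOfProc '
     r"SfxCA_1903546 235 Avira.OE.Setup.CustomActions!"
     r"Avira.OE.Setup.CustomActions.ServiceHostLogFilesFolderAccess.SetServiceHostLogFileFolderAccess"),
    (1068, "MsiExec.exe",
     r'rundll32.exe "C:\Windows\Installer\MSIC174.tmp",zzzzInvokeManagedCustomActionOutOfProc '
     r"SfxCA_1884515 171 Avira.OE.Setup.CustomActions!"
     r"Avira.OE.Setup.CustomActions.Configuration.SetGdprConsentDate"),
    (9999, "winword.exe",
     r'rundll32.exe "C:\Users\admin\AppData\Local\Temp\Installer\MSI1.tmp",zzzzInvokeManagedCustomActionOutOfProc '
     r"SfxCA_4242 7 Loader!Loader.Run"),
    (4, "explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, method, findings in analyse(SAMPLE):
        print(pid, method, findings or "benign DTF pattern")
```

The parent check matters more than the export name: the shim and the argument format are public (any WiX-built installer produces them), so an attacker can reproduce the string, but the Windows Installer service is the only legitimate parent, and the shim always lives in the installer cache.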
Total events: 8 304
Read events: 7 535
Write events: 744
Delete events: 25

Modification events

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write, Name: failed_count, Value: 0

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write, Name: state, Value: 2

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation: write, Name: StatusCodes, Value: (empty)

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation: write, Name: StatusCodes, Value: 01000000

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write, Name: state, Value: 1

Process: chrome.exe (PID 2804)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: write, Name: 2236-13251184887899125, Value: 259

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write, Name: dr, Value: 1

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome
Operation: write, Name: UsageStatsInSample, Value: 0

Process: chrome.exe (PID 2236)
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: delete value, Name: 3252-13245750958665039, Value: 0

Process: chrome.exe (PID 2236)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write, Name: usagestats, Value: 0
Executable files: 315
Suspicious files: 304
Text files: 785
Unknown types: 35

Dropped files

The MD5 and SHA256 columns are blank for every entry in this extract; the file type is given where the page shows one.

PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FC477F8-8BC.pma
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\58125e93-3b8d-46d4-a7d4-f380e891494a.tmp
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old (type: text)
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF18d329.TMP (type: text)
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old (type: text)
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old (type: text)
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
PID 2236, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF18d50e.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 222
DNS requests: 143
Threats: 1

HTTP requests

Each row: PID, process, method, HTTP code, IP, URL, then (CN, type, size, reputation).

3808 ccsetup570.exe GET 200 151.101.0.64:80 http://service.piriform.com/installcheck.aspx?p=1&v=5.70.7909&vx=5.35.6210&l=1033&b=1&o=6.1W3&g=0&i=1&a=0&c=770&d=2&e=31&n=ccsetup570.exe&id=003&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-HZ8S&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gd=26becbe5-c9a9-47b6-b550-917d4a6baf85 (US, text, 4 b, whitelisted)
2664 chrome.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAKXB1YM1Knrv%2BJy8eCW2II%3D (US, der, 471 b, whitelisted)
1768 avira_en__329929279-1606711496__adwg-spotlight-default.exe GET 200 93.184.220.29:80 http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAhpwjriHwb%2BBA3oHNrcctU%3D (US, der, 471 b, whitelisted)
3808 ccsetup570.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D (US, der, 471 b, whitelisted)
3808 ccsetup570.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D (US, der, 471 b, whitelisted)
3808 ccsetup570.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D (US, der, 471 b, whitelisted)
3808 ccsetup570.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D (US, der, 471 b, whitelisted)
3808 ccsetup570.exe GET 200 172.217.21.195:80 http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFcLuT0XSrlKAgAAAACAVZE%3D (US, der, 471 b, whitelisted)
1044 svchost.exe GET 200 2.18.233.62:80 http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl (unknown, der, 813 b, whitelisted)
1768 avira_en__329929279-1606711496__adwg-spotlight-default.exe GET 200 93.184.220.29:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D (US, der, 471 b, whitelisted)

All but one of these are OCSP or CRL fetches made while validating Authenticode signatures. The exception is the plain-HTTP installcheck request from ccsetup570.exe, which sends the installer and product versions, the OS version (o=6.1W3), a key-style value (mk), a 64-hex-character value (mx) and a GUID (gd); the last three are per-install identifiers, so this request is enough to correlate installs of the same machine across runs.

Connections

Each row: PID, process, IP:port, domain, then (ASN, CN, reputation).

2664 chrome.exe 172.217.16.205:443 accounts.google.com (Google Inc., US, whitelisted)
2664 chrome.exe 104.16.148.64:443 cdn.cookielaw.org (Cloudflare Inc, US, unknown)
2664 chrome.exe 151.101.13.188:443 download.cnet.com (Fastly, US, malicious)
2664 chrome.exe 151.101.129.188:443 [domain not shown] (Fastly, US, unknown)
2664 chrome.exe 172.217.21.202:443 safebrowsing.googleapis.com (Google Inc., US, whitelisted)
2664 chrome.exe 13.224.190.125:443 static.chartbeat.com (ASN not shown, US, unknown)
2664 chrome.exe 104.75.88.141:443 c.go-mpulse.net (Akamai Technologies, Inc., NL, unknown)
2664 chrome.exe 104.20.184.68:443 geolocation.onetrust.com (Cloudflare Inc, US, shared)
2664 chrome.exe 216.58.212.162:443 securepubads.g.doubleclick.net (Google Inc., US, whitelisted)
2664 chrome.exe 151.101.194.202:443 mab.chartbeat.com (Fastly, US, suspicious)

DNS requests

Each row: domain, resolved IP(s), reputation.

download.cnet.com: 151.101.13.188 (whitelisted)
accounts.google.com: 172.217.16.205 (shared)
dl1.cbsistatic.com: 151.101.13.188 (whitelisted)
safebrowsing.googleapis.com: 172.217.21.202 (whitelisted)
cdn.cookielaw.org: 104.16.148.64, 104.16.149.64 (whitelisted)
cmg1.cbsistatic.com: 151.101.13.188 (unknown)
c.go-mpulse.net: 104.75.88.141 (whitelisted)
at.cbsi.com: 143.204.215.12, 143.204.215.61, 143.204.215.67, 143.204.215.72 (suspicious)
securepubads.g.doubleclick.net: 216.58.212.162 (whitelisted)
static.chartbeat.com: 13.224.190.125 (whitelisted)

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Debug output strings

Each row: process, message.

avira_en__329929279-1606711496__adwg-spotlight-default.exe: Launcher Install Start
avira_en__329929279-1606711496__adwg-spotlight-default.exe: Launcher Install Start
Avira.ServiceHost.exe: SQLite error (2570): os_win.c:42430: (32) winDelete(C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal) - The process cannot access the file because it is being used by another process.
Avira.ServiceHost.exe: SQLite error (2570): os_win.c:42430: (32) winDelete(C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal) - The process cannot access the file because it is being used by another process.
Avira.ServiceHost.exe: SQLite notice (539): recovered 3 pages from C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
Avira.ServiceHost.exe: SQLite error (2570): disk I/O error
avira_en__329929279-1606711496__adwg-spotlight-default.exe: Launcher Install End
avira_en__329929279-1606711496__adwg-spotlight-default.exe: ~WebBrowser: Finished
avira_en__329929279-1606711496__adwg-spotlight-default.exe: ~WebBrowser: Finished
avira_system_speedup.tmp: *** Initialize
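The signature "Reads the cookies of Google Chrome" on Avira.ServiceHost.exe (PID 2080) is corroborated by the SQLite messages above: the service opened Chrome's cookie database while Chrome (PID 2236) still held it, hence the winDelete failure on Cookies-journal and the rollback-journal recovery. Whether that is acceptable behaviour for a bundled "system speedup" product is a policy decision; the following Python is an added example, not part of this report or of any vendor's code, showing how to turn such log lines into a finding. It extracts Windows paths from free-text messages, matches the file name against a list of browser cookie and credential stores, and reports every non-browser process that touched one. The Avira.ServiceHost.exe events reproduce the report's debug strings; the chrome.exe and updater.exe events are constructed to exercise the browser allowlist and a second store type.

```python
import re
from typing import Dict, List, Set, Tuple

# A Windows path inside a free-text message: drive letter, backslash, then everything up
# to a delimiter the report puts around paths (parenthesis, quote or end of line).
# Spaces must be allowed because Chrome's profile lives under "User Data".
PATH_RE = re.compile(r"[A-Za-z]:\\[^()\"'\r\n]+")

# Browser cookie and credential stores, keyed by lowercase file name.
SENSITIVE_STORES: Dict[str, str] = {
    "cookies": "Chromium cookie database",
    "cookies-journal": "Chromium cookie database (SQLite rollback journal)",
    "login data": "Chromium saved passwords",
    "web data": "Chromium autofill and payment data",
    "cookies.sqlite": "Firefox cookie database",
    "logins.json": "Firefox saved passwords",
    "key4.db": "Firefox password key store",
}

# Processes allowed to open their own stores.
BROWSER_PROCESSES: Set[str] = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def sensitive_paths(message: str) -> List[Tuple[str, str]]:
    """(path, description) for each path in the message whose file name is a known store."""
    hits = []
    for raw in PATH_RE.findall(message):
        path = raw.rstrip()
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SENSITIVE_STORES:
            hits.append((path, SENSITIVE_STORES[name]))
    return hits


def flag_store_access(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """One finding per (process, path) where a non-browser process touched a store.
    Repeated messages about the same file collapse into a single finding."""
    seen: Set[Tuple[str, str]] = set()
    findings = []
    for process, message in events:
        if process.lower() in BROWSER_PROCESSES:
            continue
        for path, what in sensitive_paths(message):
            key = (process.lower(), path.lower())
            if key in seen:
                continue
            seen.add(key)
            findings.append({"process": process, "path": path, "store": what})
    return findings


# Constructed sample: the first four events reproduce the report's debug strings for
# Avira.ServiceHost.exe; the chrome.exe and updater.exe events are invented.
CHROME_PROFILE = r"C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    ("Avira.ServiceHost.exe",
     "SQLite error (2570): os_win.c:42430: (32) winDelete(" + CHROME_PROFILE +
     r"\Cookies-journal) - The process cannot access the file because it is being used by another process."),
    ("Avira.ServiceHost.exe",
     "SQLite error (2570): os_win.c:42430: (32) winDelete(" + CHROME_PROFILE +
     r"\Cookies-journal) - The process cannot access the file because it is being used by another process."),
    ("Avira.ServiceHost.exe",
     "SQLite notice (539): recovered 3 pages from " + CHROME_PROFILE + r"\Cookies-journal"),
    ("Avira.ServiceHost.exe", "SQLite error (2570): disk I/O error"),
    ("chrome.exe", "opened (" + CHROME_PROFILE + r"\Cookies)"),
    ("updater.exe", 'CreateFile("' + CHROME_PROFILE + r'\Login Data")'),
]

if __name__ == "__main__":
    for f in flag_store_access(SAMPLE_EVENTS):
        print(f"{f['process']}: {f['store']} at {f['path']}")
```

In production the input would be file-open telemetry from an EDR or Sysmon rather than a sandbox's debug strings, but the matching logic is the same: key on the file name of the store, allowlist the browser that owns it, and collapse repeats so a busy installer does not flood the queue.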