File name:

Clutt3.5.exe

Full analysis: https://app.any.run/tasks/d59d48ed-919f-41b7-8cad-4993b9d64bbf
Verdict: Malicious activity
Analysis date: May 25, 2025, 01:46:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
confuser
delphi
inno
installer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

1B787A18C44FFCCFA13CE18156A0E29F

SHA1:

93FA49F5BAEAE2291330396370CE52E4F2DD7792

SHA256:

57E542F11F189BA338C74406FB48CA0091279E66D2E0491E9E7C9A6C61D66B6D

SSDEEP:

12288:sUBhw5CXEvl1AdahfJyYDjWfz4IUyAxffZffBffNImh2fhSmqDP7:NBh7Uvl1AdefUYDjWfz4IUyAxffZffBl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Disables task manager

      • Clutt3.5.exe (PID: 2368)

  • SUSPICIOUS

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 1864)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 1864)

    • Reads the Internet Settings

      • Clutt3.5.exe (PID: 2368)
      • Skype.exe (PID: 2544)
      • Skype-Setup.tmp (PID: 3956)
      • msdt.exe (PID: 4008)

    • Starts CMD.EXE for commands execution

      • Clutt3.5.exe (PID: 2368)

    • There is functionality for taking screenshot (YARA)

      • Clutt3.5.exe (PID: 2368)

    • Reads security settings of Internet Explorer

      • Clutt3.5.exe (PID: 2368)
      • Skype-Setup.tmp (PID: 3956)

    • Application launched itself

      • Skype.exe (PID: 2544)
      • msdt.exe (PID: 4008)

    • Executable content was dropped or overwritten

      • Skype-Setup.exe (PID: 3212)
      • Skype-Setup.exe (PID: 3008)
      • Skype-Setup.tmp (PID: 3956)

    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 3956)

    • Searches for installed software

      • Skype-Setup.tmp (PID: 3956)

    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 3956)

    • Process drops legitimate windows executable

      • Skype-Setup.tmp (PID: 3956)

    • The process drops C-runtime libraries

      • Skype-Setup.tmp (PID: 3956)

  • INFO

    • Reads the computer name

      • Clutt3.5.exe (PID: 2368)
      • Skype.exe (PID: 2544)
      • Skype.exe (PID: 3676)
      • Skype.exe (PID: 2920)
      • Skype.exe (PID: 3664)
      • Skype-Setup.tmp (PID: 3112)
      • Skype-Setup.tmp (PID: 3956)
      • Skype.exe (PID: 3020)

    • Reads the machine GUID from the registry

      • Clutt3.5.exe (PID: 2368)

    • Manual execution by a user

      • Skype.exe (PID: 2544)
      • WINWORD.EXE (PID: 2740)
      • msdt.exe (PID: 4008)
      • msdt.exe (PID: 580)
      • chrome.exe (PID: 3900)

    • Reads product name

      • Skype.exe (PID: 2544)

    • Checks supported languages

      • Skype.exe (PID: 3020)
      • Clutt3.5.exe (PID: 2368)
      • Skype.exe (PID: 2544)
      • Skype.exe (PID: 948)
      • Skype.exe (PID: 3676)
      • Skype-Setup.exe (PID: 3212)
      • Skype-Setup.tmp (PID: 3112)
      • Skype.exe (PID: 2920)
      • Skype.exe (PID: 3664)
      • Skype-Setup.exe (PID: 3008)
      • Skype-Setup.tmp (PID: 3956)

    • Creates files or folders in the user directory

      • Skype.exe (PID: 2544)

    • Create files in a temporary directory

      • Skype-Setup.exe (PID: 3212)
      • Skype-Setup.exe (PID: 3008)
      • Skype-Setup.tmp (PID: 3956)
      • msdt.exe (PID: 4008)
      • msdt.exe (PID: 580)
      • msdt.exe (PID: 3920)

    • The sample compiled with english language support

      • Skype-Setup.tmp (PID: 3956)
      • msdt.exe (PID: 3920)

    • Creates files in the program directory

      • Skype-Setup.tmp (PID: 3956)

    • Confuser has been detected (YARA)

      • Clutt3.5.exe (PID: 2368)

    • Detects InnoSetup installer (YARA)

      • Skype-Setup.exe (PID: 3212)
      • Skype-Setup.tmp (PID: 3112)
      • Skype-Setup.exe (PID: 3008)
      • Skype-Setup.tmp (PID: 3956)

    • Compiled with Borland Delphi (YARA)

      • Skype-Setup.exe (PID: 3212)
      • Skype-Setup.tmp (PID: 3112)
      • Skype-Setup.exe (PID: 3008)
      • Skype-Setup.tmp (PID: 3956)

    • Reads Environment values

      • Skype.exe (PID: 2544)

    • Reads security settings of Internet Explorer

      • msdt.exe (PID: 4008)
      • msdt.exe (PID: 3920)

    • Reads CPU info

      • Skype.exe (PID: 2544)

    • Reads the software policy settings

      • msdt.exe (PID: 3920)

    • Application launched itself

      • chrome.exe (PID: 3900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:05 12:49:56+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 135168
InitializedDataSize: 125440
UninitializedDataSize: -
EntryPoint: 0x22eae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.5.0.0
ProductVersionNumber: 3.5.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Clutter virus
CompanyName: -
FileDescription: Clutter virus
FileVersion: 3.5
InternalName: Clutt3.5.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: Clutt3.5.exe
ProductName: Clutt3._5.Properties
ProductVersion: 3.5
AssemblyVersion: 3.5.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
38
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start clutt3.5.exe cmd.exe no specs takeown.exe no specs icacls.exe no specs winword.exe no specs skype.exe skype.exe skype.exe no specs skype.exe no specs skype-setup.exe skype.exe no specs skype-setup.tmp no specs skype.exe no specs skype-setup.exe skype-setup.tmp taskkill.exe no specs msdt.exe no specs msdt.exe no specs msdt.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs PhotoViewer.dll no specs clutt3.5.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
580"C:\Windows\system32\msdt.exe" -id AeroDiagnosticC:\Windows\System32\msdt.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
752takeown /f C:\Windows\System32\drivers C:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
948"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2&uid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.110.0.215 "--annotation=exe=C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x334,0x338,0x33c,0x330,0x340,0x7dec2d8,0x7dec2e8,0x7dec2f4C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Skype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
MEDIUM
Description:
Skype
Exit code:
1
Version:
8.110.0.215
1324"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3104 --field-trial-handle=1132,i,10043548380698393816,9502668252358688682,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
1500"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1132,i,10043548380698393816,9502668252358688682,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
1748"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1132,i,10043548380698393816,9502668252358688682,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
1776"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4044 --field-trial-handle=1132,i,10043548380698393816,9502668252358688682,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
1784icacls C:\Windows\System32\drivers /grant "admin:F" C:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1864"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && exitC:\Windows\System32\cmd.exeClutt3.5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2052"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3284 --field-trial-handle=1132,i,10043548380698393816,9502668252358688682,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
102
Suspicious files
66
Text files
67
Unknown types
0

Dropped files

PID
Process
Filename
Type
2740WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR826A.tmp.cvr
MD5:
SHA256:
2740WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0BFD4E5F-5E62-4B8C-A5BC-17607569354E}.tmpbinary
MD5:17C6394D2EBC457ACC8AA1009625B541
SHA256:3CADC3144E3E714207F678E1A45C48488830305DDC2DA09C6F0892F81635E283
2740WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828DBBC1-0177-4371-8977-F58EDD67F868}.tmpbinary
MD5:5F142A179326F75568C369CD0EE0899C
SHA256:4914E4D5448F299083E5DC883EFD2EC3DAE58CB470F442D299A1C86A8B47CDAB
2544Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.datbinary
MD5:3B2AEFD32F61DB8110091B81A16A9AD1
SHA256:27A6D2020F45CD9D3F4DFCF837EC661A1D997B08D23E3CB41B94186C21A50B37
3212Skype-Setup.exeC:\Users\admin\AppData\Local\Temp\is-NKL42.tmp\Skype-Setup.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
2740WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FD6BFB0D-ED38-4B99-A9C0-69DFFFF50553}.tmpbinary
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
2544Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old~RF1910cf.TMPtext
MD5:FF878337359379694741312E6B39EF79
SHA256:AFDE1D769112411CE68EBA5A2821FED0E058B8A31D0795F6047718DD324B3C8F
3008Skype-Setup.exeC:\Users\admin\AppData\Local\Temp\is-JV08R.tmp\Skype-Setup.tmpexecutable
MD5:55364BFEA54A03CCBA0F0400DF3D629F
SHA256:94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
2740WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BAB95E99-24FF-4BFC-833C-FA5E0D53E662}.tmpbinary
MD5:FFA25405566789CF5CAB3A830A5CE857
SHA256:CB465800A2F4AD0E6E984112603C005B80E51CDA5F3B33BD818A53A0F7FC19C3
2544Skype.exeC:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOGtext
MD5:2DF990FB5D269309ED1CAD5CA4FC4321
SHA256:653DF58589BAE7D43677A7CD2E80136347F83DF958ED37B5EAD014828398E905
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
20
DNS requests
19
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
2544
Skype.exe
52.113.194.133:443
get.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2544
Skype.exe
13.107.42.16:443
a.config.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3852
chrome.exe
216.58.206.35:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
3900
chrome.exe
239.255.255.250:1900
whitelisted
3852
chrome.exe
142.251.168.84:443
accounts.google.com
GOOGLE
US
whitelisted
3852
chrome.exe
142.250.185.68:443
www.google.com
GOOGLE
US
whitelisted
3852
chrome.exe
142.250.185.67:443
www.gstatic.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
get.skype.com
  • 52.113.194.133
whitelisted
a.config.skype.com
  • 13.107.42.16
whitelisted
clientservices.googleapis.com
  • 216.58.206.35
whitelisted
accounts.google.com
  • 142.251.168.84
whitelisted
www.google.com
  • 142.250.185.68
whitelisted
www.gstatic.com
  • 142.250.185.67
whitelisted
ogads-pa.clients6.google.com
  • 142.250.185.74
whitelisted
apis.google.com
  • 142.250.186.78
whitelisted
play.google.com
  • 142.250.185.78
whitelisted

Threats

No threats detected
Process
Message
Skype.exe
[0525/024715.188:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Clutt3.5.exe