File name: dovidka.chm

Full analysis: https://app.any.run/tasks/8dab2eeb-bb4f-4606-904a-c66db10ad8ad
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 05, 2022, 02:03:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5: 2556A9E1D5E9874171F51620E5C5E09A
SHA1: AFFC2B19D9FB8080A7211C3ED0718F2C3D3887DF
SHA256: 7F0511B09B1AB3A64C8827DD8AF017ACBF7D2688DB31A5D98FEA8A5029A89D56
SSDEEP: 6144:6hK9QF9IF78JuiKgnheEVfh+x6I/c0mGkBZ6w5+2yrBnx:d9QFq78JuiBnheEVqvcBZ6ws7nx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WScript.exe (PID: 2764)
      • CCleaner.exe (PID: 2792)
    • Writes to a start menu file

      • WScript.exe (PID: 2764)
    • Loads dropped or rewritten executable

      • regasm.exe (PID: 3080)
      • CCleaner.exe (PID: 2792)
    • Loads the Task Scheduler COM API

      • CCleaner.exe (PID: 3788)
      • CCleaner.exe (PID: 2792)
    • Changes settings of System certificates

      • CCleaner.exe (PID: 2792)
    • Steals credentials from Web Browsers

      • CCleaner.exe (PID: 2792)
    • Actions looks like stealing of personal data

      • CCleaner.exe (PID: 2792)
  • SUSPICIOUS

    • Checks supported languages

      • WScript.exe (PID: 2764)
      • wscript.exe (PID: 2732)
      • regasm.exe (PID: 3080)
      • CCleaner.exe (PID: 3788)
      • CCleaner.exe (PID: 2792)
    • Reads the computer name

      • WScript.exe (PID: 2764)
      • regasm.exe (PID: 3080)
      • wscript.exe (PID: 2732)
      • CCleaner.exe (PID: 3788)
      • CCleaner.exe (PID: 2792)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 3284)
      • hh.exe (PID: 3132)
      • CCleaner.exe (PID: 2792)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WScript.exe (PID: 2764)
    • Executes scripts

      • hh.exe (PID: 3284)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2764)
      • CCleaner.exe (PID: 2792)
    • Reads internet explorer settings

      • hh.exe (PID: 3284)
      • hh.exe (PID: 3132)
      • CCleaner.exe (PID: 2792)
    • Drops a file with a compile date too recent

      • WScript.exe (PID: 2764)
      • CCleaner.exe (PID: 2792)
    • Creates files in the user directory

      • WScript.exe (PID: 2764)
      • CCleaner.exe (PID: 2792)
    • Reads Environment values

      • CCleaner.exe (PID: 3788)
      • CCleaner.exe (PID: 2792)
    • Executed via Task Scheduler

      • CCleaner.exe (PID: 2792)
    • Reads CPU info

      • CCleaner.exe (PID: 2792)
    • Creates files in the program directory

      • CCleaner.exe (PID: 2792)
    • Reads the date of Windows installation

      • CCleaner.exe (PID: 2792)
    • Adds / modifies Windows certificates

      • CCleaner.exe (PID: 2792)
    • Searches for installed software

      • CCleaner.exe (PID: 2792)
  • INFO

    • Reads the computer name

      • hh.exe (PID: 3284)
      • hh.exe (PID: 3132)
      • WINWORD.EXE (PID: 476)
    • Checks supported languages

      • hh.exe (PID: 3284)
      • hh.exe (PID: 3132)
      • WINWORD.EXE (PID: 476)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 2764)
      • wscript.exe (PID: 2732)
      • CCleaner.exe (PID: 2792)
    • Manual execution by user

      • WINWORD.EXE (PID: 476)
      • hh.exe (PID: 3132)
      • CCleaner.exe (PID: 3788)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 476)
    • Reads the hosts file

      • CCleaner.exe (PID: 2792)
    • Reads settings of System Certificates

      • CCleaner.exe (PID: 2792)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 476)
No Malware configuration.

TRiD

.chm | Windows HELP File (18.9)
No data.
Total processes
50
Monitored processes
8
Malicious processes
4
Suspicious processes
3

Behavior graph

start hh.exe no specs wscript.exe wscript.exe no specs regasm.exe winword.exe no specs hh.exe no specs ccleaner.exe no specs ccleaner.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3284
CMD: "C:\Windows\hh.exe" "C:\Users\admin\Desktop\dovidka.chm"
Path: C:\Windows\hh.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID: 2764
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\Public\ignit.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: hh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2732
CMD: "C:\Windows\System32\wscript.exe" //B //E:vbs C:\Users\Public\Favorites\desktop.ini
Path: C:\Windows\System32\wscript.exe
Parent process: hh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3080
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\Public\Libraries\core.dll
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sspicli.dll
PID: 476
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\printerretail.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
PID: 3132
CMD: "C:\Windows\hh.exe" C:\Users\admin\Desktop\dovidka.chm
Path: C:\Windows\hh.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® HTML Help Executable
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
PID: 3788
CMD: "C:\Program Files\CCleaner\CCleaner.exe"
Path: C:\Program Files\CCleaner\CCleaner.exe
Parent process: Explorer.EXE
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
5.74.0.8198
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2792
CMD: "C:\Program Files\CCleaner\CCleaner.exe" /uac
Path: C:\Program Files\CCleaner\CCleaner.exe
Parent process: taskeng.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Exit code:
0
Version:
5.74.0.8198
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
17 734
Read events
17 197
Write events
362
Delete events
175

Modification events

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: hh.exe (PID: 3284)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: wscript.exe (PID: 2732)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: wscript.exe (PID: 2732)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: wscript.exe (PID: 2732)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files
3
Suspicious files
17
Text files
12
Unknown types
17

Dropped files

PID
Process
Filename
Type
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRD90B.tmp.cvr
MD5:
SHA256:
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5:FE49D3875D2C5212BF5B5A60BC642C24
SHA256:7CAA60F92D7AFCF973F2FD6FAA73FDC949A625AB2BD43AFF7D9DB3CA232BFF74
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{64F0CA63-AF87-46DF-93CC-094108437E9C}.tmp
Type: binary
MD5:3F500CBCD35B201F155DEC3EB7E4286B
SHA256:96710C74FF490DD0995DC9BC5D49D53EE7026D9DE5ACCC1FEC301DF70A8936B4
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$interretail.rtf
Type: pgc
MD5:DFD88AA9945FE5ED0338E589D827F140
SHA256:B7228BA80E7CF1028AC446868B00720EC00AD02063F636698394376FFEB83A3D
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\printerretail.rtf.LNK
Type: lnk
MD5:09E5655692517FD5225F67B9C6D57821
SHA256:A27EE2202A5C8B865A2750301771045E4A95A6E14B3125F96C4443EFCB4E45E2
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5:8876DD3B5823638F2E2C3D73B2E5BDAA
SHA256:67494543CFF5861E63F5FBB8C0464CC30EBF9205AC8F6011C5B30E4B6C4C09F2
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{79A2EC6B-DDD6-4A28-9FA5-2B0385F2C989}.tmp
Type: dbf
MD5:219977D57EE95E36B1608EA52A21ED23
SHA256:A6CABA5A220D2EC229F04635888FAF5F7B2ACE7E4F4D3D73063F87D34587EA50
PID: 2792
Process: CCleaner.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8C2Y6J2UROS42YOFWP7S.temp
Type: binary
MD5:191C4D7010898254B75D6D994264762F
SHA256:56A459376EB9E14B92EEB6ED6AD577AF3AF72ABD2EBA624C543761D8DD393F02
PID: 3284
Process: hh.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
Type: chm
MD5:275751C7F9CE6806026AD245DCF87CD4
SHA256:640A1EF74CAFA8428D5DAABFB66DB29F64543018A8F75168282EA41B1B15E2C4
PID: 476
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4F60E4AE-205A-41CE-A469-420A4D73EC7F}.tmp
Type: smt
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
HTTP(S) requests
14
TCP/UDP connections
17
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2792
CCleaner.exe
GET
301
104.109.93.201:80
http://www.ccleaner.com/auto?a=0&p=cc&v=5.74.8198&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-HZ8S&o=6.1W3&au=0&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gd=19ce970b-f6c0-4a09-bae4-274b971730e0
NL
whitelisted
2792
CCleaner.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
2792
CCleaner.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
2792
CCleaner.exe
GET
200
172.217.17.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2792
CCleaner.exe
GET
200
8.253.95.249:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?738d7f8cc19a0aa0
US
compressed
4.70 Kb
whitelisted
2792
CCleaner.exe
GET
200
8.253.95.249:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2f4f8b38111e1cce
US
compressed
4.70 Kb
whitelisted
2792
CCleaner.exe
GET
200
8.253.95.249:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?556b0b64debc9231
US
compressed
4.70 Kb
whitelisted
2792
CCleaner.exe
GET
200
8.253.95.249:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?42d5948c282e3550
US
compressed
4.70 Kb
whitelisted
2792
CCleaner.exe
GET
200
2.16.106.193:80
http://ncc.avast.com/ncc.txt
unknown
text
26 b
whitelisted
2792
CCleaner.exe
GET
200
172.217.17.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2792
CCleaner.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
2.16.106.193:80
ncc.avast.com
Akamai International B.V.
DE
whitelisted
2792
CCleaner.exe
104.109.93.201:443
www.ccleaner.com
AKAMAI-AS
DE
unknown
2792
CCleaner.exe
104.109.93.201:80
www.ccleaner.com
AKAMAI-AS
DE
unknown
2792
CCleaner.exe
5.62.38.155:443
ipm-provider.ff.avast.com
AVAST Software s.r.o.
GB
unknown
2792
CCleaner.exe
104.125.16.83:443
ipmcdn.avast.com
AKAMAI-AS
DE
suspicious
3080
regasm.exe
194.195.211.98:8443
xbeta.online
Linode, LLC
US
malicious
2792
CCleaner.exe
104.109.59.7:443
license.piriform.com
AKAMAI-AS
DE
whitelisted
2792
CCleaner.exe
34.117.223.223:443
analytics.ff.avast.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2792
CCleaner.exe
8.253.95.249:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious

DNS requests

Domain
IP
Reputation
xbeta.online
  • 194.195.211.98
unknown
ncc.avast.com
  • 2.16.106.193
  • 2.16.106.155
whitelisted
analytics.ff.avast.com
  • 34.117.223.223
whitelisted
www.ccleaner.com
  • 104.109.93.201
whitelisted
ctldl.windowsupdate.com
  • 8.253.95.249
  • 8.241.11.254
  • 67.27.235.126
  • 67.26.137.254
  • 67.27.233.126
whitelisted
ipm-provider.ff.avast.com
  • 5.62.38.155
  • 69.94.76.55
  • 5.62.44.217
  • 5.62.48.225
  • 69.94.76.70
  • 69.94.68.214
  • 5.62.38.44
  • 5.62.53.251
  • 69.94.68.224
  • 5.62.53.235
  • 69.94.76.96
  • 5.62.48.210
whitelisted
shepherd.ff.avast.com
  • 5.62.40.69
  • 5.62.25.43
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ipmcdn.avast.com
  • 104.125.16.83
whitelisted
ssl.google-analytics.com
  • 172.217.169.104
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)
2792
CCleaner.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
Process
Message
CCleaner.exe
Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe
startCheckingLicense()
CCleaner.exe
Using Sciter version 4.4.4.4-r8057
CCleaner.exe
OnLanguage - en
CCleaner.exe
OnLanguage - en
CCleaner.exe
observing CurrentIndex changed - 0
CCleaner.exe
observing CurrentIndex changed - Context.FirstTime=true CurrentIndex=0 LastIndex=4
CCleaner.exe
observing currentResultDetails changed - None
CCleaner.exe
SetStrings - Live Region updated: ,
CCleaner.exe
observing currentModeType changed - Preview