File name:

CLEAN.exe

Full analysis: https://app.any.run/tasks/8a1de90b-2507-4c33-a928-6ea82ce26424
Verdict: Malicious activity
Analysis date: August 21, 2024, 15:05:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4AFD3814D46D1FC122E79F33A22A578A

SHA1:

FE4AE0952BB82A950B18056327EB163BF3C358D0

SHA256:

B4F482E2E5E7C3C145263829F6CF686DA8986AA7E4B7E7CA818709F7B8DE45A8

SSDEEP:

98304:gDgvRCG1iRlP1yUldiuyZou3Uu5bJKePKw6TF0qSgqooyNYhqQ/4eIwy15j6l2me:mghfXnhN5V8oIUcnpp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • CLEAN.exe (PID: 6552)

    • Drops the executable file immediately after the start

      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)

    • The process drops C-runtime libraries

      • CLEAN.exe (PID: 6552)

    • Checks Windows Trust Settings

      • Install.exe (PID: 2876)

    • Executable content was dropped or overwritten

      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)

    • Searches for installed software

      • Install.exe (PID: 2876)

    • The process creates files with name similar to system file names

      • CleanAvDrv.exe (PID: 6308)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • CleanAvDrv.exe (PID: 6308)

    • The process verifies whether the antivirus software is installed

      • Install.exe (PID: 2876)

  • INFO

    • Reads the computer name

      • CLEAN.exe (PID: 6552)
      • vsdrinst64.exe (PID: 6248)

    • Checks supported languages

      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)
      • CleanWebSecure.exe (PID: 6320)
      • Clean_tool64.exe (PID: 6356)
      • vsdrinst64.exe (PID: 6248)

    • Creates files in the program directory

      • Install.exe (PID: 2876)

    • Create files in a temporary directory

      • Install.exe (PID: 2876)
      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)

    • Reads the machine GUID from the registry

      • Install.exe (PID: 2876)
      • CLEAN.exe (PID: 6552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:31 07:53:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 807936
InitializedDataSize: 312832
UninitializedDataSize: -
EntryPoint: 0x76572
OSVersion: 6
ImageVersion: 1
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 15.8.190.19023
ProductVersionNumber: 15.8.190.19023
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Check Point Software Technologies Ltd.
FileDescription: ZoneAlarm
FileVersion: 15.8.190.19023
InternalName: Install
LegalCopyright: Copyright © 1998-2022, Check Point, LTD
OriginalFileName: Install.exe
ProductName: ZoneAlarm
ProductVersion: 15.8.190.19023
BuildDate: Mon, 31 Jan 2022 07:19:51
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
10
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start clean.exe install.exe dltel.exe conhost.exe no specs cleanavdrv.exe cleanwebsecure.exe no specs clean_tool64.exe vsdrinst64.exe no specs conhost.exe no specs clean.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dltel.exe" unique_client=d3ed996876de4243b3a37fd4bf16d08e client_version=15.8.190.19023 type=211117 list_of_files="" meta_data1=20240821T150600 meta_data2= int_field1= int_field2= int_field3= int_field4= int_field5=0 int_field6=1 int_field7=0 int_field8= int_field9= int_field10=0 str_field1="Install-Start" str_field2="{OS_BITNESS}" str_field3="{OS_INFO}" str_field4="0000" str_field5="" str_field6="" str_field7="15.8.190.19023" str_field8="{OS_VERSION}" str_field9="Install" str_field10="d3ed996876de4243b3a37fd4bf16d08e"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dltel.exe
Install.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
HIGH
Description:
ZoneAlarm Datalake telemetry utility
Exit code:
0
Version:
15.8.109.19010
Modules
Images
c:\windows\syswow64\dpapi.dll
2876"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe
CLEAN.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
HIGH
Description:
ZoneAlarm
Version:
15.8.190.19023
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clnpkg\vsinit.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\crypt32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\msvcr90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\msvcp90.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\msasn1.dll
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clnpkg\unprot_13.dll
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clnpkg\unprot_14.dll
c:\windows\syswow64\cfgmgr32.dll
6248"vsdrinst64.exe" -u {AC30BFB5-834B-46d2-B912-6CE71684EB2D}C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vsdrinst64.exeInstall.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\vsdrinst64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6308"CleanAvDrv.exe" /SC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\CleanAvDrv.exe
Install.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1168
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\cleanavdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6320"CleanWebSecure.exe" /SC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\CleanWebSecure.exeInstall.exe
User:
admin
Company:
Check Point Software
Integrity Level:
HIGH
Description:
ZoneAlarm Web Secure Cleaner
Exit code:
0
Version:
2022.1.30.1
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\cleanwebsecure.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exevsdrinst64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6356"clean_tool64.exe"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Clean_tool64.exe
Install.exe
User:
admin
Company:
ZoneAlarm
Integrity Level:
HIGH
Description:
Uninstal
Exit code:
2
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clean_tool64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6464\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedltel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
6552"C:\Users\admin\Desktop\CLEAN.exe" C:\Users\admin\Desktop\CLEAN.exe
explorer.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
HIGH
Description:
ZoneAlarm
Version:
15.8.190.19023
Modules
Images
c:\users\admin\desktop\clean.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
6616"C:\Users\admin\Desktop\CLEAN.exe" C:\Users\admin\Desktop\CLEAN.exeexplorer.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
MEDIUM
Description:
ZoneAlarm
Exit code:
3221226540
Version:
15.8.190.19023
Modules
Images
c:\users\admin\desktop\clean.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
8 690
Read events
8 614
Write events
64
Delete events
12

Modification events

(PID) Process:(6552) CLEAN.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:writeName:SI
Value:
d3ed996876de4243b3a37fd4bf16d08e
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\WINDOWS\SysWOW64\ICSLTA.DLL
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:ZoneAlarm Client
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Zone Labs Client
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:ZoneAlarm Tray
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:ZoneAlarm
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm
Operation:delete valueName:ZALogPath
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:delete valueName:INSTDATE
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:delete valueName:OEM
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:delete valueName:ProductMode
Value:
Executable files
62
Suspicious files
2
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:F4604E259459F5A0D5BE6914A6D4C5FB
SHA256:BCE066193FEB60B08EDF4CBEB490AAAA5DFFEB8A63A720CADF948748A9AF4B8F
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-memory-l1-1-0.dllexecutable
MD5:536F07C04C316AAC61AB64A492ED9191
SHA256:50BF87DA10AE3F442C457E42D6666993B0FCA7C5D4DF521E8CD0959995FBCDDC
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:405BB6A7CD56CBF5276C3A8DC631963D
SHA256:F654E56C4299F507BC34271B6BAA29290FD4919B853E17D7470596CAD779F063
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-libraryloader-l1-1-0.dllexecutable
MD5:8F239C629F09E1B49CF1F03304AB8E69
SHA256:D8D74FB87F94A587582D56934816362B992B712E47C39F13D957058F17724886
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:E205DE17A85B0C3352A6857EF9B3C6DD
SHA256:29B23370474BE0C459CC47863603167CC7191F58318BD29877225FCBF2454215
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:0A0084D4B3635E4D8EBAB587DCFCC16C
SHA256:5089484C8C56AC8E095CADC3DC971DF71EDEB52F856940632821FD37E81AE5CA
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:EA4AE42721460002DC31515F295AD1C4
SHA256:668F91E94E76DB4457184909E6A1AB4655E81A8EF37DC37B4ECFE93146C29A88
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:AD895B2A99A3EC18F1690BBAC1E2037A
SHA256:A11C772B2451B0C9C706B03381819E4A1DEF3E2FBBBA8362509BBE57DBD5C666
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-heap-l1-1-0.dllexecutable
MD5:0AEAF9CE58CBD0AF1E30D03B45C21F81
SHA256:9A5952C82CBCB1A8ECE9C51C258667D9AB96D13EC6455873999FF0BF78C3CAB0
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:6B937FE1EFF0E440B124BBB9334DF34D
SHA256:71C87C14BC1BD0B20D9F68D4943E93C4C6DDC1B6CF252938BB15FE562552F93E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
15
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
209.87.211.157:443
https://gwevents.checkpoint.com/gwstats/services/antimalware/1_0_0/log
unknown
xml
127 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
4760
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
209.87.211.157:443
gwevents.checkpoint.com
ZONEALARM-COM
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
gwevents.checkpoint.com
  • 209.87.211.157
whitelisted

Threats

No threats detected
Process
Message
dltel.exe
Finished telemetry for type=211117
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CLEAN.exe