File name:

CLEAN.exe

Full analysis: https://app.any.run/tasks/8a1de90b-2507-4c33-a928-6ea82ce26424
Verdict: Malicious activity
Analysis date: August 21, 2024, 15:05:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4AFD3814D46D1FC122E79F33A22A578A

SHA1:

FE4AE0952BB82A950B18056327EB163BF3C358D0

SHA256:

B4F482E2E5E7C3C145263829F6CF686DA8986AA7E4B7E7CA818709F7B8DE45A8

SSDEEP:

98304:gDgvRCG1iRlP1yUldiuyZou3Uu5bJKePKw6TF0qSgqooyNYhqQ/4eIwy15j6l2me:mghfXnhN5V8oIUcnpp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • CLEAN.exe (PID: 6552)

    • Drops the executable file immediately after the start

      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)

    • Executable content was dropped or overwritten

      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)

    • The process drops C-runtime libraries

      • CLEAN.exe (PID: 6552)

    • Checks Windows Trust Settings

      • Install.exe (PID: 2876)

    • Searches for installed software

      • Install.exe (PID: 2876)

    • The process creates files with name similar to system file names

      • CleanAvDrv.exe (PID: 6308)

    • The process verifies whether the antivirus software is installed

      • Install.exe (PID: 2876)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • CleanAvDrv.exe (PID: 6308)

  • INFO

    • Checks supported languages

      • CLEAN.exe (PID: 6552)
      • CleanAvDrv.exe (PID: 6308)
      • Clean_tool64.exe (PID: 6356)
      • vsdrinst64.exe (PID: 6248)
      • CleanWebSecure.exe (PID: 6320)

    • Create files in a temporary directory

      • CLEAN.exe (PID: 6552)
      • Install.exe (PID: 2876)
      • CleanAvDrv.exe (PID: 6308)

    • Reads the computer name

      • CLEAN.exe (PID: 6552)
      • vsdrinst64.exe (PID: 6248)

    • Reads the machine GUID from the registry

      • CLEAN.exe (PID: 6552)
      • Install.exe (PID: 2876)

    • Creates files in the program directory

      • Install.exe (PID: 2876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:31 07:53:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 807936
InitializedDataSize: 312832
UninitializedDataSize: -
EntryPoint: 0x76572
OSVersion: 6
ImageVersion: 1
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 15.8.190.19023
ProductVersionNumber: 15.8.190.19023
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Check Point Software Technologies Ltd.
FileDescription: ZoneAlarm
FileVersion: 15.8.190.19023
InternalName: Install
LegalCopyright: Copyright © 1998-2022, Check Point, LTD
OriginalFileName: Install.exe
ProductName: ZoneAlarm
ProductVersion: 15.8.190.19023
BuildDate: Mon, 31 Jan 2022 07:19:51
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
10
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start clean.exe install.exe dltel.exe conhost.exe no specs cleanavdrv.exe cleanwebsecure.exe no specs clean_tool64.exe vsdrinst64.exe no specs conhost.exe no specs clean.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dltel.exe" unique_client=d3ed996876de4243b3a37fd4bf16d08e client_version=15.8.190.19023 type=211117 list_of_files="" meta_data1=20240821T150600 meta_data2= int_field1= int_field2= int_field3= int_field4= int_field5=0 int_field6=1 int_field7=0 int_field8= int_field9= int_field10=0 str_field1="Install-Start" str_field2="{OS_BITNESS}" str_field3="{OS_INFO}" str_field4="0000" str_field5="" str_field6="" str_field7="15.8.190.19023" str_field8="{OS_VERSION}" str_field9="Install" str_field10="d3ed996876de4243b3a37fd4bf16d08e"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dltel.exe
Install.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
HIGH
Description:
ZoneAlarm Datalake telemetry utility
Exit code:
0
Version:
15.8.109.19010
Modules
Images
c:\windows\syswow64\dpapi.dll
2876"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe
CLEAN.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
HIGH
Description:
ZoneAlarm
Version:
15.8.190.19023
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clnpkg\vsinit.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\crypt32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\msvcr90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\msvcp90.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\msasn1.dll
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clnpkg\unprot_13.dll
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clnpkg\unprot_14.dll
c:\windows\syswow64\cfgmgr32.dll
6248"vsdrinst64.exe" -u {AC30BFB5-834B-46d2-B912-6CE71684EB2D}C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vsdrinst64.exeInstall.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\vsdrinst64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6308"CleanAvDrv.exe" /SC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\CleanAvDrv.exe
Install.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1168
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\cleanavdrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6320"CleanWebSecure.exe" /SC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\CleanWebSecure.exeInstall.exe
User:
admin
Company:
Check Point Software
Integrity Level:
HIGH
Description:
ZoneAlarm Web Secure Cleaner
Exit code:
0
Version:
2022.1.30.1
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\cleanwebsecure.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exevsdrinst64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6356"clean_tool64.exe"C:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Clean_tool64.exe
Install.exe
User:
admin
Company:
ZoneAlarm
Integrity Level:
HIGH
Description:
Uninstal
Exit code:
2
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\{907a1104-e812-4b5c-959b-e4dab37a96ab}\clean_tool64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6464\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedltel.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
6552"C:\Users\admin\Desktop\CLEAN.exe" C:\Users\admin\Desktop\CLEAN.exe
explorer.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
HIGH
Description:
ZoneAlarm
Version:
15.8.190.19023
Modules
Images
c:\users\admin\desktop\clean.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
6616"C:\Users\admin\Desktop\CLEAN.exe" C:\Users\admin\Desktop\CLEAN.exeexplorer.exe
User:
admin
Company:
Check Point Software Technologies Ltd.
Integrity Level:
MEDIUM
Description:
ZoneAlarm
Exit code:
3221226540
Version:
15.8.190.19023
Modules
Images
c:\users\admin\desktop\clean.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
8 690
Read events
8 614
Write events
64
Delete events
12

Modification events

(PID) Process:(6552) CLEAN.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:writeName:SI
Value:
d3ed996876de4243b3a37fd4bf16d08e
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\WINDOWS\SysWOW64\ICSLTA.DLL
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:ZoneAlarm Client
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:Zone Labs Client
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:ZoneAlarm Tray
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:ZoneAlarm
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm
Operation:delete valueName:ZALogPath
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:delete valueName:INSTDATE
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:delete valueName:OEM
Value:
(PID) Process:(2876) Install.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\ZoneAlarm\Installed
Operation:delete valueName:ProductMode
Value:
Executable files
62
Suspicious files
2
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:EA4AE42721460002DC31515F295AD1C4
SHA256:668F91E94E76DB4457184909E6A1AB4655E81A8EF37DC37B4ECFE93146C29A88
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:9A4FC3727AAF02C3285B47DF5EE56244
SHA256:891CCFEB349116283326262C27B8894B43CDC89B8AFD5BA7D21B891814A68075
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:AD895B2A99A3EC18F1690BBAC1E2037A
SHA256:A11C772B2451B0C9C706B03381819E4A1DEF3E2FBBBA8362509BBE57DBD5C666
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:0A0084D4B3635E4D8EBAB587DCFCC16C
SHA256:5089484C8C56AC8E095CADC3DC971DF71EDEB52F856940632821FD37E81AE5CA
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:405BB6A7CD56CBF5276C3A8DC631963D
SHA256:F654E56C4299F507BC34271B6BAA29290FD4919B853E17D7470596CAD779F063
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.logtext
MD5:40942EFFFE7F21A4F4852371A00EEFA8
SHA256:72AA38F1197D3BE9F7ECEA9A05CE7047E0354FCDC6858A21A64CB39279023FB9
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:6B937FE1EFF0E440B124BBB9334DF34D
SHA256:71C87C14BC1BD0B20D9F68D4943E93C4C6DDC1B6CF252938BB15FE562552F93E
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:41A0D67BA3833D230F1229FF058BE057
SHA256:4F11443A2FA6C714D3E33597F0D08DE4E11A6A2FDB7DE2E4A01ADDD5977665C5
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-memory-l1-1-0.dllexecutable
MD5:536F07C04C316AAC61AB64A492ED9191
SHA256:50BF87DA10AE3F442C457E42D6666993B0FCA7C5D4DF521E8CD0959995FBCDDC
6552CLEAN.exeC:\Users\admin\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\api-ms-win-core-profile-l1-1-0.dllexecutable
MD5:A616102234EC5AB394FF1C77DA34F6C0
SHA256:619E5120BFDD11461672CE8798DA00166E57C528B9AFD80404D2C9CBE87E2C07
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
15
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
209.87.211.157:443
https://gwevents.checkpoint.com/gwstats/services/antimalware/1_0_0/log
unknown
xml
127 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
4760
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
209.87.211.157:443
gwevents.checkpoint.com
ZONEALARM-COM
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
gwevents.checkpoint.com
  • 209.87.211.157
whitelisted

Threats

No threats detected
Process
Message
dltel.exe
Finished telemetry for type=211117
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Install.exe
WM_CLEAN_FINISH
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CLEAN.exe