| Field | Value |
|---|---|
| File name: | Ultimate Custom Night.url |
| Full analysis: | https://app.any.run/tasks/13a377a1-39fe-4c7c-adf0-4a1c38d293fa |
| Verdict: | Malicious activity |
| Analysis date: | November 24, 2023, 12:15:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-wine-extension-ini |
| File info: | Generic INItialization configuration [InternetShortcut]\015 |
| MD5: | 8325E7F90B2EB2C0ACD86C52B1528645 |
| SHA1: | 842F470841E6D9D3A8CC1FCA9C8A656E03B47E96 |
| SHA256: | B562801B6025CA8F6469C01B96A9AEB02D17ABAB44D6F90E60C4D826FAEA06F4 |
| SSDEEP: | 6:J254vVG/4x76FJMGElvw3pZK85cUllCQTDzLD:3VW4xmFJEovK8HTPj |

| Extension | Detected type |
|---|---|
| .url | Windows URL shortcut (91.6) |
| .ini | Generic INI configuration (8.3) |

| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 296 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1332,i,11327427207756546618,16268306862792741085,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 756 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1280 --field-trial-handle=1332,i,11327427207756546618,16268306862792741085,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 900 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://secure.ccleaner.com/502/uurl-vehigpaadv?x-source=1001&x-variant=1803&x-campaign=6&x-origin=5&utm_source=ccleaner&utm_medium=application&utm_campaign=/ccleaner/en-ww/toaster-229-toaster-campaigns_bfcm-bf-toaster-free-phase-1-90_default&v=6.14.10584&x-acqsource=&x-flow_id=0c6c9b1a-4bf3-406c-9a11-399d9bc52468&x-fid= | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | CCleaner.exe | admin | Microsoft Corporation | HIGH | Microsoft Edge | 0 | 109.0.1518.115 |
| 1232 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1372 --field-trial-handle=1332,i,11327427207756546618,16268306862792741085,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 1992 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Media Player Network Sharing Service Configuration Application | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 2084 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1428 --field-trial-handle=1332,i,11327427207756546618,16268306862792741085,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 2480 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\proposedmet.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| 2512 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=3688 --field-trial-handle=1332,i,11327427207756546618,16268306862792741085,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 2708 | "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l | C:\Windows\System32\rundll32.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2776 | "taskhost.exe" | C:\Windows\System32\taskhost.exe | | services.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1042 | On |
| 2480 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1055 | On |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR11F9.tmp.cvr | — | — | — |
| 2480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\proposedmet.rtf.LNK | binary | D8406167689F77DC28A4D31073C2EE19 | 6ED27D24A5EC918444CB7126D37CCE0E7D3F7A7EFBE75586F38F514EB72DF032 |
| 2480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 66C7429DC54835B6B6D88D7CCF7E4F6A | BD04F404DCA6B061BEACB509C893381B82BE09FFAD7FCB93416FD301D8FFAE31 |
| 2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FEB68699-3AC2-4B60-9F4A-1E3B08AFD33B}.tmp | binary | 8A424DD706D818BF5A264E8CE377A2D4 | 010E6277BDFED0D1D789BCF35DAE9C981864ABEEABCC7F9BC831E4C772292681 |
| 2480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7704668B-2303-4401-9579-446F2706941A}.tmp | binary | 5D4D94EE7E06BBB0AF9584119797B23A | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
| 2480 | WINWORD.EXE | C:\Users\admin\Desktop\~$oposedmet.rtf | binary | E4FB70DF37B35121655BFDDAF1A9EC9F | B7008A5F1FDC10C3587A48CBE2B378F10E92451E7A9BDCD1F04091771A496263 |
| 3380 | CCleaner.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13 | binary | 629DA8F00550E21A60C431FDA9F61201 | 7325A2E9E53479A92247A8FCA5F187DA655F595135C94CFBC0650155FABFBEE8 |
| 3380 | CCleaner.exe | C:\Program Files\CCleaner\gcapi_dll.dll | executable | F637D5D3C3A60FDDB5DD397556FE9B1D | 641B843CB6EE7538EC267212694C9EF0616B9AC9AB14A0ABD7CF020678D50B02 |
| 3380 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF1c3ffe.TMP | binary | DA39F131D86385E1285BF5489BA6B6F9 | 38C92C3B93D15CCF2E5E59D01D223366D60FF508037EF997C0CDCC11CEC8BAD0 |
| 3380 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8NIT0P9OCFP19980WUC2.temp | binary | B1BB576E0CADB851A53E540F71BBD258 | E76C0279CDA1AC9B3EC002D1AD4581B3742621C30DBF945A4FD25D876332D4EA |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3380 | CCleaner.exe | GET | 200 | 23.48.23.31:80 | http://ncc.avast.com/ncc.txt | unknown | text | 26 b | unknown |
| 3380 | CCleaner.exe | GET | 200 | 23.53.40.26:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5dfa55d03cad33c0 | unknown | compressed | 4.66 Kb | unknown |
| 3380 | CCleaner.exe | GET | 200 | 23.53.40.26:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1441a4e28aff532a | unknown | compressed | 4.66 Kb | unknown |
| 3380 | CCleaner.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
| 3380 | CCleaner.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D | unknown | binary | 724 b | unknown |
| 3380 | CCleaner.exe | GET | 200 | 23.53.40.26:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8dd82137bb3abad4 | unknown | compressed | 4.66 Kb | unknown |
| 3380 | CCleaner.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/s/gts1d4/ApQzOF39EDk/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQDomrJT6Y%2FrFhKE4gUosvin | unknown | binary | 472 b | unknown |
| 3380 | CCleaner.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | binary | 471 b | unknown |
| 3380 | CCleaner.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/s/gts1d4/HCBR1rPY_zA/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQCuJrycnyDuAAkjSCsH18s3 | unknown | binary | 472 b | unknown |
| 3380 | CCleaner.exe | GET | 200 | 23.53.40.26:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dd56f695ee23cf45 | unknown | compressed | 4.66 Kb | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 3380 | CCleaner.exe | 23.48.23.31:80 | ncc.avast.com | Akamai International B.V. | DE | unknown |
| 3380 | CCleaner.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown |
| 3380 | CCleaner.exe | 34.160.176.28:443 | shepherd.ff.avast.com | GOOGLE | US | unknown |
| 3380 | CCleaner.exe | 34.111.24.1:443 | ipm-provider.ff.avast.com | GOOGLE | US | unknown |
| 3380 | CCleaner.exe | 34.149.149.62:443 | ip-info.ff.avast.com | GOOGLE | US | unknown |
| 3380 | CCleaner.exe | 23.206.209.82:443 | www.ccleaner.com | AKAMAI-AS | DE | unknown |

| Domain | IP | Reputation |
|---|---|---|
| ncc.avast.com | | whitelisted |
| analytics.ff.avast.com | | whitelisted |
| ipm-provider.ff.avast.com | | whitelisted |
| shepherd.ff.avast.com | | whitelisted |
| www.ccleaner.com | | whitelisted |
| ip-info.ff.avast.com | | whitelisted |
| ctldl.windowsupdate.com | | whitelisted |
| ocsp.pki.goog | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| ipmcdn.avast.com | | whitelisted |

| Process | Message |
|---|---|
| CCleaner.exe | [2023-11-24 12:16:15.902] [error ] [settings ] [ 3380: 3812] [6000C4: 356] Failed to get program directory<br>Exception: Unable to determine program folder of product 'piriform-cc'!<br>Code: 0x000000c0 (192) |
| CCleaner.exe | Failed to open log file 'C:\Program Files\CCleaner' |
| CCleaner.exe | OnLanguage - en |
| CCleaner.exe | [2023-11-24 12:16:16.777] [error ] [settings ] [ 3380: 3372] [9434E9: 359] Failed to get program directory<br>Exception: Unable to determine program folder of product 'piriform-cc'!<br>Code: 0x000000c0 (192) |
| CCleaner.exe | [2023-11-24 12:16:16.792] [error ] [Burger ] [ 3380: 3372] [FDA25D: 244] [23.1.806.0] [BurgerReporter.cpp] [244] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003) |
| CCleaner.exe | [2023-11-24 12:16:16.792] [error ] [Burger ] [ 3380: 3372] [FDA25D: 244] [23.1.806.0] [BurgerReporter.cpp] [244] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003) |
| CCleaner.exe | startCheckingLicense() |
| CCleaner.exe | OnLanguage - en |
| CCleaner.exe | OnLanguage - en |
| CCleaner.exe | OnLanguage - en |