File name:

u_ex230323.log

Full analysis: https://app.any.run/tasks/08436308-45c2-4d29-a199-4cf1b3501303
Verdict: Malicious activity
Analysis date: April 14, 2023, 11:34:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

6FB1D24E5081290D66B043231DC45189

SHA1:

5954AE4E7D2697A8DD137906073A243CC98D9062

SHA256:

BAA1D4114BF9ADC0F0E29217277536DB86103D8881F695156644B26FFEDB8755

SSDEEP:

192:cqiX2sFsr4+bRLsBdMOgCJyHqPehJaRityPbsk3ZGa2xgCqQpC5UJcfUKkx5uPl0:2RSBKLlOqPehW1bPYNPp42hL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • CCleaner.exe (PID: 2792)

    • Actions looks like stealing of personal data

      • CCleaner.exe (PID: 2792)

    • Steals credentials from Web Browsers

      • CCleaner.exe (PID: 2792)

  • SUSPICIOUS

    • The process executes via Task Scheduler

      • CCleaner.exe (PID: 2792)

    • Executable content was dropped or overwritten

      • CCleaner.exe (PID: 2792)

    • Reads Internet Explorer settings

      • CCleaner.exe (PID: 2792)

    • Reads the Internet Settings

      • CCleaner.exe (PID: 2792)

    • Searches for installed software

      • CCleaner.exe (PID: 2792)

    • Reads security settings of Internet Explorer

      • CCleaner.exe (PID: 2792)

    • Reads Microsoft Outlook installation path

      • CCleaner.exe (PID: 2792)

    • Reads settings of System Certificates

      • CCleaner.exe (PID: 2792)

    • Checks Windows Trust Settings

      • CCleaner.exe (PID: 2792)

    • Executes as Windows Service

      • taskhost.exe (PID: 2292)

  • INFO

    • The process checks LSA protection

      • dllhost.exe (PID: 3840)
      • CCleaner.exe (PID: 2792)

    • Checks supported languages

      • CCleaner.exe (PID: 1276)
      • CCleaner.exe (PID: 2792)

    • Reads Environment values

      • CCleaner.exe (PID: 1276)
      • CCleaner.exe (PID: 2792)

    • Reads the computer name

      • CCleaner.exe (PID: 1276)
      • CCleaner.exe (PID: 2792)

    • Manual execution by a user

      • WINWORD.EXE (PID: 2840)
      • WINWORD.EXE (PID: 3392)
      • CCleaner.exe (PID: 1276)

    • Creates files in the program directory

      • CCleaner.exe (PID: 2792)

    • Reads product name

      • CCleaner.exe (PID: 2792)

    • Reads CPU info

      • CCleaner.exe (PID: 2792)

    • Reads the machine GUID from the registry

      • CCleaner.exe (PID: 2792)

    • Drops a file that was compiled in debug mode

      • CCleaner.exe (PID: 2792)

    • Checks proxy server information

      • CCleaner.exe (PID: 2792)

    • Application launched itself

      • iexplore.exe (PID: 2768)

    • Creates files or folders in the user directory

      • CCleaner.exe (PID: 2792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
9
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start notepad.exe no specs winword.exe winword.exe no specs PhotoViewer.dll no specs ccleaner.exe no specs ccleaner.exe taskhost.exe no specs iexplore.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
944"C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\u_ex230323.log"C:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\notepad.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
1276"C:\Program Files\CCleaner\CCleaner.exe" C:\Program Files\CCleaner\CCleaner.exeexplorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
5.74.0.8198
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2292"taskhost.exe"C:\Windows\System32\taskhost.exeservices.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2768"C:\Program Files\Internet Explorer\iexplore.exe" https://www.ccleaner.com/ccleaner/download/standard?utm_source=ccleaner&utm_medium=application&utm_campaign=/ccleaner/en-ww/toaster-campaigns_ccleaner-update_mid_variant-4&v=5.74.8198&x-acqsource=&x-flow_id=b8aa1b73-6bcb-4338-9f6d-d54c54cd07f1&x-aswparam=eyJwX2hpZCI6IjE5Y2U5NzBiLWY2YzAtNGEwOS1iYWU0LTI3NGI5NzE3MzBlMCIsImZsb3dfaWQiOiJiOGFhMWI3My02YmNiLTQzMzgtOWY2ZC1kNTRjNTRjZDA3ZjEiLCJhcHBWZXJzaW9uIjoiNS43NCIsInBfcHJvIjoiOTAiLCJwX3ZiZCI6IjgxOTgiLCJwX2NyZCI6IjFjMGZjMDdiLWM0YzctNDVkMi1hMzA0LTJmNDVkMGI2N2UyYyIsInBfYWxwIjoiMCJ9C:\Program Files\Internet Explorer\iexplore.exeCCleaner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2792"C:\Program Files\CCleaner\CCleaner.exe" /uacC:\Program Files\CCleaner\CCleaner.exe
taskeng.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Exit code:
0
Version:
5.74.0.8198
Modules
Images
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2840"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\sincethird.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
2932"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2768 CREDAT:275457 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3392"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\homepagemultiple.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
3840C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
34 784
Read events
33 824
Write events
326
Delete events
634

Modification events

(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
(PID) Process:(3392) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
On
Executable files
4
Suspicious files
116
Text files
212
Unknown types
62

Dropped files

PID
Process
Filename
Type
3392WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B15.tmp.cvr
MD5:
SHA256:
2840WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR9774.tmp.cvr
MD5:
SHA256:
3392WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\homepagemultiple.rtf.LNKlnk
MD5:356838FEEF70ABB9265ABCFF1D3E1BF8
SHA256:B1886E47871FBA5BE2ABB6E8FD66B391E1880F6E6E3334A20D6E3BFA0A22F445
3392WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{847BCB12-0506-49C3-ABC8-B69C824AD6E1}.tmpsmt
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
3392WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5C07F7DF-BFC8-4BB6-B86B-ACFEB217ECD4}.tmpdbf
MD5:1A995736947A299CA446962AC483FED5
SHA256:CAB0EB473D184796795E9B1A55E1E58990E5DBA38E8FFDE6AA26CDBFD68F10FF
3392WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:33DC4C66F2C06D8FF354464CF5D3A3FE
SHA256:A4817786697FD9D798FAF50322CC4E7FA3A7A23034EFF30080D041E0B2349E83
2840WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DA293D7B-0FB8-4D8C-B3C3-4286DD3F8614}.tmpsmt
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
2840WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\sincethird.rtf.LNKlnk
MD5:F2DC46A3BB68266924C171422181CC8B
SHA256:7F7304489AAC88FF8F17A3C98AC1E4DBAEE8D96D39D40F9537999B41A1332364
3392WINWORD.EXEC:\Users\admin\Desktop\~$mepagemultiple.rtfpgc
MD5:4E63E5E5C9FA1A278559353FA5B79EF3
SHA256:2786CA86221D2ABC455276D8B3B35090CF3203AC35AF670E48C59CE983BF11E2
3392WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:3022A6295CC0B787869AB81896ED7F7A
SHA256:D538F66B44F6FE00229D480D66B6B085E5A3DB8B9BBD544D37E649634064FFF0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
94
DNS requests
47
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2792
CCleaner.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?81a79401439c02d7
US
compressed
4.70 Kb
whitelisted
GET
200
142.250.185.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDUt2Lw90UwcRKPEbVHBMTU
US
der
472 b
whitelisted
GET
200
142.250.185.163:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEHUaR2ZbsSTyCl84GAor7Hc%3D
US
der
471 b
whitelisted
2792
CCleaner.exe
GET
200
2.19.126.75:80
http://ncc.avast.com/ncc.txt
DE
text
26 b
whitelisted
2792
CCleaner.exe
GET
200
142.250.185.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
GET
200
192.124.249.22:80
http://ocsp.starfieldtech.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT1ZqtwV0O1KcYi0gdzcFkHM%2BuArAQUJUWBaFAmOD07LSy%2BzWrZtj2zZmMCCAMIh7TRACSF
US
der
1.80 Kb
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
2792
CCleaner.exe
GET
200
142.250.185.163:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D
US
der
724 b
whitelisted
GET
200
142.250.185.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDNOjCIpK9abBL1HpHHKJI3
US
der
472 b
whitelisted
GET
200
192.124.249.22:80
http://ocsp.starfieldtech.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQUwPiEZQ6%2FsVZNPaFToNfxx8ZwqAQUfAwyH6fZMH%2FEfWijYqihzqsHWycCAQc%3D
US
der
1.74 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2792
CCleaner.exe
34.111.24.1:443
ipm-provider.ff.avast.com
GOOGLE
US
suspicious
2792
CCleaner.exe
2.19.126.75:80
ncc.avast.com
Akamai International B.V.
DE
suspicious
2792
CCleaner.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2792
CCleaner.exe
142.250.185.163:80
ocsp.pki.goog
GOOGLE
US
whitelisted
2792
CCleaner.exe
23.37.48.55:443
license.piriform.com
AKAMAI-AS
DE
unknown
2792
CCleaner.exe
5.45.61.71:443
shep-proxy.ff.avast.com
AVAST Software s.r.o.
NL
unknown
2792
CCleaner.exe
34.117.223.223:443
analytics.ff.avast.com
GOOGLE-CLOUD-PLATFORM
US
unknown
2792
CCleaner.exe
142.250.185.232:443
ssl.google-analytics.com
GOOGLE
US
suspicious
2792
CCleaner.exe
40.71.11.133:443
healthcheck.ccleaner.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
suspicious
2792
CCleaner.exe
104.107.255.206:443
ipmcdn.avast.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 104.103.88.140
whitelisted
ncc.avast.com
  • 2.19.126.75
  • 2.19.126.86
whitelisted
analytics.ff.avast.com
  • 34.117.223.223
whitelisted
www.ccleaner.com
  • 23.210.127.141
whitelisted
ipm-provider.ff.avast.com
  • 34.111.24.1
whitelisted
shepherd.ff.avast.com
  • 34.160.176.28
whitelisted
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ocsp.pki.goog
  • 142.250.185.163
whitelisted
license.piriform.com
  • 23.37.48.55
whitelisted

Threats

No threats detected
Process
Message
CCleaner.exe
Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe
Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe
Using Sciter version 4.4.4.4-r8057
CCleaner.exe
observing currentItem changed - test
CCleaner.exe
OnLanguage - en
CCleaner.exe
startCheckingLicense()
CCleaner.exe
observing CurrentIndex changed - 0
CCleaner.exe
OnLanguage - en
CCleaner.exe
currentResultDetails - None
CCleaner.exe
currentModeType - Preview
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
u_ex230323.log