File name: u_ex230323.log

Full analysis: https://app.any.run/tasks/08436308-45c2-4d29-a199-4cf1b3501303
Verdict: Malicious activity
Analysis date: April 14, 2023, 11:34:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 6FB1D24E5081290D66B043231DC45189
SHA1: 5954AE4E7D2697A8DD137906073A243CC98D9062
SHA256: BAA1D4114BF9ADC0F0E29217277536DB86103D8881F695156644B26FFEDB8755
SSDEEP: 192:cqiX2sFsr4+bRLsBdMOgCJyHqPehJaRityPbsk3ZGa2xgCqQpC5UJcfUKkx5uPl0:2RSBKLlOqPehW1bPYNPp42hL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • CCleaner.exe (PID: 2792)
    • Actions looks like stealing of personal data

      • CCleaner.exe (PID: 2792)
    • Steals credentials from Web Browsers

      • CCleaner.exe (PID: 2792)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • CCleaner.exe (PID: 2792)
    • Executable content was dropped or overwritten

      • CCleaner.exe (PID: 2792)
    • Reads Internet Explorer settings

      • CCleaner.exe (PID: 2792)
    • Reads the Internet Settings

      • CCleaner.exe (PID: 2792)
    • Searches for installed software

      • CCleaner.exe (PID: 2792)
    • Executes as Windows Service

      • taskhost.exe (PID: 2292)
    • Checks Windows Trust Settings

      • CCleaner.exe (PID: 2792)
    • Reads settings of System Certificates

      • CCleaner.exe (PID: 2792)
    • Reads security settings of Internet Explorer

      • CCleaner.exe (PID: 2792)
    • Reads Microsoft Outlook installation path

      • CCleaner.exe (PID: 2792)
  • INFO

    • Manual execution by a user

      • WINWORD.EXE (PID: 3392)
      • CCleaner.exe (PID: 1276)
      • WINWORD.EXE (PID: 2840)
    • The process checks LSA protection

      • dllhost.exe (PID: 3840)
      • CCleaner.exe (PID: 2792)
    • Reads the computer name

      • CCleaner.exe (PID: 1276)
      • CCleaner.exe (PID: 2792)
    • Reads Environment values

      • CCleaner.exe (PID: 1276)
      • CCleaner.exe (PID: 2792)
    • Checks supported languages

      • CCleaner.exe (PID: 1276)
      • CCleaner.exe (PID: 2792)
    • Reads CPU info

      • CCleaner.exe (PID: 2792)
    • Reads product name

      • CCleaner.exe (PID: 2792)
    • Reads the machine GUID from the registry

      • CCleaner.exe (PID: 2792)
    • Drops a file that was compiled in debug mode

      • CCleaner.exe (PID: 2792)
    • Creates files in the program directory

      • CCleaner.exe (PID: 2792)
    • Checks proxy server information

      • CCleaner.exe (PID: 2792)
    • Creates files or folders in the user directory

      • CCleaner.exe (PID: 2792)
    • Application launched itself

      • iexplore.exe (PID: 2768)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Process nodes shown in the graph: notepad.exe, winword.exe, winword.exe, PhotoViewer.dll, ccleaner.exe, ccleaner.exe, taskhost.exe, iexplore.exe, iexplore.exe. The interactive graph is available in the full report.)

Process information

(Columns: PID, CMD, Path, Indicators, Parent process; followed by User, Company, Integrity level, Description, Exit code, Version and loaded module images.)
PID 944 | CMD: "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\u_ex230323.log" | Path: C:\Windows\System32\notepad.exe | Parent: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Notepad | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\notepad.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
PID 1276 | CMD: "C:\Program Files\CCleaner\CCleaner.exe" | Path: C:\Program Files\CCleaner\CCleaner.exe | Parent: explorer.exe
User: admin | Company: Piriform Software Ltd | Integrity level: MEDIUM | Description: CCleaner | Exit code: 0 | Version: 5.74.0.8198
Modules (images):
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 2292 | CMD: "taskhost.exe" | Path: C:\Windows\System32\taskhost.exe | Parent: services.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Host Process for Windows Tasks | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID 2768 | CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.ccleaner.com/ccleaner/download/standard?utm_source=ccleaner&utm_medium=application&utm_campaign=/ccleaner/en-ww/toaster-campaigns_ccleaner-update_mid_variant-4&v=5.74.8198&x-acqsource=&x-flow_id=b8aa1b73-6bcb-4338-9f6d-d54c54cd07f1&x-aswparam=eyJwX2hpZCI6IjE5Y2U5NzBiLWY2YzAtNGEwOS1iYWU0LTI3NGI5NzE3MzBlMCIsImZsb3dfaWQiOiJiOGFhMWI3My02YmNiLTQzMzgtOWY2ZC1kNTRjNTRjZDA3ZjEiLCJhcHBWZXJzaW9uIjoiNS43NCIsInBfcHJvIjoiOTAiLCJwX3ZiZCI6IjgxOTgiLCJwX2NyZCI6IjFjMGZjMDdiLWM0YzctNDVkMi1hMzA0LTJmNDVkMGI2N2UyYyIsInBfYWxwIjoiMCJ9 | Path: C:\Program Files\Internet Explorer\iexplore.exe | Parent: CCleaner.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Internet Explorer | Exit code: 1 | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID 2792 | CMD: "C:\Program Files\CCleaner\CCleaner.exe" /uac | Path: C:\Program Files\CCleaner\CCleaner.exe | Parent: taskeng.exe
User: admin | Company: Piriform Software Ltd | Integrity level: HIGH | Description: CCleaner | Exit code: 0 | Version: 5.74.0.8198
Modules (images):
c:\program files\ccleaner\ccleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 2840 | CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\sincethird.rtf" | Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Parent: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID 2932 | CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2768 CREDAT:275457 /prefetch:2 | Path: C:\Program Files\Internet Explorer\iexplore.exe | Parent: iexplore.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Internet Explorer | Exit code: 0 | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID 3392 | CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\homepagemultiple.rtf" | Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Parent: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\gdi32.dll
PID 3840 | CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | Path: C:\Windows\System32\dllhost.exe | Parent: svchost.exe
User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: COM Surrogate | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 34 784
Read events: 33 824
Write events: 326
Delete events: 634

Modification events

(Columns: (PID) Process, Key, Operation, Name, Value)
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1033 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1041 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1046 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1036 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1031 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1040 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1049 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 3082 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1042 | Value: On
(3392) WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1055 | Value: On
Executable files: 4
Suspicious files: 116
Text files: 212
Unknown types: 62

Dropped files

(Columns: PID, Process, Filename, Type, MD5, SHA256)
3392 WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B15.tmp.cvr | Type: (empty) | MD5: (empty) | SHA256: (empty)
2840 WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9774.tmp.cvr | Type: (empty) | MD5: (empty) | SHA256: (empty)
3392 WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | Type: ini | MD5: 33DC4C66F2C06D8FF354464CF5D3A3FE | SHA256: A4817786697FD9D798FAF50322CC4E7FA3A7A23034EFF30080D041E0B2349E83
3392 WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | Type: pgc | MD5: 3022A6295CC0B787869AB81896ED7F7A | SHA256: D538F66B44F6FE00229D480D66B6B085E5A3DB8B9BBD544D37E649634064FFF0
3392 WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B665F086-BFB3-4A93-B809-D02141810CA0}.tmp | Type: binary | MD5: ECDEEED77F37D8F04AAC206C5EF260EE | SHA256: 7AEEC998C7A2674B73B417716FAC78A75141B5703C1BCA111D1A9BC2B2546DFD
3392 WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\homepagemultiple.rtf.LNK | Type: lnk | MD5: 356838FEEF70ABB9265ABCFF1D3E1BF8 | SHA256: B1886E47871FBA5BE2ABB6E8FD66B391E1880F6E6E3334A20D6E3BFA0A22F445
3392 WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{847BCB12-0506-49C3-ABC8-B69C824AD6E1}.tmp | Type: smt | MD5: 5D4D94EE7E06BBB0AF9584119797B23A | SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
2840 WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7F828423-ADFA-4B76-91FA-CDD8FAA0645F}.tmp | Type: binary | MD5: D5CA64D9BF1032D3B3E73C335F5517B4 | SHA256: 9E7F9F9D209276BE9DA12D3383F485E5F958F9EB4C4A0C2D3732226EBA743298
2840 WINWORD.EXE | C:\Users\admin\Desktop\~$ncethird.rtf | Type: pgc | MD5: 91AC8ADFA1D381C79BC8DF3285BF0843 | SHA256: C7DD1B5A30B19796CA52524F19987394D13481990B99674E865DA048F719A740
3392 WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5C07F7DF-BFC8-4BB6-B86B-ACFEB217ECD4}.tmp | Type: dbf | MD5: 1A995736947A299CA446962AC483FED5 | SHA256: CAB0EB473D184796795E9B1A55E1E58990E5DBA38E8FFDE6AA26CDBFD68F10FF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 26
TCP/UDP connections: 94
DNS requests: 47
Threats: 0

HTTP requests

(Columns: PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation)
2792 CCleaner.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
(PID/process not shown) | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDNOjCIpK9abBL1HpHHKJI3 | US | der | 472 b | whitelisted
2792 CCleaner.exe | GET 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?81a79401439c02d7 | US | compressed | 4.70 Kb | whitelisted
2792 CCleaner.exe | GET 200 | 2.19.126.75:80 | http://ncc.avast.com/ncc.txt | DE | text | 26 b | whitelisted
2792 CCleaner.exe | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
2792 CCleaner.exe | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQC8tJpYbHee%2FAokT3%2BjjBc1 | US | der | 472 b | whitelisted
2792 CCleaner.exe | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/s/gts1d4/JcgIJFV2pWM/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEAqIlfST3vHNEAzoYfpqlwg%3D | US | der | 471 b | whitelisted
(PID/process not shown) | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEHUaR2ZbsSTyCl84GAor7Hc%3D | US | der | 471 b | whitelisted
2792 CCleaner.exe | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D | US | der | 724 b | whitelisted
2792 CCleaner.exe | GET 200 | 142.250.185.163:80 | http://ocsp.pki.goog/s/gts1d4/4raLQTuACuw/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEEysLJOPkS8aELLUr1pZx6A%3D | US | der | 471 b | whitelisted

Connections

(Columns: PID, Process, IP, Domain, ASN, CN, Reputation)
3392 WINWORD.EXE | 104.103.88.140:80 | go.microsoft.com | AKAMAI-AS | AT | suspicious
2792 CCleaner.exe | 2.19.126.75:80 | ncc.avast.com | Akamai International B.V. | DE | suspicious
(PID/process not shown) | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2792 CCleaner.exe | 23.210.127.141:80 | www.ccleaner.com | AKAMAI-AS | DE | unknown
2792 CCleaner.exe | 23.210.127.141:443 | www.ccleaner.com | AKAMAI-AS | DE | unknown
2792 CCleaner.exe | 34.111.24.1:443 | ipm-provider.ff.avast.com | GOOGLE | US | suspicious
2792 CCleaner.exe | 23.37.48.55:443 | license.piriform.com | AKAMAI-AS | DE | unknown
2792 CCleaner.exe | 142.250.185.163:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
2792 CCleaner.exe | 34.117.223.223:443 | analytics.ff.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2792 CCleaner.exe | 104.107.255.206:443 | ipmcdn.avast.com | AKAMAI-AS | DE | unknown

DNS requests

(Columns: Domain, IP, Reputation)
go.microsoft.com | 104.103.88.140 | whitelisted
ncc.avast.com | 2.19.126.75, 2.19.126.86 | whitelisted
analytics.ff.avast.com | 34.117.223.223 | whitelisted
www.ccleaner.com | 23.210.127.141 | whitelisted
ipm-provider.ff.avast.com | 34.111.24.1 | whitelisted
shepherd.ff.avast.com | 34.160.176.28 | whitelisted
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
ocsp.pki.goog | 142.250.185.163 | whitelisted
license.piriform.com | 23.37.48.55 | whitelisted

Threats

No threats detected
(Columns: Process, Message)
CCleaner.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner.exe | Using Sciter version 4.4.4.4-r8057
CCleaner.exe | observing currentItem changed - test
CCleaner.exe | OnLanguage - en
CCleaner.exe | startCheckingLicense()
CCleaner.exe | observing CurrentIndex changed - 0
CCleaner.exe | OnLanguage - en
CCleaner.exe | currentResultDetails - None
CCleaner.exe | currentModeType - Preview