| File name: | devicecleanup01.exe |
| Full analysis: | https://app.any.run/tasks/7f192516-b92b-4ebf-87bb-b1bb6793ed3f |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | July 05, 2025, 22:03:36 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 3 sections |
| MD5: | 9C3B555DFFB7AE399F3186E775A39207 |
| SHA1: | 179DCD8E63B3ABC3D5A3F83D4CA909A61213F232 |
| SHA256: | C1CE37611D14460EFA9523A9249843BF1855D45F2E9DF1420F555686F91AB07E |
| SSDEEP: | 1536:HzDNee6lJB1LOr+oTFVpdOxuAEE8ixyVIH4:TDsLlJB1qr/p8pHyVIH4 |
MALICIOUS
UAC/LUA settings modification
- reg.exe (PID: 4816)
Registers / Runs the DLL via REGSVR32.EXE
- cmd.exe (PID: 6940)
Starts NET.EXE for service management
- cmd.exe (PID: 6940)
- net.exe (PID: 1096)
Actions looks like stealing of personal data
- cmd.exe (PID: 6940)
Steals credentials from Web Browsers
- cmd.exe (PID: 6940)
SUSPICIOUS
Reads the date of Windows installation
- devicecleanup01.exe (PID: 2076)
Reads security settings of Internet Explorer
- devicecleanup01.exe (PID: 2076)
- ShellExperienceHost.exe (PID: 6516)
Executing commands from a ".bat" file
- devicecleanup01.exe (PID: 2076)
Starts CMD.EXE for commands execution
- devicecleanup01.exe (PID: 2076)
- cmd.exe (PID: 6940)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 6940)
Uses NETSH.EXE to add a firewall rule or allowed programs
- cmd.exe (PID: 6940)
Application launched itself
- cmd.exe (PID: 6940)
Creates or modifies Windows services
- reg.exe (PID: 6368)
- reg.exe (PID: 3588)
- reg.exe (PID: 1732)
Creates file in the systems drive root
- cmd.exe (PID: 6940)
Executable content was dropped or overwritten
- cmd.exe (PID: 6940)
INFO
Create files in a temporary directory
- devicecleanup01.exe (PID: 2076)
Process checks computer location settings
- devicecleanup01.exe (PID: 2076)
Reads the computer name
- devicecleanup01.exe (PID: 2076)
- ShellExperienceHost.exe (PID: 6516)
Checks supported languages
- devicecleanup01.exe (PID: 2076)
- ShellExperienceHost.exe (PID: 6516)
Creates files in the program directory
- cmd.exe (PID: 6940)
UPX packer has been detected
- devicecleanup01.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (87) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.4) |
| .exe | | | DOS Executable Generic (6.4) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2019:07:30 08:52:21+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 2.5 |
| CodeSize: | 57344 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 98304 |
| EntryPoint: | 0x25a90 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
Total processes
154
Monitored processes
18
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1096 | net start wabimp | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1732 | reg add \"HKLM\SYSTEM\CurrentControlSet\Services\wabimp\" /v ErrorControl /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2076 | "C:\Users\admin\Downloads\devicecleanup01.exe" | C:\Users\admin\Downloads\devicecleanup01.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 2324 | reg add \"HKLM\SYSTEM\CurrentControlSet\Services\wabimp\" /v Description /t REG_SZ /d \"Windows Address Book Import Service\" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2532 | "C:\Users\admin\Downloads\devicecleanup01.exe" | C:\Users\admin\Downloads\devicecleanup01.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 3588 | reg add \"HKLM\SYSTEM\CurrentControlSet\Services\wabimp\" /v Start /t REG_DWORD /d 2 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3704 | regsvr32 /s \"C:\Windows\System32\wabimp.dll\" | C:\Windows\System32\regsvr32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 3 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4088 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4264 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4816 | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
2 083
Read events
2 076
Write events
7
Delete events
0
Modification events
| (PID) Process: | (3588) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wabimp" |
| Operation: | write | Name: | Start |
Value: 2 | |||
| (PID) Process: | (4816) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | EnableLUA |
Value: 0 | |||
| (PID) Process: | (6368) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wabimp" |
| Operation: | write | Name: | Type |
Value: 32 | |||
| (PID) Process: | (1732) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wabimp" |
| Operation: | write | Name: | ErrorControl |
Value: 1 | |||
| (PID) Process: | (5496) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wabimp\Parameters" |
| Operation: | write | Name: | ServiceDll |
Value: "C:\Windows\System32\wabimp.dll" | |||
| (PID) Process: | (6516) ShellExperienceHost.exe | Key: | \REGISTRY\A\{f8402997-8df3-8583-875c-1e464ab22641}\LocalState |
| Operation: | write | Name: | PeekBadges |
Value: 5B005D0000003CEAEDAAF8EDDB01 | |||
| (PID) Process: | (6516) ShellExperienceHost.exe | Key: | \REGISTRY\A\{f8402997-8df3-8583-875c-1e464ab22641}\LocalState |
| Operation: | write | Name: | PeekBadges |
Value: 5B005D0000004E3BEEAAF8EDDB01 | |||
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2076 | devicecleanup01.exe | C:\Users\admin\AppData\Local\Temp\492E.tmp\492F.tmp\4930.bat | text | |
MD5:66AD1B1B852227A6DB8592C04D28020F | SHA256:08F234266D9F528A2ACB84ED2AF3641986957CB9CA7D21F0BC7F1D8600BD5CE0 | |||
| 6940 | cmd.exe | C:\Program Files\Windows Mail\7109856234.exe | executable | |
MD5:9C3B555DFFB7AE399F3186E775A39207 | SHA256:C1CE37611D14460EFA9523A9249843BF1855D45F2E9DF1420F555686F91AB07E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
14
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4156 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
3624 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
3624 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4916 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4156 | svchost.exe | 20.190.159.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4156 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |