File name:

CleverControl .NET for oskarmart8@gmail.com.msi

Full analysis: https://app.any.run/tasks/b18577f7-4e70-4ebd-804a-be4198843762
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 09, 2024, 17:07:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
stealer
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: CleverControl, Author: CLEVERCONTROL LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install CleverControl., Create Time/Date: Wed Mar 6 11:40:38 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Template: Intel;1033,1049,1025,1036,1031,1040,1041,1042,2070,2052,1055, Last Saved By: Intel;1034, Revision Number: {3B0C8790-2A27-425E-880F-AE1F2DAFDBE3}11.5.1035.5;{D923B2D2-3729-44BB-9D74-BD38244C4791}11.5.1035.5;{FD51EA12-D416-44E4-B078-42F080DB5CB5}, Number of Pages: 200, Number of Characters: 0
MD5:

031EEDC326397051DE20F4D9A59372C8

SHA1:

5AC1860F54B70A1B9EDA6ECA069B8FB0E7DF5CE6

SHA256:

CE7E8A8F5672F4F41C9676DD80C42656E1E5388FAC36DDF355A466B3DF3221BF

SSDEEP:

98304:TL+TJU9cIR21LidLg3/IXVDVQkdN92i43vNgqksCDiOd1yG+AE70tKwm+jyqiX3Z:AMM3A0JwUbQ/aVUTjYndDDr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3692)
    • Actions looks like stealing of personal data

      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 704)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2420)
    • Reads the Internet Settings

      • msiexec.exe (PID: 3692)
      • cmd.exe (PID: 3352)
      • clvhost.exe (PID: 3132)
      • sipnotify.exe (PID: 1456)
      • clvhost.exe (PID: 1152)
      • sipnotify.exe (PID: 644)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 3028)
      • sipnotify.exe (PID: 1520)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2436)
      • clvhost.exe (PID: 2884)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 3692)
      • clvhost.exe (PID: 3132)
      • sipnotify.exe (PID: 1456)
      • clvhost.exe (PID: 1152)
      • sipnotify.exe (PID: 644)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 3028)
      • sipnotify.exe (PID: 1520)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2884)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 3692)
    • Reads settings of System Certificates

      • clvhost.exe (PID: 3132)
      • clvhost.exe (PID: 1152)
      • sipnotify.exe (PID: 1456)
      • sipnotify.exe (PID: 644)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 3028)
      • sipnotify.exe (PID: 1520)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2884)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 1456)
      • ctfmon.exe (PID: 1696)
      • ctfmon.exe (PID: 1968)
      • sipnotify.exe (PID: 644)
      • sipnotify.exe (PID: 1520)
      • ctfmon.exe (PID: 1512)
    • Application launched itself

      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 704)
    • Reads security settings of Internet Explorer

      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 704)
    • Searches for installed software

      • clvhost.exe (PID: 3028)
      • clvhost.exe (PID: 2884)
  • INFO

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3692)
      • clvhost.exe (PID: 3132)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 704)
    • Reads the software policy settings

      • msiexec.exe (PID: 3692)
      • clvhost.exe (PID: 3132)
      • clvhost.exe (PID: 1152)
      • sipnotify.exe (PID: 1456)
      • clvhost.exe (PID: 2068)
      • sipnotify.exe (PID: 644)
      • clvhost.exe (PID: 3028)
      • sipnotify.exe (PID: 1520)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2884)
    • Create files in a temporary directory

      • msiexec.exe (PID: 3692)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3692)
      • sipnotify.exe (PID: 1456)
      • sipnotify.exe (PID: 644)
      • sipnotify.exe (PID: 1520)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3692)
    • Checks supported languages

      • clvhost.exe (PID: 3132)
      • IMEKLMG.EXE (PID: 316)
      • IMEKLMG.EXE (PID: 384)
      • clvhost.exe (PID: 1152)
      • wmpnscfg.exe (PID: 2464)
      • wmpnscfg.exe (PID: 2484)
      • IMEKLMG.EXE (PID: 712)
      • clvhost.exe (PID: 2068)
      • IMEKLMG.EXE (PID: 2056)
      • wmpnscfg.exe (PID: 2524)
      • wmpnscfg.exe (PID: 2612)
      • wmpnscfg.exe (PID: 2568)
      • clvhost.exe (PID: 2788)
      • clvhost.exe (PID: 3000)
      • clvhost.exe (PID: 3008)
      • clvhost.exe (PID: 2796)
      • clvhost.exe (PID: 3028)
      • clvhost.exe (PID: 3044)
      • IMEKLMG.EXE (PID: 2028)
      • IMEKLMG.EXE (PID: 360)
      • clvhost.exe (PID: 704)
      • wmpnscfg.exe (PID: 2524)
      • wmpnscfg.exe (PID: 2572)
      • clvhost.exe (PID: 2436)
      • clvhost.exe (PID: 2448)
      • clvhost.exe (PID: 2848)
      • clvhost.exe (PID: 2860)
      • clvhost.exe (PID: 2892)
      • clvhost.exe (PID: 2884)
    • Reads the computer name

      • clvhost.exe (PID: 3132)
      • IMEKLMG.EXE (PID: 316)
      • clvhost.exe (PID: 1152)
      • IMEKLMG.EXE (PID: 384)
      • wmpnscfg.exe (PID: 2464)
      • wmpnscfg.exe (PID: 2484)
      • IMEKLMG.EXE (PID: 712)
      • IMEKLMG.EXE (PID: 2056)
      • clvhost.exe (PID: 2068)
      • wmpnscfg.exe (PID: 2524)
      • wmpnscfg.exe (PID: 2568)
      • wmpnscfg.exe (PID: 2612)
      • clvhost.exe (PID: 2788)
      • clvhost.exe (PID: 2796)
      • clvhost.exe (PID: 3028)
      • clvhost.exe (PID: 3044)
      • IMEKLMG.EXE (PID: 2028)
      • IMEKLMG.EXE (PID: 360)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2436)
      • clvhost.exe (PID: 2448)
      • wmpnscfg.exe (PID: 2524)
      • wmpnscfg.exe (PID: 2572)
      • clvhost.exe (PID: 2884)
      • clvhost.exe (PID: 2892)
    • Reads the machine GUID from the registry

      • clvhost.exe (PID: 3132)
      • clvhost.exe (PID: 1152)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 2796)
      • clvhost.exe (PID: 2788)
      • clvhost.exe (PID: 3044)
      • clvhost.exe (PID: 3028)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2436)
      • clvhost.exe (PID: 2448)
      • clvhost.exe (PID: 2884)
      • clvhost.exe (PID: 2892)
    • Application launched itself

      • msedge.exe (PID: 1504)
    • Creates files in the program directory

      • clvhost.exe (PID: 3132)
      • clvhost.exe (PID: 1152)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 2796)
      • clvhost.exe (PID: 2788)
      • clvhost.exe (PID: 3028)
      • clvhost.exe (PID: 3044)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2884)
      • clvhost.exe (PID: 2892)
      • clvhost.exe (PID: 2436)
      • clvhost.exe (PID: 2448)
    • Reads Environment values

      • clvhost.exe (PID: 3132)
      • clvhost.exe (PID: 1152)
      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 2788)
      • clvhost.exe (PID: 3028)
      • clvhost.exe (PID: 704)
      • clvhost.exe (PID: 2436)
      • clvhost.exe (PID: 2884)
    • Manual execution by a user

      • IMEKLMG.EXE (PID: 316)
      • IMEKLMG.EXE (PID: 384)
      • clvhost.exe (PID: 1152)
      • wmpnscfg.exe (PID: 2484)
      • wmpnscfg.exe (PID: 2464)
      • IMEKLMG.EXE (PID: 712)
      • IMEKLMG.EXE (PID: 2056)
      • clvhost.exe (PID: 2068)
      • wmpnscfg.exe (PID: 2524)
      • wmpnscfg.exe (PID: 2568)
      • wmpnscfg.exe (PID: 2612)
      • IMEKLMG.EXE (PID: 2028)
      • IMEKLMG.EXE (PID: 360)
      • clvhost.exe (PID: 704)
      • wmpnscfg.exe (PID: 2524)
      • wmpnscfg.exe (PID: 2572)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 316)
      • IMEKLMG.EXE (PID: 384)
      • IMEKLMG.EXE (PID: 712)
      • IMEKLMG.EXE (PID: 2056)
      • IMEKLMG.EXE (PID: 2028)
      • IMEKLMG.EXE (PID: 360)
    • Reads Microsoft Office registry keys

      • clvhost.exe (PID: 2068)
      • clvhost.exe (PID: 704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: CleverControl
Author: CLEVERCONTROL LLC
Keywords: Installer
Comments: This installer database contains the logic and data required to install CleverControl.
RevisionNumber: {A26F0AD5-77D6-4EC8-A4D8-406932AF2259}
CreateDate: 2024:03:06 11:40:36
ModifyDate: 2024:03:06 11:40:36
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Template: Intel;1033,1049,1025,1036,1031,1040,1041,1042,2070,2052,1055,1034
LastModifiedBy: Intel;1049
Characters: -
No data.
All screenshots are available in the full report
Total processes
253
Monitored processes
57
Malicious processes
10
Suspicious processes
1

Behavior graph

start msiexec.exe vssvc.exe no specs clvhost.exe cmd.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs sipnotify.exe ctfmon.exe no specs imeklmg.exe no specs imeklmg.exe no specs clvhost.exe wmpnscfg.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs ctfmon.exe no specs sipnotify.exe imeklmg.exe no specs imeklmg.exe no specs clvhost.exe wmpnscfg.exe no specs wmpnscfg.exe no specs clvhost.exe no specs clvhost.exe no specs clvhost.exe no specs clvhost.exe no specs clvhost.exe clvhost.exe no specs ctfmon.exe no specs sipnotify.exe imeklmg.exe no specs imeklmg.exe no specs clvhost.exe clvhost.exe clvhost.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs clvhost.exe no specs clvhost.exe no specs clvhost.exe clvhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 316
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office IME 2010
Exit code:
1
Version:
14.0.4734.1000
Modules
Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
PID: 360
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office IME 2010
Exit code:
1
Version:
14.0.4734.1000
Modules
Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
PID: 384
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office IME 2010
Exit code:
1
Version:
14.0.4734.1000
Modules
Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
PID: 392
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1264 --field-trial-handle=1388,i,5021524946539024416,14532862308356489667,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 572
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6bb3f598,0x6bb3f5a8,0x6bb3f5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 644
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 704
CMD: "C:\ProgramData\{FO16FA1A-AA91-C56A-654F-E3865DA10DAT}\clvhost.exe"
Path: C:\ProgramData\{FO16FA1A-AA91-C56A-654F-E3865DA10DAT}\clvhost.exe
Parent process: explorer.exe
User:
admin
Company:
CLEVERCONTROL LLC
Integrity Level:
MEDIUM
Description:
clvhost
Exit code:
1073807364
Version:
11.5.1035.5
Modules
Images
c:\programdata\{fo16fa1a-aa91-c56a-654f-e3865da10dat}\clvhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 712
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office IME 2010
Exit code:
1
Version:
14.0.4734.1000
Modules
Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
PID: 968
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1388,i,5021524946539024416,14532862308356489667,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1152
CMD: "C:\ProgramData\{FO16FA1A-AA91-C56A-654F-E3865DA10DAT}\clvhost.exe"
Path: C:\ProgramData\{FO16FA1A-AA91-C56A-654F-E3865DA10DAT}\clvhost.exe
Parent process: explorer.exe
User:
admin
Company:
CLEVERCONTROL LLC
Integrity Level:
MEDIUM
Description:
clvhost
Exit code:
1073807364
Version:
11.5.1035.5
Modules
Images
c:\programdata\{fo16fa1a-aa91-c56a-654f-e3865da10dat}\clvhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
71 644
Read events
70 920
Write events
486
Delete events
238

Modification events

(PID) Process: (3692) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3692) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
Operation: delete value
Name: 7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32
Value:
(PID) Process: (3692) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\7A2146EDB29E2EAD64AFBE7CEAD0B6085D437A32
Operation: write
Name: Blob
Value:
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000001C58BA524472DA01740900005C0B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000001C58BA524472DA0174090000B8020000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000001C58BA524472DA017409000088070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
40000000000000001C58BA524472DA0174090000A0080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
400000000000000076BABC524472DA0174090000A0080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
400000000000000076BABC524472DA0174090000B8020000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process: (2420) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Leave)
Value:
400000000000000076BABC524472DA017409000088070000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files
7
Suspicious files
160
Text files
84
Unknown types
153

Dropped files

PID
Process
Filename
Type
PID: 3692
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
Type: der
MD5: E94FB54871208C00DF70F708AC47085B
SHA256: 7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
PID: 3692
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: 753DF6889FD7410A2E9FE333DA83A429
SHA256: B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
PID: 1504
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF185e57.TMP
Type:
MD5:
SHA256:
PID: 1504
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
Type:
MD5:
SHA256:
PID: 3692
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
Type: binary
MD5: 5A2A438B152D6564875366F0DFE4652C
SHA256: 426CC5F4B8F49D80EA8BDAE754EF9CC51512E4903C56D750B4FD9AD96F785402
PID: 572
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma
Type: binary
MD5: 886E82F2CA62ECCCE64601B30592078A
SHA256: E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
PID: 1504
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF185e57.TMP
Type:
MD5:
SHA256:
PID: 1504
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
Type:
MD5:
SHA256:
PID: 3692
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\CabFD9A.tmp
Type: compressed
MD5: 753DF6889FD7410A2E9FE333DA83A429
SHA256: B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
PID: 1504
Process: msedge.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF185e96.TMP
Type:
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
64
DNS requests
56
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3692
msiexec.exe
GET
200
151.101.66.133:80
http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt
unknown
binary
1.73 Kb
unknown
3692
msiexec.exe
GET
200
151.101.66.133:80
http://secure.globalsign.com/cacert/codesigningrootr45.crt
unknown
binary
1.37 Kb
unknown
3692
msiexec.exe
GET
200
2.19.126.163:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0ccd5e715b3eca47
unknown
compressed
67.5 Kb
unknown
3052
msedge.exe
GET
301
158.69.117.119:80
http://dashboard.clevercontrol.com/login?email=oskarmart8@gmail.com
unknown
html
169 b
unknown
1456
sipnotify.exe
HEAD
200
23.192.244.236:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133544777534370000
unknown
unknown
644
sipnotify.exe
HEAD
200
23.197.138.118:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133544777871870000
unknown
unknown
1520
sipnotify.exe
HEAD
200
104.102.39.173:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133544778221250000
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
3692
msiexec.exe
151.101.66.133:80
secure.globalsign.com
FASTLY
US
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
3692
msiexec.exe
2.19.126.163:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1636
curl.exe
193.17.93.93:443
cdn.cdndownload.net
EdgeCenter LLC
RU
unknown
2348
curl.exe
193.17.93.93:443
cdn.cdndownload.net
EdgeCenter LLC
RU
unknown
2640
rundll32.exe
158.69.117.119:443
dashboard.clevercontrol.com
OVH SAS
CA
unknown
3052
msedge.exe
158.69.117.119:80
dashboard.clevercontrol.com
OVH SAS
CA
unknown

DNS requests

Domain
IP
Reputation
secure.globalsign.com
  • 151.101.66.133
  • 151.101.194.133
  • 151.101.2.133
  • 151.101.130.133
whitelisted
ctldl.windowsupdate.com
  • 2.19.126.163
  • 2.19.126.137
whitelisted
cdn.cdndownload.net
  • 193.17.93.93
unknown
dashboard.clevercontrol.com
  • 158.69.117.119
unknown
config.edge.skype.com
  • 52.123.243.73
  • 52.123.243.77
  • 52.123.243.81
  • 52.123.243.92
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
www.googletagmanager.com
  • 172.217.18.8
whitelisted
datasec24.com
  • 192.99.143.111
unknown
www.gstatic.com
  • 172.217.18.3
whitelisted
www.googleadservices.com
  • 142.250.186.98
whitelisted

Threats

No threats detected
No debug info