File name: brainrot.bat

Full analysis: https://app.any.run/tasks/b3d1d652-cfe5-4198-b14d-5edc40efa175
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 23, 2025, 14:04:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
evasion
auto-reg
loader
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text
MD5: 552F258D079637F467F1ACE689BBBFB9
SHA1: 5D88CB5111A76F82520964AB7CB79A8766F8F244
SHA256: CFBACD9DB5432307629B7C45475D6AEB664EC460E4E12B2A2DFB4B568B903AF0
SSDEEP: 24:gjMGYpTTQOhlo5/JtDSMCIWxJzlb4ajOcOQvH/cHIa7MGQPv:zx9TQclo97PWjRJtgtlo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 8732)
      • CCUpdate.exe (PID: 7776)
    • Scans artifacts that could help determine the target

      • OfficeC2RClient.exe (PID: 8608)
      • IntegratedOffice.exe (PID: 8972)
      • OfficeC2RClient.exe (PID: 9116)
      • IntegratedOffice.exe (PID: 8520)
      • Integrator.exe (PID: 12240)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6948)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6876)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6948)
    • Changes the desktop background image

      • reg.exe (PID: 3100)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6948)
    • Imports DLL using pinvoke

      • powershell.exe (PID: 5284)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4884)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6948)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 4884)
      • uninst.exe (PID: 7656)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • Un_A.exe (PID: 8008)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
      • CCleaner64.exe (PID: 8732)
      • uninstall.exe (PID: 9856)
      • Un_A.exe (PID: 10068)
    • Reads security settings of Internet Explorer

      • AdobeCollabSync.exe (PID: 5600)
      • Eula.exe (PID: 6236)
      • AdobeCollabSync.exe (PID: 436)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 8052)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • IntegratedOffice.exe (PID: 8520)
      • OfficeC2RClient.exe (PID: 8680)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeClickToRun.exe (PID: 9044)
      • OfficeC2RClient.exe (PID: 8608)
      • IntegratedOffice.exe (PID: 8972)
      • OfficeC2RClient.exe (PID: 9116)
      • officesvcmgr.exe (PID: 8844)
      • culauncher.exe (PID: 9784)
      • CCleaner64.exe (PID: 8732)
      • iediagcmd.exe (PID: 9536)
      • filezilla.exe (PID: 9796)
      • Integrator.exe (PID: 12240)
      • msiexec.exe (PID: 10652)
    • Application launched itself

      • AdobeCollabSync.exe (PID: 5600)
      • Acrobat.exe (PID: 7792)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 8052)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • setup.exe (PID: 10092)
      • msiexec.exe (PID: 8444)
    • Reads Microsoft Outlook installation path

      • Eula.exe (PID: 6236)
    • Reads Internet Explorer settings

      • Eula.exe (PID: 6236)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 8732)
      • iediagcmd.exe (PID: 9536)
    • Executes application which crashes

      • adobe_licensing_wf_helper_acro.exe (PID: 1160)
      • chrome_pwa_launcher.exe (PID: 10048)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 8052)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
    • Starts itself from another location

      • uninst.exe (PID: 7656)
      • uninstall.exe (PID: 9856)
    • Checks for external IP

      • CCUpdate.exe (PID: 7776)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 8008)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 8008)
    • Searches for installed software

      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 9116)
      • CCleaner64.exe (PID: 8752)
      • CCleaner64.exe (PID: 8732)
      • CCleaner64.exe (PID: 5928)
      • CCleaner64.exe (PID: 10324)
    • Process drops legitimate windows executable

      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
    • Checks for Java to be installed

      • ssvagent.exe (PID: 10300)
      • jucheck.exe (PID: 10948)
      • javaw.exe (PID: 10204)
    • Reads Mozilla Firefox installation path

      • ssvagent.exe (PID: 10300)
      • javaw.exe (PID: 10204)
    • Creates/Modifies COM task schedule object

      • ssvagent.exe (PID: 10300)
      • msiexec.exe (PID: 8444)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8444)
    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 8732)
    • The process executes via Task Scheduler

      • CCleaner.exe (PID: 11132)
    • Process uses IPCONFIG to discover network configuration

      • iediagcmd.exe (PID: 9536)
    • Uses ROUTE.EXE to obtain the routing table information

      • iediagcmd.exe (PID: 9536)
    • Suspicious use of NETSH.EXE

      • iediagcmd.exe (PID: 9536)
    • Disables SEHOP

      • msiexec.exe (PID: 8444)
    • Executes as Windows Service

      • armsvc.exe (PID: 3836)
    • Changes default file association

      • msiexec.exe (PID: 8444)
    • Changes Internet Explorer settings (feature browser emulation)

      • msiexec.exe (PID: 8444)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6876)
      • netsh.exe (PID: 13260)
    • Checks proxy server information

      • powershell.exe (PID: 6876)
      • AdobeCollabSync.exe (PID: 5600)
      • Eula.exe (PID: 6236)
      • AdobeCollabSync.exe (PID: 436)
      • msiexec.exe (PID: 7876)
      • IntegratedOffice.exe (PID: 8520)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeClickToRun.exe (PID: 8744)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeC2RClient.exe (PID: 9116)
      • OfficeClickToRun.exe (PID: 9044)
      • IntegratedOffice.exe (PID: 8972)
      • officesvcmgr.exe (PID: 8844)
      • OfficeC2RClient.exe (PID: 8680)
      • iediagcmd.exe (PID: 9536)
      • WerFault.exe (PID: 7688)
      • WerFault.exe (PID: 8772)
      • Integrator.exe (PID: 12240)
      • dxdiag.exe (PID: 10508)
      • slui.exe (PID: 7384)
    • Checks supported languages

      • csc.exe (PID: 4884)
      • cvtres.exe (PID: 3556)
      • AcrobatInfo.exe (PID: 6648)
      • acrobat_sl.exe (PID: 5188)
      • AcroTextExtractor.exe (PID: 3460)
      • AcroBroker.exe (PID: 3740)
      • ADelRCP.exe (PID: 2400)
      • AcroCEF.exe (PID: 3488)
      • ADNotificationManager.exe (PID: 5628)
      • CRWindowsClientService.exe (PID: 4400)
      • SingleClientServicesUpdater.exe (PID: 856)
      • Eula.exe (PID: 6236)
      • AdobeCollabSync.exe (PID: 436)
      • adobe_licensing_wf_acro.exe (PID: 1180)
      • SingleClientServicesUpdater.exe (PID: 4724)
      • AdobeCollabSync.exe (PID: 5600)
      • adobe_licensing_wf_helper_acro.exe (PID: 1160)
      • CRLogTransport.exe (PID: 2976)
      • WCChromeNativeMessagingHost.exe (PID: 1212)
      • 32BitMAPIBroker.exe (PID: 3112)
      • 64BitMAPIBroker.exe (PID: 7460)
      • MSRMSPIBroker.exe (PID: 7540)
      • Acrobat.exe (PID: 7792)
      • FullTrustNotifier.exe (PID: 7596)
      • CCleanerBugReport.exe (PID: 8116)
      • Acrobat.exe (PID: 7916)
      • CCleaner.exe (PID: 7816)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 8052)
      • CCleanerReactivator.exe (PID: 8164)
      • CCleanerPerformanceOptimizerService.exe (PID: 8144)
      • CCUpdate.exe (PID: 7776)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • uninst.exe (PID: 7656)
      • Un_A.exe (PID: 8008)
      • wa_3rd_party_host_64.exe (PID: 7640)
      • setup.exe (PID: 8076)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • Setup.exe (PID: 8240)
      • update.exe (PID: 8256)
      • IntegratedOffice.exe (PID: 8520)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
      • appvcleaner.exe (PID: 8484)
      • AppVShNotify.exe (PID: 8496)
      • MavInject32.exe (PID: 8628)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 8680)
      • msiexec.exe (PID: 8444)
      • CCleaner64.exe (PID: 8752)
      • InspectorOfficeGadget.exe (PID: 8504)
      • CCleaner64.exe (PID: 8732)
      • MavInject32.exe (PID: 9008)
      • OfficeClickToRun.exe (PID: 8744)
      • appvcleaner.exe (PID: 8884)
      • AppVShNotify.exe (PID: 8940)
      • update.exe (PID: 9000)
      • IMESharePointDictionary.exe (PID: 9100)
      • OfficeC2RClient.exe (PID: 9036)
      • IntegratedOffice.exe (PID: 8972)
      • ShapeCollector.exe (PID: 8296)
      • InputPersonalization.exe (PID: 7724)
      • officesvcmgr.exe (PID: 8844)
      • ShapeCollector.exe (PID: 9268)
      • OfficeClickToRun.exe (PID: 9044)
      • officesvcmgr.exe (PID: 9052)
      • InspectorOfficeGadget.exe (PID: 8948)
      • OfficeC2RClient.exe (PID: 9116)
      • mip.exe (PID: 7704)
      • TabTip.exe (PID: 9688)
      • culauncher.exe (PID: 9784)
      • LICLUA.EXE (PID: 9760)
      • msinfo32.exe (PID: 9728)
      • VSTOInstaller.exe (PID: 9772)
      • uninstall.exe (PID: 9856)
      • filezilla.exe (PID: 9796)
      • chrome_pwa_launcher.exe (PID: 10048)
      • InputPersonalization.exe (PID: 10140)
      • fzsftp.exe (PID: 9820)
      • elevated_tracing_service.exe (PID: 10120)
      • fzstorj.exe (PID: 9832)
      • fzputtygen.exe (PID: 9804)
      • elevation_service.exe (PID: 9204)
      • chrome_proxy.exe (PID: 10036)
      • Un_A.exe (PID: 10068)
      • os_update_handler.exe (PID: 9712)
      • ExtExport.exe (PID: 10232)
      • setup.exe (PID: 10092)
      • setup.exe (PID: 10016)
      • ieinstal.exe (PID: 10144)
      • notification_helper.exe (PID: 9660)
      • javaw.exe (PID: 10200)
      • jp2launcher.exe (PID: 10460)
      • java-rmi.exe (PID: 3820)
      • ielowutil.exe (PID: 3932)
      • javacpl.exe (PID: 9040)
      • javaws.exe (PID: 9440)
      • jabswitch.exe (PID: 1356)
      • iediagcmd.exe (PID: 9536)
      • policytool.exe (PID: 10860)
      • pack200.exe (PID: 10852)
      • orbd.exe (PID: 10844)
      • kinit.exe (PID: 10812)
      • keytool.exe (PID: 10656)
      • ssvagent.exe (PID: 10300)
      • java.exe (PID: 6420)
      • jjs.exe (PID: 8788)
      • ktab.exe (PID: 10836)
      • klist.exe (PID: 10828)
      • rmiregistry.exe (PID: 10880)
      • rmid.exe (PID: 10872)
      • servertool.exe (PID: 11240)
      • unpack200.exe (PID: 10224)
      • tnameserv.exe (PID: 8984)
      • OSPPREARM.EXE (PID: 8584)
      • AppVDllSurrogate32.exe (PID: 11612)
      • AppVLP.exe (PID: 12100)
      • AppVDllSurrogate.exe (PID: 11272)
      • AppVDllSurrogate64.exe (PID: 11784)
      • msiexec.exe (PID: 11468)
      • javaw.exe (PID: 10204)
      • jucheck.exe (PID: 10948)
      • msiexec.exe (PID: 11612)
      • CCleaner64.exe (PID: 5400)
      • msiexec.exe (PID: 10280)
      • Integrator.exe (PID: 12240)
      • CCleaner.exe (PID: 11132)
      • CCleaner64.exe (PID: 5928)
      • identity_helper.exe (PID: 12576)
      • msiexec.exe (PID: 10652)
      • MSIB4EA.tmp (PID: 10536)
      • makecab.exe (PID: 12852)
      • armsvc.exe (PID: 3836)
      • SingleClientServicesUpdater.exe (PID: 12508)
      • msiexec.exe (PID: 12948)
      • CCleaner64.exe (PID: 10324)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 4884)
      • AdobeCollabSync.exe (PID: 436)
      • CCUpdate.exe (PID: 7776)
      • CCleanerBugReport.exe (PID: 8116)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • appvcleaner.exe (PID: 8484)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
      • InspectorOfficeGadget.exe (PID: 8504)
      • CCleaner64.exe (PID: 8732)
      • appvcleaner.exe (PID: 8884)
      • CCleaner64.exe (PID: 8752)
      • IntegratedOffice.exe (PID: 8520)
      • InspectorOfficeGadget.exe (PID: 8948)
      • IntegratedOffice.exe (PID: 8972)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeClickToRun.exe (PID: 9044)
      • officesvcmgr.exe (PID: 8844)
      • culauncher.exe (PID: 9784)
      • VSTOInstaller.exe (PID: 9772)
      • javaw.exe (PID: 10204)
      • rmiregistry.exe (PID: 10880)
      • orbd.exe (PID: 10844)
      • tnameserv.exe (PID: 8984)
      • rmid.exe (PID: 10872)
      • Integrator.exe (PID: 12240)
      • CCleaner64.exe (PID: 5928)
      • iediagcmd.exe (PID: 9536)
      • CCleaner64.exe (PID: 10324)
    • Create files in a temporary directory

      • csc.exe (PID: 4884)
      • cvtres.exe (PID: 3556)
      • uninst.exe (PID: 7656)
      • Un_A.exe (PID: 8008)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeC2RClient.exe (PID: 9116)
      • OfficeC2RClient.exe (PID: 8680)
      • OfficeClickToRun.exe (PID: 8744)
      • uninstall.exe (PID: 9856)
      • Un_A.exe (PID: 10068)
      • IntegratedOffice.exe (PID: 8520)
      • javaw.exe (PID: 10200)
      • IntegratedOffice.exe (PID: 8972)
      • OfficeClickToRun.exe (PID: 9044)
      • javaw.exe (PID: 10204)
      • java.exe (PID: 6420)
      • jjs.exe (PID: 8788)
      • policytool.exe (PID: 10860)
      • ktab.exe (PID: 10836)
      • pack200.exe (PID: 10852)
      • java-rmi.exe (PID: 3820)
      • rmid.exe (PID: 10872)
      • rmiregistry.exe (PID: 10880)
      • orbd.exe (PID: 10844)
      • keytool.exe (PID: 10656)
      • kinit.exe (PID: 10812)
      • klist.exe (PID: 10828)
      • servertool.exe (PID: 11240)
      • tnameserv.exe (PID: 8984)
      • jucheck.exe (PID: 10948)
      • Integrator.exe (PID: 12240)
      • dxdiag.exe (PID: 10508)
      • iediagcmd.exe (PID: 9536)
      • makecab.exe (PID: 12852)
    • Reads the computer name

      • AcroBroker.exe (PID: 3740)
      • AdobeCollabSync.exe (PID: 5600)
      • AdobeCollabSync.exe (PID: 436)
      • Eula.exe (PID: 6236)
      • FullTrustNotifier.exe (PID: 7596)
      • Acrobat.exe (PID: 7792)
      • Acrobat.exe (PID: 7916)
      • CCleaner.exe (PID: 7816)
      • CCleaner64.exe (PID: 8052)
      • CCleaner64.exe (PID: 8072)
      • CCleanerBugReport.exe (PID: 8116)
      • CCUpdate.exe (PID: 7776)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • CCleanerPerformanceOptimizerService.exe (PID: 8144)
      • Un_A.exe (PID: 8008)
      • setup.exe (PID: 8076)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • Setup.exe (PID: 8240)
      • update.exe (PID: 8256)
      • msiexec.exe (PID: 8444)
      • AppVShNotify.exe (PID: 8496)
      • IntegratedOffice.exe (PID: 8520)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 8680)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
      • CCleaner64.exe (PID: 8732)
      • CCleaner64.exe (PID: 8752)
      • InspectorOfficeGadget.exe (PID: 8504)
      • OfficeClickToRun.exe (PID: 8744)
      • update.exe (PID: 9000)
      • InputPersonalization.exe (PID: 7724)
      • AppVShNotify.exe (PID: 8940)
      • ShapeCollector.exe (PID: 8296)
      • OfficeClickToRun.exe (PID: 9044)
      • IntegratedOffice.exe (PID: 8972)
      • officesvcmgr.exe (PID: 8844)
      • mip.exe (PID: 7704)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeC2RClient.exe (PID: 9116)
      • officesvcmgr.exe (PID: 9052)
      • ShapeCollector.exe (PID: 9268)
      • InspectorOfficeGadget.exe (PID: 8948)
      • LICLUA.EXE (PID: 9760)
      • msinfo32.exe (PID: 9728)
      • VSTOInstaller.exe (PID: 9772)
      • culauncher.exe (PID: 9784)
      • InputPersonalization.exe (PID: 10140)
      • elevated_tracing_service.exe (PID: 10120)
      • Un_A.exe (PID: 10068)
      • elevation_service.exe (PID: 9204)
      • filezilla.exe (PID: 9796)
      • setup.exe (PID: 10092)
      • iediagcmd.exe (PID: 9536)
      • javaw.exe (PID: 10204)
      • rmiregistry.exe (PID: 10880)
      • rmid.exe (PID: 10872)
      • servertool.exe (PID: 11240)
      • tnameserv.exe (PID: 8984)
      • orbd.exe (PID: 10844)
      • OSPPREARM.EXE (PID: 8584)
      • policytool.exe (PID: 10860)
      • AppVLP.exe (PID: 12100)
      • msiexec.exe (PID: 11468)
      • jucheck.exe (PID: 10948)
      • Integrator.exe (PID: 12240)
      • msiexec.exe (PID: 11612)
      • CCleaner64.exe (PID: 5400)
      • msiexec.exe (PID: 10280)
      • CCleaner.exe (PID: 11132)
      • CCleaner64.exe (PID: 5928)
      • identity_helper.exe (PID: 12576)
      • msiexec.exe (PID: 10652)
      • MSIB4EA.tmp (PID: 10536)
      • msiexec.exe (PID: 12948)
      • armsvc.exe (PID: 3836)
      • CCleaner64.exe (PID: 10324)
    • Application launched itself

      • Acrobat.exe (PID: 4476)
      • Acrobat.exe (PID: 3112)
      • AcroCEF.exe (PID: 3572)
      • chrome.exe (PID: 10128)
      • chrome.exe (PID: 10024)
      • chrmstp.exe (PID: 9892)
      • chrome.exe (PID: 10160)
      • chrome.exe (PID: 10120)
      • msedge.exe (PID: 10664)
    • Creates files or folders in the user directory

      • AdobeCollabSync.exe (PID: 436)
      • msiexec.exe (PID: 7876)
      • filezilla.exe (PID: 9796)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeClickToRun.exe (PID: 9044)
      • officesvcmgr.exe (PID: 8844)
      • javaw.exe (PID: 10204)
      • IntegratedOffice.exe (PID: 8520)
      • OfficeC2RClient.exe (PID: 8608)
      • WerFault.exe (PID: 7688)
      • WerFault.exe (PID: 8772)
      • InputPersonalization.exe (PID: 7724)
      • Integrator.exe (PID: 12240)
      • dxdiag.exe (PID: 10508)
      • iediagcmd.exe (PID: 9536)
      • OfficeC2RClient.exe (PID: 9116)
    • Reads Environment values

      • CCleaner.exe (PID: 7816)
      • CCleaner64.exe (PID: 8052)
      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 8752)
      • culauncher.exe (PID: 9784)
      • CCleaner64.exe (PID: 8732)
      • IntegratedOffice.exe (PID: 8520)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 9116)
      • IntegratedOffice.exe (PID: 8972)
      • OSPPREARM.EXE (PID: 8584)
      • msiexec.exe (PID: 11612)
      • CCleaner64.exe (PID: 5400)
      • CCleaner.exe (PID: 11132)
      • CCleaner64.exe (PID: 5928)
      • identity_helper.exe (PID: 12576)
      • Integrator.exe (PID: 12240)
      • CCleaner64.exe (PID: 10324)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 8072)
      • CCleaner64.exe (PID: 8052)
      • CCleaner64.exe (PID: 7892)
      • IntegratedOffice.exe (PID: 8520)
      • CCleaner64.exe (PID: 7792)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 8680)
      • IntegratedOffice.exe (PID: 8972)
      • OfficeClickToRun.exe (PID: 9044)
      • OfficeC2RClient.exe (PID: 9116)
      • OfficeC2RClient.exe (PID: 9036)
      • Integrator.exe (PID: 12240)
    • Reads CPU info

      • CCleanerBugReport.exe (PID: 8116)
      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 8752)
      • CCleaner64.exe (PID: 8732)
      • Integrator.exe (PID: 12240)
      • CCleaner64.exe (PID: 5928)
      • CCleaner64.exe (PID: 10324)
    • Reads the software policy settings

      • CCUpdate.exe (PID: 7776)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • msiexec.exe (PID: 7876)
      • IntegratedOffice.exe (PID: 8520)
      • IntegratedOffice.exe (PID: 8972)
      • OfficeClickToRun.exe (PID: 9044)
      • OfficeC2RClient.exe (PID: 9036)
      • CCleaner64.exe (PID: 8752)
      • officesvcmgr.exe (PID: 8844)
      • culauncher.exe (PID: 9784)
      • CCleaner64.exe (PID: 8732)
      • WerFault.exe (PID: 7688)
      • dxdiag.exe (PID: 10508)
      • WerFault.exe (PID: 8772)
      • Integrator.exe (PID: 12240)
      • CCleaner64.exe (PID: 5928)
      • iediagcmd.exe (PID: 9536)
      • CCleaner64.exe (PID: 10324)
      • slui.exe (PID: 7384)
    • The sample compiled with english language support

      • uninst.exe (PID: 7656)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8168)
      • WindowsInstaller-KB893803-v2-x86.exe (PID: 8452)
      • CCleaner64.exe (PID: 8732)
      • uninstall.exe (PID: 9856)
      • msiexec.exe (PID: 7876)
      • msiexec.exe (PID: 8444)
      • msiexec.exe (PID: 10652)
    • Reads product name

      • CCleaner64.exe (PID: 7792)
      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 8732)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 7892)
      • CCleaner64.exe (PID: 7792)
      • CCUpdate.exe (PID: 7776)
      • CCleaner64.exe (PID: 8732)
      • javaw.exe (PID: 10200)
      • SingleClientServicesUpdater.exe (PID: 12508)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7876)
      • dxdiag.exe (PID: 10508)
      • netsh.exe (PID: 6420)
    • Reads Microsoft Office registry keys

      • IntegratedOffice.exe (PID: 8520)
      • OfficeClickToRun.exe (PID: 8744)
      • OfficeC2RClient.exe (PID: 8608)
      • OfficeC2RClient.exe (PID: 8680)
      • OfficeC2RClient.exe (PID: 9036)
      • OfficeClickToRun.exe (PID: 9044)
      • OfficeC2RClient.exe (PID: 9116)
      • IntegratedOffice.exe (PID: 8972)
      • officesvcmgr.exe (PID: 8844)
      • officesvcmgr.exe (PID: 9052)
      • AppVLP.exe (PID: 12100)
      • Integrator.exe (PID: 12240)
    • Launching a file from a Registry key

      • CCleaner64.exe (PID: 8732)
      • CCUpdate.exe (PID: 7776)
    • FileZilla executable

      • cmd.exe (PID: 6948)
      • uninstall.exe (PID: 9856)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7876)
      • msiexec.exe (PID: 8444)
      • msiexec.exe (PID: 10652)
    • Manual execution by a user

      • CCleaner64.exe (PID: 5400)
      • ccupdate637_free.exe (PID: 11988)
    • Prints a route via ROUTE.EXE

      • ROUTE.EXE (PID: 13196)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 8444)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 8444)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 441
Monitored processes: 289
Malicious processes: 17
Suspicious processes: 10

Behavior graph

Interactive process tree, not reproduced here. The node labels begin, in the order the report lists them, with: cmd.exe, conhost.exe, powershell.exe, reg.exe, reg.exe, powershell.exe, csc.exe, cvtres.exe, timeout.exe, followed by the Acrobat, CCleaner, Windows Installer, Office Click-to-Run, FileZilla, Chrome, Edge, Java and msiexec process families (many nodes marked "no specs"). The full graph is available in the full report.

Process information

PID: 304
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Parent process: Acrobat.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 436
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" --type=collab-renderer --proc=5600
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Parent process: AdobeCollabSync.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Acrobat Collaboration Synchronizer 23.1
Exit code: 0
Version: 23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\adobecollabsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID:
856
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe"
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Parent process:
cmd.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe WebInstaller 23.1
Exit code:
21
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef\singleclientservicesupdater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1036
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1636,i,9616329388690712125,8650463191164118700,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process:
AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1100
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=4344,i,10028209989747064442,17165656487277096358,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1160
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe"
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Parent process:
cmd.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
Adobe Licensing WF Helper
Exit code:
3228369022
Version:
1.6.0.4
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_helper_acro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1180
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe"
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Parent process:
cmd.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
Adobe Licensing WF
Version:
1.6.0.4
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\ngl\cefworkflow\adobe_licensing_wf_acro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID:
1204
CMD:
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
1212
CMD:
"C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
Path:
C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Parent process:
cmd.exe
User:
admin
Company:
Adobe Systems Inc.
Integrity Level:
MEDIUM
Description:
Adobe Create PDF plug-in listener for Chrome
Exit code:
0
Version:
23.1.20064.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\browser\wcchromeextn\wcchromenativemessaginghost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
1356
CMD:
"C:\Program Files\Java\jre1.8.0_271\bin\jabswitch.exe"
Path:
C:\Program Files\Java\jre1.8.0_271\bin\jabswitch.exe
Parent process:
cmd.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\jabswitch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
235 442
Read events
229 530
Write events
5 646
Delete events
266

Modification events

(PID) Process:
(3100) reg.exe
Key:
HKEY_CURRENT_USER\Control Panel\Desktop
Operation:
write
Name:
WallpaperStyle
Value:
2
(PID) Process:
(1204) reg.exe
Key:
HKEY_CURRENT_USER\Control Panel\Desktop
Operation:
write
Name:
TileWallpaper
Value:
0
(PID) Process:
(4476) Acrobat.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:
write
Name:
DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:
(3112) Acrobat.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:
write
Name:
DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:
(304) Acrobat.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:
write
Name:
bLastExitNormal
Value:
0
(PID) Process:
(3540) Acrobat.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:
write
Name:
iSLExitTimeHighPart
Value:
31194074
(PID) Process:
(3540) Acrobat.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:
write
Name:
iSLExitTimeLowPart
Value:
(PID) Process:
(3112) Acrobat.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\Privileged
Operation:
write
Name:
bProtectedMode
Value:
1
(PID) Process:
(2400) ADelRCP.exe
Key:
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/pdf
Operation:
write
Name:
CLSID
Value:
{CA8A9780-280D-11CF-A24D-444553540000}
(PID) Process:
(2400) ADelRCP.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:
write
Name:
GlobalAssocChangedCounter
Value:
19
Executable files
133
Suspicious files
770
Text files
1 582
Unknown types
166

Dropped files

PID
Process
Filename
Type
6876
powershell.exe
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vnpcj4gi.lrj.psm1
text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6876
powershell.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
binary
MD5:44F96AB430401DFD8D413FA7B1CE7AE1
SHA256:2F064F25A25423CA6D46FE4BAFB050AAC799CFAED5BB38273885B4FF13F9A6C2
5284
powershell.exe
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_01zdse0e.rc0.psm1
text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5284
powershell.exe
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3z0x1vxo.4ll.ps1
text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4884
csc.exe
C:\Users\admin\AppData\Local\Temp\CSC608CAB8415624D38A5467E1140626021.TMP
res
MD5:2897B34A6CB3A19F214C150074420EE5
SHA256:2B2ADD33F803BAB4D8211D10F3758408AA9D8F1220F5DF2907F485E5E15AEFFD
3572
AcroCEF.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\MANIFEST-000001
binary
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
3572
AcroCEF.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index
binary
MD5:54CB446F628B2EA4A5BCE5769910512E
SHA256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
3572
AcroCEF.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\000001.dbtmp
text
MD5:46295CAC801E5D4857D09837238A6394
SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
3572
AcroCEF.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index
binary
MD5:54CB446F628B2EA4A5BCE5769910512E
SHA256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
3572
AcroCEF.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\CURRENT
text
MD5:46295CAC801E5D4857D09837238A6394
SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
HTTP(S) requests
228
TCP/UDP connections
167
DNS requests
110
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3572
RUXIMICS.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3572
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.159.131:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
GET
200
140.82.121.4:443
https://raw.githubusercontent.com/Suppy-spec/Image-hosting-/main/tung.jpeg
unknown
image
56.3 Kb
whitelisted
POST
400
40.126.32.138:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
200
40.126.32.138:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
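Three rows of this report carry the behaviour a responder actually cares about: the two reg.exe children of cmd.exe that rewrite WallpaperStyle and TileWallpaper under HKEY_CURRENT_USER\Control Panel\Desktop (Process information and Modification events), the __PSScriptPolicyTest_* files written by powershell.exe PIDs 6876 and 5284 (Dropped files), and the GET for tung.jpeg from raw.githubusercontent.com (HTTP requests, not attributed to a PID in the table). The __PSScriptPolicyTest_*.ps1/.psm1 files deserve a caveat: PowerShell writes them to %TEMP% on start-up to check whether AppLocker is enforcing script rules, their content is a fixed comment (hence the identical MD5 on all three rows), and they prove only that powershell.exe ran, not that the batch file dropped anything. The Python below is an added triage example, not code from ANY.RUN or from the sample. The event records are constructed to mirror the rows above; the PowerShell command line in them is an assumption, since the report does not reproduce what brainrot.bat passed to powershell.exe, and the function names are ours.

```python
"""Triage rules for the artefacts in this report (added example, not ANY.RUN code)."""
import re
from urllib.parse import urlparse

# Constructed sample events modelled on the report's process list, Modification
# events, Dropped files and HTTP requests tables. Not a verbatim export: the
# PowerShell command line is an assumption (the report does not show it).
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1204, "parent": "cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f'},
    {"kind": "process", "pid": 3100, "parent": "cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'},
    {"kind": "process", "pid": 6876, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command <assumed download command>"},
    {"kind": "file", "pid": 6876, "process": "powershell.exe",
     "path": r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vnpcj4gi.lrj.psm1"},
    {"kind": "file", "pid": 5284, "process": "powershell.exe",
     "path": r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3z0x1vxo.4ll.ps1"},
    {"kind": "file", "pid": 4884, "process": "csc.exe",
     "path": r"C:\Users\admin\AppData\Local\Temp\CSC608CAB8415624D38A5467E1140626021.TMP"},
    {"kind": "http", "pid": None, "method": "GET", "status": 200,
     "url": "https://raw.githubusercontent.com/Suppy-spec/Image-hosting-/main/tung.jpeg"},
    {"kind": "http", "pid": 1268, "method": "GET", "status": 200,
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
]

# `reg add <key> ...`, tolerating a quoted or full-path reg.exe and a quoted key.
REG_ADD_RE = re.compile(
    r'^\s*"?(?:\S*\\)?reg(?:\.exe)?"?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$',
    re.IGNORECASE)
# `/v <name>`; `/ve` (the default value) deliberately does not match.
VALUE_RE = re.compile(r'/v\s+(?:"(?P<qv>[^"]+)"|(?P<v>\S+))', re.IGNORECASE)
# Files PowerShell writes on start-up to test AppLocker script enforcement.
PS_PROBE_RE = re.compile(r'\\__PSScriptPolicyTest_[^\\]+\.psm?1$', re.IGNORECASE)
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
WALLPAPER_KEY = r"hkey_current_user\control panel\desktop"
WALLPAPER_VALUES = {"wallpaper", "wallpaperstyle", "tilewallpaper"}


def parse_reg_add(cmdline):
    """Return (key, value_name) for a `reg add` command line, or None if it is not one."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    key = m.group("qkey") or m.group("key")
    vm = VALUE_RE.search(m.group("rest"))
    value = (vm.group("qv") or vm.group("v")) if vm else ""
    return key, value


def normalize_key(key):
    """Expand hive abbreviations and lower-case, so HKCU\\... and HKEY_CURRENT_USER\\... compare equal."""
    hive, sep, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + sep + rest).lower()


def is_wallpaper_rewrite(event):
    """reg.exe writing Wallpaper/WallpaperStyle/TileWallpaper under HKCU\\Control Panel\\Desktop."""
    if event["kind"] != "process" or not event["image"].lower().endswith("reg.exe"):
        return False
    parsed = parse_reg_add(event["cmdline"])
    if parsed is None:
        return False
    key, value = parsed
    return normalize_key(key) == WALLPAPER_KEY and value.lower() in WALLPAPER_VALUES


def is_raw_github_fetch(event):
    """HTTP fetch from raw.githubusercontent.com, the staging host seen in the report."""
    if event["kind"] != "http":
        return False
    return (urlparse(event["url"]).hostname or "").lower() == "raw.githubusercontent.com"


def is_ps_policy_probe(event):
    """__PSScriptPolicyTest_*.ps1/.psm1: evidence that powershell.exe started, not a dropped payload."""
    return event["kind"] == "file" and PS_PROBE_RE.search(event["path"]) is not None


def triage(events):
    """Bucket events into the findings a responder would pull from this report."""
    out = {"wallpaper_rewrite": [], "github_raw_fetch": [], "powershell_pids": set(), "dropped": []}
    for ev in events:
        if is_wallpaper_rewrite(ev):
            out["wallpaper_rewrite"].append((ev["pid"], parse_reg_add(ev["cmdline"])[1]))
        elif is_raw_github_fetch(ev):
            out["github_raw_fetch"].append(ev["url"])
        elif is_ps_policy_probe(ev):
            out["powershell_pids"].add(ev["pid"])   # probe file => that PID ran PowerShell
        elif ev["kind"] == "file":
            out["dropped"].append(ev["path"])       # everything else is a real drop
    out["powershell_pids"] = sorted(out["powershell_pids"])
    return out


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On live endpoints the same three checks map onto Sysmon event ID 1 (process creation, which carries the reg.exe command line and its cmd.exe parent), event ID 11 (file creation, for the probe files) and event ID 13 or a proxy log for the registry write and the GitHub fetch respectively; the key normalisation matters because `reg add HKCU\...` and `reg add HKEY_CURRENT_USER\...` are the same write and a rule keyed on one spelling misses the other.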

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
3572
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1268
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3572
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.14
  • 23.216.77.5
  • 23.216.77.8
  • 23.216.77.7
  • 23.216.77.21
  • 23.216.77.39
  • 23.216.77.28
  • 23.216.77.26
  • 23.216.77.25
  • 23.216.77.32
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.44.239.154
  • 4.231.128.59
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.72
  • 40.126.32.138
  • 20.190.160.2
  • 20.190.160.3
  • 20.190.160.130
  • 20.190.160.5
  • 20.190.160.66
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted
ip-info.ff.avast.com
  • 34.111.175.102
whitelisted
ncc.avast.com
  • 23.50.131.77
  • 23.50.131.88
  • 2.16.168.106
  • 2.16.168.113
whitelisted
emupdate.avcdn.net
  • 23.50.131.89
  • 23.50.131.76
whitelisted
ccleaner.tools.avcdn.net
  • 23.50.131.74
  • 23.50.131.72
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2200
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
2200
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
7776
CCUpdate.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
7792
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
7892
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
Potential Corporate Privacy Violation
ET INFO External IP Lookup (avast .com)
Debug output strings

Process
Message
FullTrustNotifier.exe
FullTrustNotifier
FullTrustNotifier.exe
FN NewNotifcationHasArrived from UWP
FullTrustNotifier.exe
FN ConnectToAppService create the async task
FullTrustNotifier.exe
FN ConnectToAppServiceAsync
FullTrustNotifier.exe
ConnectToAppServiceAsync AppNotInstalled
FullTrustNotifier.exe
FullTrustNotifier Exit