File name:	CCcleaner.zip
Full analysis:	https://app.any.run/tasks/8fd920a0-f2e5-4335-83f1-2e80006e35a0
Verdict:	Malicious activity
Analysis date:	November 21, 2023, 08:07:43
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	619601435755A37E712CF52706AD0383
SHA1:	6FD9C3C14B7263E85A60A37F5C5A339877053B5A
SHA256:	80B33A175007E37759BC6F1AD34F8C88AAFD45DC03FE452168DB85FFEC490809
SSDEEP:	98304:hZTdsDCPt9SY/Xs37pzyzL3O2ikjRFUbVDQhEiMtYDnFQ3kmvRlP2pOFyOFeqFb2:VU0B4vccv5tHHZQ44

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2023:11:15 01:53:30
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	CCleaner/


(PID) Process:	(384) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000014001F50
(PID) Process:	(4928) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 003C050012F8FE6A437AD701
(PID) Process:	(384) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010008000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C00000019000000000000004100630072006F0062006100740020005200650061006400650072002000440043002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C00000001000000000000000200010000000000000000000100000000000000020001000000000000000000110000000600000001000000080000000000000000000000000000000000000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F0700
(PID) Process:	(384) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(384) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010009000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C00000019000000000000004100630072006F0062006100740020005200650061006400650072002000440043002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C00000011000000000000004300430063006C00650061006E00650072002E007A00690070003E0020002000000001000000000000000200010000000000000000000100000000000000020001000000000000000000110000000600000001000000090000000000000000000000000000000000000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F07000000803F000000400800
(PID) Process:	(384) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: AA70CD6400000000
(PID) Process:	(4928) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\SpybotAntiBeaconPortable-safer-networking.org_3.7.0.paf.zip
(PID) Process:	(4928) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.cab
(PID) Process:	(4928) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\MicrosoftEdgePolicyTemplates.zip
(PID) Process:	(4928) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120

PID	Process	Filename		Type
4928	WinRAR.exe	C:\Users\admin\AppData\Roaming\WinRAR\version.dat		binary
		MD5:85BA0FB12F0CF5C5F68E6CF1EAEE5EA7	SHA256:96F70D47C20EC3BCBC04ABCBA99335BAE1242FD3769240823133758AAA7F806E
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\CCUpdate.exe		executable
		MD5:0F0B90A01F049665CA511335F9F0BF2E	SHA256:4AD9635351C8E8579C4D4C2BDD679EA7B135EC329ADC6FD5D8211255E2E666BE
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\DATA\usercfg.ini		text
		MD5:EC52E5578622921C96757BA318CC23FF	SHA256:4120751EF0A930E9BB9E9D259D465D6688625A975839797CA1C83360F54E9568
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\Lang\lang-1028.dll		executable
		MD5:FAA1750D34F09E1759AABBE07A58DDDC	SHA256:FEA0528A385FF6808CD344E1CF97E4103A8AD99FBFA23D7EB27E831C72F1A4F3
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\Lang\lang-1025.dll		executable
		MD5:5E2A85933677F7852FD56D19182A3C6C	SHA256:42BD1929BA2FD149AA2F00ABC50FCB8C52575AFC35A5B6EEAA0E38781997A1EA
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\Lang\lang-1027.dll		executable
		MD5:17F5CECE4737701CF57683C696547472	SHA256:E9E7E2CD174CD2CD4A309721F2FB2C68C19B6A9CA8376A572835DEBABE68D61E
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\Lang\lang-1032.dll		executable
		MD5:28EF01E2DE5B9B14BF2DBB44CD850148	SHA256:53AAC5F2CC2FB4B03A830F2ABDD8A3B1DE46B74C16FF50FDBF0CA9BD87AD9ECE
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\Lang\lang-1031.dll		executable
		MD5:10C2A4C289439EB4DD8987AC702EAAD1	SHA256:16100DB32B76A8497289F954D936324A58BAC3E27E17B63B6F747B79FDAB19A4
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\Lang\lang-1030.dll		executable
		MD5:25EB4CFCF5B59FDBAD7C22905D77E252	SHA256:50A2AC9AAAF89346EF729E6F4B47D7A334537051DE9B4BECD39E381A93CB7EB3
4928	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4928.7598\CCleaner\DATA\StateHistory\DUState 23-11-14 03-27-08.dat		binary
		MD5:04FE9694BCF371E67C7DCDFAADE644D9	SHA256:48D21A251C1E7723FD8925EE7187666398B1A8A820C12584F54B1DE1120B500E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1328	MoUsoCoreWorker.exe	GET	200	23.58.217.29:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	binary	814 b	unknown
1052	SIHClient.exe	GET	200	23.58.217.29:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	binary	418 b	unknown
1052	SIHClient.exe	GET	200	23.58.217.29:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	binary	409 b	unknown
5612	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D	unknown	binary	471 b	unknown
5612	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	313 b	unknown
4832	svchost.exe	GET	200	23.58.217.29:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	binary	814 b	unknown
1652	svchost.exe	GET	200	23.58.217.29:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	binary	814 b	unknown
2984	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	binary	471 b	unknown
2980	svchost.exe	GET	200	104.80.241.249:80	http://x1.c.lencr.org/	unknown	binary	717 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
3792	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1328	MoUsoCoreWorker.exe	23.58.217.29:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4832	svchost.exe	23.58.217.29:80	www.microsoft.com	AKAMAI-AS	DE	unknown
1652	svchost.exe	23.58.217.29:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1328	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2984	OfficeClickToRun.exe	20.189.173.13:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2984	OfficeClickToRun.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1052	SIHClient.exe	40.127.169.103:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
www.microsoft.com	23.58.217.29	whitelisted
self.events.data.microsoft.com	20.189.173.13	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
x1.c.lencr.org	104.80.241.249	whitelisted
hangdrums.fr	109.234.165.168	unknown
www.bing.com	204.79.197.200	whitelisted
r.bing.com	88.221.221.130 88.221.221.107	whitelisted
ecs.office.com	—	unknown

General Info

CCcleaner.zip

619601435755A37E712CF52706AD0383

6FD9C3C14B7263E85A60A37F5C5A339877053B5A

80B33A175007E37759BC6F1AD34F8C88AAFD45DC03FE452168DB85FFEC490809

98304:hZTdsDCPt9SY/Xs37pzyzL3O2ikjRFUbVDQhEiMtYDnFQ3kmvRlP2pOFyOFeqFb2:VU0B4vccv5tHHZQ44

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

SUSPICIOUS

Process drops legitimate windows executable

Executes application which crashes

Uses RUNDLL32.EXE to load library

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

Checks Windows Trust Settings

INFO

Checks supported languages

Checks proxy server information

Reads security settings of Internet Explorer

Manual execution by a user

Creates files or folders in the user directory

Reads the computer name

Reads the software policy settings

Process checks computer location settings

Process checks Internet Explorer phishing filters

Reads the machine GUID from the registry

Drops the executable file immediately after the start

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings