File name:

TelamonCleaner_id677bd3e9e3c42og.exe

Full analysis: https://app.any.run/tasks/338764b1-e631-4bfa-88ee-e09dfe921c4e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 06, 2025, 13:01:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

6EC1A06F540545B98BF472A11689C189

SHA1:

B2F055AE3DA9995D1EDDF119723D1C3E05A8CB32

SHA256:

80E4ECD65805CBD008DFCE58E6A3499D0D612E3AD151189BA5C72D7317CE2363

SSDEEP:

98304:I+cD4dnj28w83Q+YfOYtOEiBLsmVkjJKQbVhm3AegYcoiLZsNR3POOYGKW+7JYP2:g7Vof2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • TelamonCleaner.exe (PID: 6920)

    • Actions looks like stealing of personal data

      • TelamonCleaner.exe (PID: 6232)

    • Steals credentials from Web Browsers

      • TelamonCleaner.exe (PID: 6232)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • TelamonCleaner_id677bd3e9e3c42og.exe (PID: 6692)
      • TelamonCleaner_id677bd3e9e3c42og.exe (PID: 6884)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • 7za.exe (PID: 6156)
      • downloader.exe (PID: 6712)
      • uninst.exe (PID: 716)
      • Un_A.exe (PID: 2736)

    • Reads security settings of Internet Explorer

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6740)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • TelamonCleaner.exe (PID: 6920)
      • downloader.exe (PID: 6712)
      • TelamonCleaner.exe (PID: 6232)
      • Un_A.exe (PID: 2736)

    • Starts CMD.EXE for commands execution

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • Un_A.exe (PID: 2736)
      • cmd.exe (PID: 6760)

    • Reads the Windows owner or organization settings

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)

    • The executable file from the user directory is run by the CMD process

      • tt-installer-helper.exe (PID: 4708)
      • tt-installer-helper.exe (PID: 6344)
      • tt-installer-helper.exe (PID: 5628)

    • Checks Windows Trust Settings

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • downloader.exe (PID: 6712)
      • Un_A.exe (PID: 2736)

    • Drops 7-zip archiver for unpacking

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)

    • Process drops legitimate windows executable

      • 7za.exe (PID: 6156)
      • downloader.exe (PID: 6712)

    • The process drops C-runtime libraries

      • 7za.exe (PID: 6156)

    • Creates a software uninstall entry

      • TelamonCleaner.exe (PID: 6920)

    • Adds/modifies Windows certificates

      • downloader.exe (PID: 6712)

    • Application launched itself

      • downloader.exe (PID: 6712)
      • cmd.exe (PID: 6760)

    • Process requests binary or script from the Internet

      • downloader.exe (PID: 6712)

    • Potential Corporate Privacy Violation

      • downloader.exe (PID: 6712)

    • Searches for installed software

      • TelamonCleaner.exe (PID: 6232)
      • Un_A.exe (PID: 2736)

    • Starts itself from another location

      • uninst.exe (PID: 716)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 2736)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 488)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 6200)
      • schtasks.exe (PID: 4984)
      • schtasks.exe (PID: 4076)

    • Lists all scheduled tasks in specific format

      • schtasks.exe (PID: 3864)

  • INFO

    • Checks supported languages

      • TelamonCleaner_id677bd3e9e3c42og.exe (PID: 6692)
      • TelamonCleaner_id677bd3e9e3c42og.exe (PID: 6884)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • tt-installer-helper.exe (PID: 6344)
      • tt-installer-helper.exe (PID: 4708)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6740)
      • 7za.exe (PID: 6156)
      • TelamonCleaner.exe (PID: 6920)
      • tt-installer-helper.exe (PID: 5628)
      • downloader.exe (PID: 6712)
      • downloader.exe (PID: 6376)
      • TelamonCleaner.exe (PID: 6232)
      • QtWebEngineProcess.exe (PID: 2216)
      • Un_A.exe (PID: 2736)
      • OfficeClickToRun.exe (PID: 6536)

    • Reads the computer name

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6740)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • tt-installer-helper.exe (PID: 4708)
      • 7za.exe (PID: 6156)
      • TelamonCleaner.exe (PID: 6920)
      • tt-installer-helper.exe (PID: 6344)
      • tt-installer-helper.exe (PID: 5628)
      • downloader.exe (PID: 6712)
      • TelamonCleaner.exe (PID: 6232)
      • OfficeClickToRun.exe (PID: 6536)
      • downloader.exe (PID: 6376)

    • Create files in a temporary directory

      • TelamonCleaner_id677bd3e9e3c42og.exe (PID: 6884)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • TelamonCleaner_id677bd3e9e3c42og.exe (PID: 6692)
      • downloader.exe (PID: 6712)
      • downloader.exe (PID: 6376)
      • Un_A.exe (PID: 2736)
      • uninst.exe (PID: 716)

    • Sends debugging messages

      • tt-installer-helper.exe (PID: 6344)
      • tt-installer-helper.exe (PID: 4708)
      • TelamonCleaner.exe (PID: 6920)
      • tt-installer-helper.exe (PID: 5628)
      • downloader.exe (PID: 6376)
      • TelamonCleaner.exe (PID: 6232)

    • Reads the software policy settings

      • tt-installer-helper.exe (PID: 6344)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • TelamonCleaner.exe (PID: 6920)
      • tt-installer-helper.exe (PID: 5628)
      • downloader.exe (PID: 6712)
      • TelamonCleaner.exe (PID: 6232)
      • Un_A.exe (PID: 2736)

    • Reads the machine GUID from the registry

      • tt-installer-helper.exe (PID: 4708)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • TelamonCleaner.exe (PID: 6920)
      • downloader.exe (PID: 6712)
      • TelamonCleaner.exe (PID: 6232)
      • Un_A.exe (PID: 2736)

    • Creates files or folders in the user directory

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • TelamonCleaner.exe (PID: 6920)
      • downloader.exe (PID: 6712)
      • TelamonCleaner.exe (PID: 6232)
      • OfficeClickToRun.exe (PID: 6536)

    • Checks proxy server information

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • downloader.exe (PID: 6712)
      • Un_A.exe (PID: 2736)
      • OfficeClickToRun.exe (PID: 6536)

    • Creates files in the program directory

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • 7za.exe (PID: 6156)
      • TelamonCleaner.exe (PID: 6920)
      • TelamonCleaner.exe (PID: 6232)

    • Process checks computer location settings

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6740)
      • QtWebEngineProcess.exe (PID: 2216)

    • The sample compiled with english language support

      • 7za.exe (PID: 6156)
      • downloader.exe (PID: 6712)
      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)
      • uninst.exe (PID: 716)
      • Un_A.exe (PID: 2736)

    • The sample compiled with russian language support

      • TelamonCleaner_id677bd3e9e3c42og.tmp (PID: 6928)

    • The process uses the downloaded file

      • TelamonCleaner.exe (PID: 6920)
      • TelamonCleaner.exe (PID: 6232)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • TelamonCleaner.exe (PID: 6232)

    • Reads Environment values

      • Un_A.exe (PID: 2736)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 6536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 175104
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.20.0
ProductVersionNumber: 2.0.20.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Zone ADS SIA
FileDescription: Telamon Cleaner Setup
FileVersion: 2.0.20.0
LegalCopyright:
OriginalFileName:
ProductName: Telamon Cleaner
ProductVersion: 2.0.20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
38
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start telamoncleaner_id677bd3e9e3c42og.exe telamoncleaner_id677bd3e9e3c42og.tmp no specs telamoncleaner_id677bd3e9e3c42og.exe telamoncleaner_id677bd3e9e3c42og.tmp cmd.exe no specs conhost.exe no specs tt-installer-helper.exe cmd.exe no specs conhost.exe no specs tt-installer-helper.exe 7za.exe conhost.exe no specs telamoncleaner.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tt-installer-helper.exe downloader.exe downloader.exe telamoncleaner.exe qtwebengineprocess.exe no specs uninst.exe un_a.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs schtasks.exe no specs findstr.exe no specs schtasks.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs ccupdate.exe no specs officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
488C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\schtasks /query /fo list | findstr /i CCleanerSkipUACC:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
716"C:\Program Files\CCleaner\uninst.exe"C:\Program Files\CCleaner\uninst.exe
TelamonCleaner.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner Installer
Exit code:
0
Version:
6.20.0.10897
Modules
Images
c:\program files\ccleaner\uninst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2216"C:\Program Files (x86)\Telamon Cleaner\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15737056833786772767 --renderer-client-id=3 --mojo-platform-channel-handle=2964 /prefetch:1C:\Program Files (x86)\Telamon Cleaner\QtWebEngineProcess.exeTelamonCleaner.exe
User:
admin
Company:
The Qt Company Ltd.
Integrity Level:
HIGH
Description:
Qt Qtwebengineprocess
Version:
5.14.0.0
Modules
Images
c:\program files (x86)\telamon cleaner\qtwebengineprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
2736"C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\CCleaner\C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
uninst.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner Installer
Exit code:
0
Version:
6.20.0.10897
Modules
Images
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2996"schtasks" /create /sc "onlogon" /tn "Telamon Cleaner" /tr "\"C:\Program Files (x86)\Telamon Cleaner\TelamonCleaner.exe\" --autorun" /rl "highest"C:\Windows\SysWOW64\schtasks.exeTelamonCleaner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3552\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3700\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3864C:\WINDOWS\system32\schtasks /query /fo list C:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3900findstr /i CCleanerSkipUACC:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4076C:\WINDOWS\system32\schtasks /delete /tn "CCleanerSkipUAC - admin" /fC:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
34 581
Read events
34 312
Write events
90
Delete events
179

Modification events

(PID) Process:(6928) TelamonCleaner_id677bd3e9e3c42og.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Telamon
Operation:writeName:lang
Value:
English
(PID) Process:(6928) TelamonCleaner_id677bd3e9e3c42og.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Telamon
Operation:writeName:installer_path
Value:
C:\Users\admin\AppData\Local\Temp\TelamonCleaner_id677bd3e9e3c42og.exe
(PID) Process:(4708) tt-installer-helper.exeKey:HKEY_CURRENT_USER\SOFTWARE\Telamon
Operation:writeName:installer_uid
Value:
731f789f-2276-4c86-8ae6-9f28126ebecb-dd2179199cf64a2387ec44eea70f9e9bb62dae27
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:Publisher
Value:
Telamon Tools
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:DisplayName
Value:
Telamon Cleaner
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:DisplayIcon
Value:
C:\Program Files (x86)\Telamon Cleaner\TelamonCleaner.exe
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:DisplayVersion
Value:
2.0.20
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:InstallLocation
Value:
C:\Program Files (x86)\Telamon Cleaner
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:InstallDate
Value:
20250106
(PID) Process:(6920) TelamonCleaner.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Telamon Cleaner
Operation:writeName:UninstallString
Value:
C:\Program Files (x86)\Telamon Cleaner\TelamonCleaner.exe --uninstall
Executable files
96
Suspicious files
43
Text files
130
Unknown types
0

Dropped files

PID
Process
Filename
Type
6928TelamonCleaner_id677bd3e9e3c42og.tmpC:\Users\admin\AppData\Local\Temp\is-QOQAM.tmp\tt-install.zip
MD5:
SHA256:
6928TelamonCleaner_id677bd3e9e3c42og.tmpC:\Users\admin\AppData\Local\Temp\is-QOQAM.tmp\tt-installer-helper.exeexecutable
MD5:0E9502A69B37FD064A44C134D0CEBA7A
SHA256:6985984B8C80E7A4139BBA1FE27F132E741F11FEE518902D3773BFE11BDD4E49
7148cmd.exeC:\Users\admin\AppData\Local\Temp\is-QOQAM.tmp\~execwithresult.txtbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
6928TelamonCleaner_id677bd3e9e3c42og.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF402E853FCA7D398021BC62A1D7C0Bbinary
MD5:DBA8A80EB240E26633580AC397524DFF
SHA256:8AFF68C3D0BD43E34B444FC9F0A53F6854DDD99787A734366474309760687563
61567za.exeC:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:5BF7AAFD1E8AB7B806DBA539A0B33474
SHA256:D9100E99B2B915623294E18377D162AFE9FD354BF0C4A7208F1270721714A553
61567za.exeC:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:A47A7084D4ED2FB6B9181075F91729A0
SHA256:9490C5938112242CADC2C676F82B60FDCC7E5F56CAA7AA2D2BA3A6ED358683D4
6928TelamonCleaner_id677bd3e9e3c42og.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF402E853FCA7D398021BC62A1D7C0Bbinary
MD5:8CC5914F916B042E609E410F8C6254A0
SHA256:6DC6C952141755C86B4D80F804D9442291B691A7BECC7F257D055313BFEFEFA7
6928TelamonCleaner_id677bd3e9e3c42og.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751binary
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
6928TelamonCleaner_id677bd3e9e3c42og.tmpC:\Users\admin\AppData\Local\Temp\is-QOQAM.tmp\7za.exeexecutable
MD5:DFD1CF824C781069DEF1D239A626D43E
SHA256:31FD52F8996986623CF52C3B4D0F7AC74A9DEC63FC16C902CEF673EED550C435
61567za.exeC:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:A960E117840ACB5FF1D2DCFBBE574E21
SHA256:5695695176A80A3E7F9EAC80BB3D92DF1A5592BE42B939B14087A3A6AE6EFADF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
387
DNS requests
49
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.16:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6928
TelamonCleaner_id677bd3e9e3c42og.tmp
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
6928
TelamonCleaner_id677bd3e9e3c42og.tmp
GET
200
95.101.54.114:80
http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgQ5bQGaaWxlFlpbhgA4K%2BJbKQ%3D%3D
unknown
whitelisted
6928
TelamonCleaner_id677bd3e9e3c42og.tmp
HEAD
301
5.189.239.208:80
http://update.telamoncleaner.com/update/v-2.0.20.zip
unknown
unknown
6928
TelamonCleaner_id677bd3e9e3c42og.tmp
GET
301
5.189.239.208:80
http://update.telamoncleaner.com/update/v-2.0.20.zip
unknown
unknown
4400
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4400
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3996
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.16:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
184.30.230.103:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.221
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.74.206
whitelisted
crl.microsoft.com
  • 2.16.164.16
  • 2.16.164.131
  • 2.16.164.98
  • 2.16.164.122
  • 2.16.164.17
  • 2.16.164.27
  • 2.16.164.97
  • 2.16.164.115
  • 2.16.164.33
whitelisted
www.microsoft.com
  • 184.30.230.103
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.140
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.17
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
config.telamoncleaner.com
  • 5.189.239.208
unknown
update.telamoncleaner.com
  • 5.189.239.208
unknown

Threats

PID
Process
Class
Message
6712
downloader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6712
downloader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6712
downloader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
tt-installer-helper.exe
[2025-01-06 13:01:50] M http.cpp:53 WinSock init ok, version 514
tt-installer-helper.exe
[2025-01-06 13:01:50] E regstorage.cpp:62 [RegStorage] get<std::wstring>() Cannot get size of string value: RegGetValue failed. 2
TelamonCleaner.exe
[2025-01-06 13:02:18] M log.cpp:93 Logging to C:\Program Files (x86)\Telamon Cleaner\logs\tt-cln-app-2025-01-06-13-02-18.log
TelamonCleaner.exe
[2025-01-06 13:02:18] M main.cpp:52 Version: 2.0.20
TelamonCleaner.exe
[2025-01-06 13:02:18] M app.cpp:545 Found installer_path: C:\Users\admin\AppData\Local\Temp\TelamonCleaner_id677bd3e9e3c42og.exe
TelamonCleaner.exe
[2025-01-06 13:02:18] M main.cpp:51 Start main: "C:\Program Files (x86)\Telamon Cleaner\TelamonCleaner.exe" --install --l=t thread id: 848 process id: 6920
TelamonCleaner.exe
[2025-01-06 13:02:18] M http.cpp:53 WinSock init ok, version 514
TelamonCleaner.exe
[2025-01-06 13:02:19] E regstorage.cpp:62 [RegStorage] get<std::wstring>() Cannot get size of string value: RegGetValue failed. 2
tt-installer-helper.exe
[2025-01-06 13:02:47] M http.cpp:53 WinSock init ok, version 514
downloader.exe
GetLoggedUserSid(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TelamonCleaner_id677bd3e9e3c42og.exe