File name: Xenos64.exe
Full analysis: https://app.any.run/tasks/f2a9a816-aced-4d87-90e4-56136a4b200e
Verdict: Malicious activity
Analysis date: January 01, 2025, 02:33:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5: E2BE25EC1C860B98EA99A835CC981D28
SHA1: CD0498EF91CD6C7CE9EBF78B3EE43032D65DEEE2
SHA256: 922163713B973CF8C4AD80F16CF69305ED0CA319B314E7EC8AE1982ED5F2A9ED
SSDEEP: 24576:iSBsKAhjPTMl1xPiZvL9IyK4LEaDnmfSVgPCS3tMrMyj3F9hIF1SqY5cbaFY:iSBsvPTMlLqR6N4waDWSVE3tMx3FE1S+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 5300)
    • Application was injected by another process

      • RuntimeBroker.exe (PID: 4676)
      • dllhost.exe (PID: 1816)
      • svchost.exe (PID: 1260)
    • Runs injected code in another process

      • Xenos64.exe (PID: 6524)
  • SUSPICIOUS

    • Application launched itself

      • CCleaner64.exe (PID: 6156)
      • CCleaner64.exe (PID: 5712)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 6156)
      • CCleaner64.exe (PID: 5712)
    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Reads security settings of Internet Explorer

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
      • Xenos64.exe (PID: 6524)
      • CCleaner64.exe (PID: 6156)
    • Checks Windows Trust Settings

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Searches for installed software

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 5300)
    • Checks for external IP

      • CCleaner64.exe (PID: 5712)
    • Creates a file in the system drive root

      • Xenos64.exe (PID: 6524)
  • INFO

    • Manual execution by a user

      • CCleaner64.exe (PID: 6156)
      • msedge.exe (PID: 6900)
    • Checks supported languages

      • CCleaner64.exe (PID: 6156)
      • CCleaner64.exe (PID: 5712)
      • Xenos64.exe (PID: 6524)
      • CCleaner64.exe (PID: 5300)
      • identity_helper.exe (PID: 6772)
      • identity_helper.exe (PID: 2676)
    • Reads the computer name

      • CCleaner64.exe (PID: 5712)
      • Xenos64.exe (PID: 6524)
      • CCleaner64.exe (PID: 5300)
      • identity_helper.exe (PID: 6772)
      • identity_helper.exe (PID: 2676)
      • CCleaner64.exe (PID: 6156)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Sends debugging messages

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Reads the machine GUID from the registry

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Reads Environment values

      • Xenos64.exe (PID: 6524)
      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
      • identity_helper.exe (PID: 6772)
      • identity_helper.exe (PID: 2676)
      • CCleaner64.exe (PID: 6156)
    • Reads the software policy settings

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Reads CPU info

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 6156)
    • Checks proxy server information

      • CCleaner64.exe (PID: 5712)
    • Reads product name

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 5300)
    • The process uses the downloaded file

      • CCleaner64.exe (PID: 5712)
      • CCleaner64.exe (PID: 6156)
    • Creates files or folders in the user directory

      • CCleaner64.exe (PID: 5712)
    • The sample was compiled with English language support

      • CCleaner64.exe (PID: 5300)
      • CCleaner64.exe (PID: 5712)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6748)
    • Creates files in a temporary directory

      • Xenos64.exe (PID: 6524)
    • Application launched itself

      • msedge.exe (PID: 6900)
      • msedge.exe (PID: 6740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2018:05:21 11:01:08+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.14
CodeSize: 764416
InitializedDataSize: 645120
UninitializedDataSize: -
EntryPoint: 0x703fc
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.3.2.0
ProductVersionNumber: 2.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
FileDescription: PE injector
FileVersion: 2.3.2.0
InternalName: Xenos.exe
LegalCopyright: Copyright (C) 2017
OriginalFileName: Xenos.exe
ProductName: Xenos
ProductVersion: 2.3.2.0
No data.
All screenshots are available in the full report
Total processes: 177
Monitored processes: 49
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process tree shown in the graph (interactive in the full report): start, xenos64.exe, ccleaner64.exe (3 instances), rundll32.exe, Copy/Move/Rename/Delete/Link Object, msedge.exe (many instances), identity_helper.exe (4 instances), svchost.exe, dllhost.exe, runtimebroker.exe, xenos64.exe (second instance)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 432
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5736 --field-trial-handle=2428,i,1579006183227616352,1891919773220337670,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 880
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6616 --field-trial-handle=2428,i,1579006183227616352,1891919773220337670,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1200
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6872 --field-trial-handle=2428,i,1579006183227616352,1891919773220337670,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1216
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5032 --field-trial-handle=1480,i,3544524174285866025,7233037053392278424,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1260
CMD: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1344
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2460 --field-trial-handle=2428,i,1579006183227616352,1891919773220337670,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2532 --field-trial-handle=1480,i,3544524174285866025,7233037053392278424,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1804
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3708 --field-trial-handle=2428,i,1579006183227616352,1891919773220337670,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1816
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2084
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2228 --field-trial-handle=1480,i,3544524174285866025,7233037053392278424,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 29 843
Read events: 29 572
Write events: 195
Delete events: 76

Modification events

Process: (6524) Xenos64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xpr64
Operation: write
Name: Content Type
Value: Application/xml

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: write
Name: DAST
Value: 01/01/2025 02:33:38

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: write
Name: T8062
Value: 0

Process: (5712) CCleaner64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation: write
Name: SystemRestorePointCreationFrequency
Value: 0

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: CCleaner PostInstall
Value:

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: write
Name: FTU
Value: 06/02/2024|3|1

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: delete value
Name: GUID
Value:

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: delete value
Name: GD
Value:

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: delete value
Name: SetupGD
Value:

Process: (5712) CCleaner64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Piriform\CCleaner
Operation: write
Name: NumOfOutdatedDrivers
Value: 0
Executable files: 39
Suspicious files: 629
Text files: 140
Unknown types: 1

Dropped files

PID | Process | Filename | Type

5712 | CCleaner64.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms | binary
MD5: 2DF464783FE682B1BF7B9E977197E351
SHA256: 61DB56B90461B58D5E6F9042B8A5B1FD267CB72D70FCF8D27A7C25D7E5167ECA

5712 | CCleaner64.exe | C:\Program Files\CCleaner\gcapi_dll.dll | executable
MD5: F17F96322F8741FE86699963A1812897
SHA256: 8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB

5712 | CCleaner64.exe | C:\Program Files\CCleaner\gcapi_17356988185712.dll | executable
MD5: F17F96322F8741FE86699963A1812897
SHA256: 8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB

5712 | CCleaner64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
MD5: B4B4E80720B450F5F053401629F82708
SHA256: 2532D0EEE9993AE9813DDAAC6B9C1E3B9DBBC3FB43B188D61F0A5A73FB574C9D

5712 | CCleaner64.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms~RF13a6a3.TMP | binary
MD5: 715D03F2C851242AE02F082C92170337
SHA256: 52F9047E9A072554A68045FD0215B8484C2D6D758FEE82543FBAA7C7F7D163D9

5712 | CCleaner64.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D21GHYEDGUH2XTSB59QF.temp | binary
MD5: 2DF464783FE682B1BF7B9E977197E351
SHA256: 61DB56B90461B58D5E6F9042B8A5B1FD267CB72D70FCF8D27A7C25D7E5167ECA

6748 | dllhost.exe | C:\Program Files\CCleaner\CCleaner64.dll |
MD5:
SHA256:

5712 | CCleaner64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: E3BD8122AA85A0444EC3A0570CBE5690
SHA256: A111AF0F8A29E8144519D3D6A4C5D35CFA4915B448382FD49BBCFE11AF1D8510

5712 | CCleaner64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | binary
MD5: E935BC5762068CAF3E24A2683B1B8A88
SHA256: A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D

5712 | CCleaner64.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: 16612E2A26F6C92FCECF94F15B5B256C
SHA256: E955AF5DBD813551849F4B8465B91387BD93EDA6B1A51C7A9735DA951B454294
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 106
DNS requests: 106
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5892 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
5712 | CCleaner64.exe | GET | 200 | 2.16.168.113:80 | http://ncc.avast.com/ncc.txt | unknown | whitelisted
5712 | CCleaner64.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | whitelisted
5300 | CCleaner64.exe | GET | 200 | 2.16.168.113:80 | http://ncc.avast.com/ncc.txt | unknown | whitelisted
5712 | CCleaner64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
5712 | CCleaner64.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/r1.crl | unknown | whitelisted
5712 | CCleaner64.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAXfj0A2M0oL7zuU%2F%2F2jetU%3D | unknown | whitelisted
6612 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5892 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5064 | SearchApp.exe | 2.23.209.133:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.187
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.139
  • 2.23.209.130
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.67
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
ncc.avast.com
  • 2.16.168.113
  • 2.16.168.106
whitelisted
analytics.avcdn.net
  • 34.117.223.223
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
5712 | CCleaner64.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI

Process | Message
CCleaner64.exe | [2025-01-01 02:33:38.072] [error ] [settings ] [ 5712: 5720] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2025-01-01 02:33:38.072] [error ] [ini_access ] [ 5712: 5720] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe | OnLanguage - en
CCleaner64.exe | [2025-01-01 02:33:38.775] [error ] [settings ] [ 5712: 6504] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2025-01-01 02:33:38.791] [error ] [Burger ] [ 5712: 6504] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | [2025-01-01 02:33:38.791] [error ] [Burger ] [ 5712: 6504] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe | file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe | OnLanguage - en