File name: Minesweeper.exe

Full analysis: https://app.any.run/tasks/7caf55b9-37a1-4ae7-b096-c0ca2167c96c
Verdict: Malicious activity
Analysis date: June 25, 2025, 16:34:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 9C45D38B74634C9DED60BEC640C5C3CA
SHA1: 79D03B17CE9E7FF9595253A402EFB856B0888EA0
SHA256: BCFF89311D792F6428468E813AC6929A346A979F907071C302F418D128EAAF41
SSDEEP: 3072:2YgJesFiglPZ1yxyvZcMO/6T4nIB5B3s:A5FplxAAZcR/6TkIN8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 7016)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Minesweeper.exe (PID: 3540)
    • Starts a Microsoft application from unusual location

      • Minesweeper.exe (PID: 3540)
    • Reads security settings of Internet Explorer

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
    • Application launched itself

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Searches for installed software

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Checks for external IP

      • CCleaner64.exe (PID: 6524)
    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 7016)
  • INFO

    • The sample compiled with english language support

      • Minesweeper.exe (PID: 3540)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the software policy settings

      • slui.exe (PID: 6384)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the computer name

      • Minesweeper.exe (PID: 3540)
      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Checks supported languages

      • Minesweeper.exe (PID: 3540)
      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Checks proxy server information

      • slui.exe (PID: 6384)
      • CCleaner64.exe (PID: 6524)
    • Manual execution by a user

      • CCleaner64.exe (PID: 4112)
    • Reads Environment values

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
    • Reads CPU info

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the machine GUID from the registry

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads product name

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Creates files or folders in the user directory

      • CCleaner64.exe (PID: 6524)
    • Launching a file from a Registry key

      • CCleaner64.exe (PID: 7016)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:17 20:54:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 15360
InitializedDataSize: 105984
UninitializedDataSize: -
EntryPoint: 0x3e21
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2600.0
ProductVersionNumber: 5.1.2600.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Entertainment Pack Minesweeper Game
FileVersion: 5.1.2600.0 (xpclient.010817-1148)
InternalName: winmine
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WINMINE.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.0
No data.
Total processes: 142
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start; minesweeper.exe (no specs); slui.exe; ccleaner64.exe (no specs); ccleaner64.exe; ccleaner64.exe

Process information

PID: 3540
CMD: "C:\Users\admin\AppData\Local\Temp\Minesweeper.exe"
Path: C:\Users\admin\AppData\Local\Temp\Minesweeper.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Entertainment Pack Minesweeper Game
Version: 5.1.2600.0 (xpclient.010817-1148)

PID: 4112
CMD: "C:\Program Files\CCleaner\CCleaner64.exe"
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: explorer.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: MEDIUM
Description: CCleaner
Exit code: 0
Version: 6.20.0.10897

PID: 6384
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 6524
CMD: "C:\Program Files\CCleaner\CCleaner64.exe" /uac
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: CCleaner64.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: HIGH
Description: CCleaner
Version: 6.20.0.10897

PID: 7016
CMD: "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: CCleaner64.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: HIGH
Description: CCleaner
Version: 6.20.0.10897
Total events: 17 373
Read events: 17 220
Write events: 101
Delete events: 52

Modification events

(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Difficulty, Value: 0
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Height, Value: 9
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Width, Value: 9
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Mines, Value: 10
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Mark, Value: 1
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: AlreadyPlayed, Value: 1
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Color, Value: 1
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Sound, Value: 0
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Xpos, Value: 80
(PID) Process: (3540) Minesweeper.exe, Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine
Operation: write, Name: Ypos, Value: 80
Executable files: 4
Suspicious files: 9
Text files: 2
Unknown types: 5

Dropped files

HTTP(S) requests: 13
TCP/UDP connections: 37
DNS requests: 26
Threats: 4

HTTP requests


Connections


DNS requests


Threats

  • Unknown Traffic: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
  • svchost.exe (PID: 2200), Misc activity: ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
  • CCleaner64.exe (PID: 6524), Misc activity: ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
  • Potential Corporate Privacy Violation: ET INFO External IP Lookup (avast .com)
Process | Message
CCleaner64.exe | [2025-06-25 16:36:33.416] [error ] [settings ] [ 6524: 3476] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2025-06-25 16:36:33.416] [error ] [ini_access ] [ 6524: 3476] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe | OnLanguage - en
CCleaner64.exe | [2025-06-25 16:36:33.885] [error ] [settings ] [ 6524: 6764] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2025-06-25 16:36:33.900] [error ] [Burger ] [ 6524: 6764] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | [2025-06-25 16:36:33.900] [error ] [Burger ] [ 6524: 6764] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe | file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe | startCheckingLicense()