File name: Minesweeper.exe

Full analysis: https://app.any.run/tasks/7caf55b9-37a1-4ae7-b096-c0ca2167c96c
Verdict: Malicious activity
Analysis date: June 25, 2025, 16:34:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 9C45D38B74634C9DED60BEC640C5C3CA
SHA1: 79D03B17CE9E7FF9595253A402EFB856B0888EA0
SHA256: BCFF89311D792F6428468E813AC6929A346A979F907071C302F418D128EAAF41
SSDEEP: 3072:2YgJesFiglPZ1yxyvZcMO/6T4nIB5B3s:A5FplxAAZcR/6TkIN8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 7016)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Minesweeper.exe (PID: 3540)
    • Starts a Microsoft application from unusual location

      • Minesweeper.exe (PID: 3540)
    • Reads security settings of Internet Explorer

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
    • Application launched itself

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Searches for installed software

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Checks for external IP

      • CCleaner64.exe (PID: 6524)
    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 7016)
  • INFO

    • The sample compiled with english language support

      • Minesweeper.exe (PID: 3540)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the computer name

      • Minesweeper.exe (PID: 3540)
      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Checks supported languages

      • Minesweeper.exe (PID: 3540)
      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Checks proxy server information

      • slui.exe (PID: 6384)
      • CCleaner64.exe (PID: 6524)
    • Reads the software policy settings

      • slui.exe (PID: 6384)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Manual execution by a user

      • CCleaner64.exe (PID: 4112)
    • Reads Environment values

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 4112)
      • CCleaner64.exe (PID: 6524)
    • Reads CPU info

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads product name

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Reads the machine GUID from the registry

      • CCleaner64.exe (PID: 6524)
      • CCleaner64.exe (PID: 7016)
    • Launching a file from a Registry key

      • CCleaner64.exe (PID: 7016)
    • Creates files or folders in the user directory

      • CCleaner64.exe (PID: 6524)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:17 20:54:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7
CodeSize: 15360
InitializedDataSize: 105984
UninitializedDataSize: -
EntryPoint: 0x3e21
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2600.0
ProductVersionNumber: 5.1.2600.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Entertainment Pack Minesweeper Game
FileVersion: 5.1.2600.0 (xpclient.010817-1148)
InternalName: winmine
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WINMINE.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.0
No data.
Total processes: 142
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes: start, minesweeper.exe (no specs), slui.exe, ccleaner64.exe (no specs), ccleaner64.exe, ccleaner64.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3540
CMD: "C:\Users\admin\AppData\Local\Temp\Minesweeper.exe"
Path: C:\Users\admin\AppData\Local\Temp\Minesweeper.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Entertainment Pack Minesweeper Game
Version: 5.1.2600.0 (xpclient.010817-1148)
Modules
Images
c:\users\admin\appdata\local\temp\minesweeper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4112
CMD: "C:\Program Files\CCleaner\CCleaner64.exe"
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: explorer.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: MEDIUM
Description: CCleaner
Exit code: 0
Version: 6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 6384
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6524
CMD: "C:\Program Files\CCleaner\CCleaner64.exe" /uac
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: CCleaner64.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: HIGH
Description: CCleaner
Version: 6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 7016
CMD: "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: CCleaner64.exe
User: admin
Company: Piriform Software Ltd
Integrity Level: HIGH
Description: CCleaner
Version: 6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 17 373
Read events: 17 220
Write events: 101
Delete events: 52

Modification events

PID | Process | Key | Operation | Name | Value
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Difficulty | 0
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Height | 9
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Width | 9
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Mines | 10
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Mark | 1
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | AlreadyPlayed | 1
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Color | 1
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Sound | 0
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Xpos | 80
3540 | Minesweeper.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\winmine | write | Ypos | 80
Executable files: 4
Suspicious files: 9
Text files: 2
Unknown types: 5

Dropped files

PID
Process
Filename
Type
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\ccupdate637_free[1].exe
MD5:
SHA256:
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Program Files\CCleaner\temp_ccupdate\ccupdate637_free.exe
MD5:
SHA256:
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Program Files\CCleaner\gcapi_dll.dll | Type: executable
MD5:F17F96322F8741FE86699963A1812897
SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGT5CQF58NKGEE5GMHT0.temp | Type: binary
MD5:7B2BDA41EB1C10A36E0753A1A9A25B43
SHA256:CB97D1765899D83E4E6655A64CF8783298FE3FFB890E34E1708B911419DF35F0
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_AFB3BE9383420FBAFF24AD413EEA555E | Type: binary
MD5:76440C307CEC232EC69EB981F45DA15B
SHA256:EF50F9BDECBCBB9C4A52468E1078DB215FE409773839950FC2635BF3A8DA0397
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | Type: der
MD5:C22301B5245B697AA0D960E7D3A2D560
SHA256:8E63BB9D833DDFF90DB225799A6B20821540B2A10AB3764EE07767259765DA0E
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | Type: binary
MD5:FBCD733D0AA14946558471AA23534F37
SHA256:9F3F660F5086E70C13B6E3AA003FE78EB112FD76412EED5401B584331DC95139
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Program Files\CCleaner\gcapi_17508693936524.dll | Type: executable
MD5:F17F96322F8741FE86699963A1812897
SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms | Type: binary
MD5:7B2BDA41EB1C10A36E0753A1A9A25B43
SHA256:CB97D1765899D83E4E6655A64CF8783298FE3FFB890E34E1708B911419DF35F0
PID: 6524 | Process: CCleaner64.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | Type: der
MD5:43D7CF0C8E5E6569815F1D4ED7627201
SHA256:DE003CA1699592A36F100EFF3AED04B168AF437930DB667FAA579F2C1E0C39A1
HTTP(S) requests: 13
TCP/UDP connections: 37
DNS requests: 26
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
2612 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
2692 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 420 b | whitelisted
2692 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 408 b | whitelisted
2940 | svchost.exe | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | ID | binary | 734 b | whitelisted
6524 | CCleaner64.exe | GET | 200 | 23.50.131.88:80 | http://ncc.avast.com/ncc.txt | DE | - | 26 b | whitelisted
6524 | CCleaner64.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAXfj0A2M0oL7zuU%2F%2F2jetU%3D | DE | binary | 471 b | whitelisted
6524 | CCleaner64.exe | GET | 200 | 142.250.185.163:80 | http://c.pki.goog/r/r1.crl | US | - | 993 b | whitelisted
7016 | CCleaner64.exe | GET | 200 | 23.50.131.88:80 | http://ncc.avast.com/ncc.txt | DE | - | 26 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3936 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2612 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2612 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
login.live.com | 20.190.160.132, 20.190.160.17, 40.126.32.76, 20.190.160.2, 20.190.160.67, 40.126.32.74, 20.190.160.3, 20.190.160.128 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.48 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200 | svchost.exe | Misc activity | ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
6524 | CCleaner64.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
- | - | Potential Corporate Privacy Violation | ET INFO External IP Lookup (avast .com)
Process | Message
CCleaner64.exe | [2025-06-25 16:36:33.416] [error ] [settings ] [ 6524: 3476] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2025-06-25 16:36:33.416] [error ] [ini_access ] [ 6524: 3476] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe | Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe | OnLanguage - en
CCleaner64.exe | [2025-06-25 16:36:33.885] [error ] [settings ] [ 6524: 6764] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe | [2025-06-25 16:36:33.900] [error ] [Burger ] [ 6524: 6764] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | [2025-06-25 16:36:33.900] [error ] [Burger ] [ 6524: 6764] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe | file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe | file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe | startCheckingLicense()