| File name: | PC_Cleaner_setup.exe |
| Full analysis: | https://app.any.run/tasks/2a7c1bbe-1d81-472c-a114-b4e45ae56b0f |
| Verdict: | Malicious activity |
| Analysis date: | September 03, 2025, 17:20:59 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | DB4CB78D65D71424217AD2A227B30225 |
| SHA1: | E606CA8CE3F597D9B494A4A9FC93B202E705036C |
| SHA256: | D54B331AEEFE3B9AEF34F90D785C81C01890EB1D176363679F277566CF67B75C |
| SSDEEP: | 98304:7eRmzwh2oM+3yvyXWZ0vI8mNE9UyFTPf7TEuH0rK0FFw+cjt6/WTknWlRA6o674J:EPqB1rGE |
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:02:25 14:27:38+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.42 |
| CodeSize: | 2791424 |
| InitializedDataSize: | 5954560 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x243d3d |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.9.39351.5169 |
| ProductVersionNumber: | 9.9.39351.5169 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
| CompanyName: | Avanquest |
| FileDescription: | PC Cleaner Installer |
| FileVersion: | 9,9,39351,5169 |
| LegalCopyright: | © Avanquest |
| InternalName: | PC Cleaner Installer |
| OriginalFileName: | PC Cleaner Installer.exe |
| ProductName: | PC Cleaner |
| ProductVersion: | 9,9,39351,5169 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 188 | C:\Windows\syswow64\MsiExec.exe -Embedding 6CC76117747AA9020827279087511B5D | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1036 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | taskkill.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1520 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2112 | C:\Windows\System32\MsiExec.exe -Embedding FA35F12CD19E3FC841815D3B6A919728 E Global\MSI0000 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2580 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3656 | "C:\Users\admin\AppData\Local\Temp\PC_Cleaner_setup.exe" | C:\Users\admin\AppData\Local\Temp\PC_Cleaner_setup.exe | — | explorer.exe | |||||||||||
User: admin Company: Avanquest Integrity Level: MEDIUM Description: PC Cleaner Installer Exit code: 3221226540 Version: 9,9,39351,5169 Modules
| |||||||||||||||
| 3944 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5188 | "C:\Program Files\Avanquest\PC Cleaner\application\9.9.39351.5169\PC Cleaner Service.exe" | C:\Program Files\Avanquest\PC Cleaner\application\9.9.39351.5169\PC Cleaner Service.exe | services.exe | ||||||||||||
User: SYSTEM Company: Avanquest Integrity Level: SYSTEM Description: PC Cleaner Service Version: 9,9,39351,5169 Modules
| |||||||||||||||
| 5352 | "C:\WINDOWS\SysWOW64\taskkill.exe" /F /IM "PC Cleaner.exe" | C:\Windows\SysWOW64\taskkill.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5564 | C:\Windows\System32\MsiExec.exe -Embedding 6618F9F96FDE022FF1C43DE09C31A36D | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 480000000000000031DAFF25F71CDC01F00500000C160000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 480000000000000031DAFF25F71CDC01F00500000C160000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 48000000000000008013DC25F71CDC01F00500000C160000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 48000000000000008013DC25F71CDC01F00500000C160000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000D85A0226F71CDC01F00500000C160000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 480000000000000008980426F71CDC01F00500000C160000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1520) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (2580) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000005E894E26F71CDC01140A0000E0150000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2580) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000005E894E26F71CDC01140A000070140000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2580) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000005E894E26F71CDC01140A0000901B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6808 | PC_Cleaner_setup.exe | C:\ProgramData\Avanquest\PC Cleaner\msi-cache\944ed1b0-b138-4f5f-a338-a82217ec77b5.msi | — | |
MD5:— | SHA256:— | |||
| 1520 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 1520 | msiexec.exe | C:\Windows\Installer\191023.msi | — | |
MD5:— | SHA256:— | |||
| 1520 | msiexec.exe | C:\Windows\Installer\MSI1D43.tmp | — | |
MD5:— | SHA256:— | |||
| 6808 | PC_Cleaner_setup.exe | C:\ProgramData\Avanquest\PC Cleaner\settings\current-partner-params | binary | |
MD5:AC007C8ABFE1763AB336C048E3064A71 | SHA256:885E513DE2ED18349149C529942F04782193184E0DE6C347B605BA393862A7F6 | |||
| 6808 | PC_Cleaner_setup.exe | C:\ProgramData\Avanquest\PC Cleaner\settings\deploy-platform | binary | |
MD5:4D9697FF10B6970047D0C17BF8B8C13D | SHA256:53F4A6F02560680D79E6910EF709250FE24FAA90CB088361EB21CDA1C5D7A63F | |||
| 6808 | PC_Cleaner_setup.exe | C:\ProgramData\Avanquest\PC Cleaner\settings\installation-id | binary | |
MD5:49260C4B5DE44DAB06AC898144C9BFF8 | SHA256:8BA3C51C5A8442CD411802870E838E2A56EC7B8D70AF1482E51B7CAE8DFF5A31 | |||
| 1520 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D | binary | |
MD5:B5FA4E6124C18F88E5BDCB77243B810C | SHA256:AB4F9273334C1D30BF07F6D1FADDC05E40041E39907585DDA5C576179DB49B6C | |||
| 1520 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D | binary | |
MD5:217BDB5A1CC4C4125885A1746F4BBE97 | SHA256:95DAE32AC9458BAFE289101BBADDFACD60CA6A90393F00F39E8D3562AC420FB5 | |||
| 1520 | msiexec.exe | C:\Windows\Installer\MSI462A.tmp | executable | |
MD5:B2E2C24EBCE4F188CF28B9E1470227F5 | SHA256:233F5E43325615710CA1AA580250530E06339DEF861811073912E8A16B058C69 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
764 | lsass.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/gsr1.crl | US | binary | 1.70 Kb | whitelisted |
5724 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted |
4224 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | NL | binary | 419 b | whitelisted |
1520 | msiexec.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRr2bwARTxMtEy9aspRAZg5QFhagQQUgrrWPZfOn89x6JI3r%2F2ztWk1V88CEDWvt3udNB9q%2FI%2BERqsxNSs%3D | DE | binary | 812 b | whitelisted |
1520 | msiexec.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRp%2BmQDKauE4nIg%2FgknZHuBlLkfKgQUzolPglGqFaKEYsoxI2HSYfv4%2FngCEAlGWUsbJQFYeJPc6qnkoG8%3D | DE | binary | 806 b | whitelisted |
4224 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | NL | binary | 407 b | whitelisted |
764 | lsass.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsllCLO2YEqFaBOmVKKDvo%3D | US | binary | 471 b | whitelisted |
764 | lsass.exe | GET | 200 | 184.30.131.245:80 | http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAN2Bf4W%2BlJ5Zx7tXF2ldaI%3D | US | binary | 471 b | whitelisted |
764 | lsass.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/r4.crl | US | binary | 530 b | whitelisted |
1520 | msiexec.exe | GET | 200 | 72.246.170.45:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTLXNCzDvBhHecWjg70iJhBW0InywQUanImetAe733nO2lR1GyNn5ASZqsCEE5A5DdU7eaMAAAAAFHTlH8%3D | DE | binary | 1.54 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4196 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6808 | PC_Cleaner_setup.exe | 104.16.149.130:443 | partner-tracking.lavasoft.com | CLOUDFLARENET | — | whitelisted |
764 | lsass.exe | 142.250.185.195:80 | c.pki.goog | GOOGLE | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5724 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6808 | PC_Cleaner_setup.exe | 104.16.212.94:443 | acdn.adaware.com | CLOUDFLARENET | — | whitelisted |
5724 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
partner-tracking.lavasoft.com |
| whitelisted |
c.pki.goog |
| whitelisted |
login.live.com |
| whitelisted |
acdn.adaware.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |