| File name: | kcleaner_lite-3.8.4.114.exe |
| Full analysis: | https://app.any.run/tasks/3c37ac8b-ed28-4c6f-ae66-ea6cb92df403 |
| Verdict: | Malicious activity |
| Analysis date: | February 24, 2024, 16:14:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 8AB6FACB05508364DF9F42FEA4E2E1D2 |
| SHA1: | EF9EAB5F9ED9D339F8BE00614383BBBD68471903 |
| SHA256: | D5D899C8C1A418DD99CCEB63E98350E04DD4982DCE95E1F1E1A939E56E44B7AF |
| SSDEEP: | 98304:d+cD4dnMxhafSsKqBpi2WPvHV/AEAXWPNt8xP2nmL77Gk8Od+Ukvk41mDmZ7DRwK:0osk |
MALICIOUS
Drops the executable file immediately after the start
- kcleaner_lite-3.8.4.114.exe (PID: 2472)
- kcleaner_lite-3.8.4.114.exe (PID: 2964)
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
Actions looks like stealing of personal data
- KCleaner.exe (PID: 3544)
SUSPICIOUS
Executable content was dropped or overwritten
- kcleaner_lite-3.8.4.114.exe (PID: 2472)
- kcleaner_lite-3.8.4.114.exe (PID: 2964)
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
Reads the Windows owner or organization settings
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
Reads the Internet Settings
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
- KCleaner.exe (PID: 3544)
- kcleaner_lite-3.8.4.114.tmp (PID: 3864)
Reads security settings of Internet Explorer
- kcleaner_lite-3.8.4.114.tmp (PID: 3864)
Searches for installed software
- KCleaner.exe (PID: 3544)
The process verifies whether the antivirus software is installed
- KCleaner.exe (PID: 3544)
INFO
Checks supported languages
- kcleaner_lite-3.8.4.114.tmp (PID: 3864)
- kcleaner_lite-3.8.4.114.exe (PID: 2472)
- kcleaner_lite-3.8.4.114.exe (PID: 2964)
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
- KCleaner.exe (PID: 3544)
Create files in a temporary directory
- kcleaner_lite-3.8.4.114.exe (PID: 2472)
- kcleaner_lite-3.8.4.114.exe (PID: 2964)
Reads the computer name
- kcleaner_lite-3.8.4.114.tmp (PID: 3864)
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
- KCleaner.exe (PID: 3544)
Creates files in the program directory
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
Creates files or folders in the user directory
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
- KCleaner.exe (PID: 3544)
Creates a software uninstall entry
- kcleaner_lite-3.8.4.114.tmp (PID: 2752)
Application launched itself
- msedge.exe (PID: 3428)
- msedge.exe (PID: 3164)
- msedge.exe (PID: 3108)
- msedge.exe (PID: 3924)
Manual execution by a user
- msedge.exe (PID: 3164)
Reads Environment values
- KCleaner.exe (PID: 3544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:04:14 16:10:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 142848 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.8.4.114 |
| ProductVersionNumber: | 3.8.4.114 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | KC Softwares |
| FileDescription: | KC Softwares KCleaner Setup |
| FileVersion: | 3.8.4.114 |
| LegalCopyright: | Copyright © 1998-2021 KC Softwares |
| OriginalFileName: | |
| ProductName: | KC Softwares KCleaner |
| ProductVersion: | 3.8.4.114 |
Total processes
72
Monitored processes
33
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3260 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 268 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2412 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 568 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 764 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1592 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 848 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6a61f598,0x6a61f5a8,0x6a61f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 920 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3568 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1308 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1348 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 --field-trial-handle=1248,i,1039566030290632389,5708437467453537763,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2064 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1004 --field-trial-handle=1248,i,1039566030290632389,5708437467453537763,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2100 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1272 --field-trial-handle=1264,i,7596252259598908421,10474041250408820994,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
17 162
Read events
15 737
Write events
1 412
Delete events
13
Modification events
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: C00A0000F0BBF1823C67DA01 | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: F518647B358F5BD6C252C945C446D43DC13B82C12335EDF93ADCDFE4E7D54C78 | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Program Files\KC Softwares\KCleaner\libcrypto-3.dll | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: 435061F2BA74BF293EECAAF9D51A8A342EA9887DABCD820A46D3E3C8CB008D6D | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KC Softwares KCleaner_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.2.1 | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KC Softwares KCleaner_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\KC Softwares\KCleaner | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KC Softwares KCleaner_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\KC Softwares\KCleaner\ | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KC Softwares KCleaner_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: KC Softwares\KCleaner | |||
| (PID) Process: | (2752) kcleaner_lite-3.8.4.114.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KC Softwares KCleaner_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
Executable files
11
Suspicious files
90
Text files
77
Unknown types
55
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2472 | kcleaner_lite-3.8.4.114.exe | C:\Users\admin\AppData\Local\Temp\is-91S8B.tmp\kcleaner_lite-3.8.4.114.tmp | executable | |
MD5:77E18E36BDDAF4E596AC25C1366BDE30 | SHA256:7BC09D745184A9674496FA829C5CEC8C92393ABA4056B4E16F82F29F96735566 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\is-3FSSK.tmp | image | |
MD5:BC386B82F8A51D31BBE3E56CC95A917C | SHA256:C9AC35049675C056E66D9596C95E3DD065FA251486CF486F93F70E6A1EDB6948 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\Uninstall.ico | image | |
MD5:BC386B82F8A51D31BBE3E56CC95A917C | SHA256:C9AC35049675C056E66D9596C95E3DD065FA251486CF486F93F70E6A1EDB6948 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\is-DIDT8.tmp | image | |
MD5:43E9031AA4E69441C19D518A8D698BBF | SHA256:0583831D380B5CBABAFE406B4190D24F25BD878A9F28F48964EC871C32AE33B9 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\unins000.exe | executable | |
MD5:77E18E36BDDAF4E596AC25C1366BDE30 | SHA256:7BC09D745184A9674496FA829C5CEC8C92393ABA4056B4E16F82F29F96735566 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\is-C4T2U.tmp | executable | |
MD5:77E18E36BDDAF4E596AC25C1366BDE30 | SHA256:7BC09D745184A9674496FA829C5CEC8C92393ABA4056B4E16F82F29F96735566 | |||
| 2964 | kcleaner_lite-3.8.4.114.exe | C:\Users\admin\AppData\Local\Temp\is-9A7NC.tmp\kcleaner_lite-3.8.4.114.tmp | executable | |
MD5:77E18E36BDDAF4E596AC25C1366BDE30 | SHA256:7BC09D745184A9674496FA829C5CEC8C92393ABA4056B4E16F82F29F96735566 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\is-L24KG.tmp | binary | |
MD5:735EF42E2DAB1B02B5240F26117F90BD | SHA256:68D20A4E865F6D83BC3E539C43099E44FCFD8E696729789E9636B10BB0CF2D20 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\KC_00000402.SPK | binary | |
MD5:735EF42E2DAB1B02B5240F26117F90BD | SHA256:68D20A4E865F6D83BC3E539C43099E44FCFD8E696729789E9636B10BB0CF2D20 | |||
| 2752 | kcleaner_lite-3.8.4.114.tmp | C:\Program Files\KC Softwares\KCleaner\KCleaner.exe | executable | |
MD5:98CC5E6A6996FCFB234421327A4119DD | SHA256:6247FF856CD59DB8C5ED30D0FD92AEA068888C4B73E84E6C85F156CAC4F18722 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
18
DNS requests
20
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3164 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
1308 | msedge.exe | 46.105.204.2:443 | www.kcsoftwares.com | OVH SAS | FR | unknown |
1308 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
1308 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3164 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
1308 | msedge.exe | 23.36.79.19:443 | www.bing.com | Akamai International B.V. | NO | unknown |
1308 | msedge.exe | 23.36.76.152:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | Akamai International B.V. | NO | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.kcsoftwares.com |
| unknown |
config.edge.skype.com |
| unknown |
edge.microsoft.com |
| unknown |
www.bing.com |
| unknown |
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com |
| unknown |
Threats
Process | Message |
|---|---|
msedge.exe | [0224/161449.486:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
|
msedge.exe | [0224/161508.798:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
|