File name:	ccleaner_browser_setup.exe
Full analysis:	https://app.any.run/tasks/08ca3186-80ec-41dc-ac76-57bbe09d3404
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	June 02, 2024, 05:43:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	B530A1995085B5469E9CBB01B6D91DB9
SHA1:	39D371893915D0E690EBCC2D5A6CA2FEC4ECDC1E
SHA256:	E5506D917ADFB44D12034688C1E1D7C91CE5A88613E92E2A501F26C226D7A7AE
SSDEEP:	98304:P2ul/FrAXjH3qJy6ctlfJ8lPaamqFXTGeZI5M60bdoSWl2/AUxpC1GTYVOJ2va/n:f/u1FzSXmi

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:12:16 00:50:53+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	141824
UninitializedDataSize:	2048
EntryPoint:	0x350d
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	8.11.8.7423
ProductVersionNumber:	8.11.8.7423
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Arabic
CharacterSet:	Windows, Arabic
BuildDate:	19700120T193710
BuildTimestamp:	1712230192
BuildVersion:	8.11.8.7423
CompanyName:	Gen Digital Inc.
FileDescription:	إعداد CCleaner Browser
FileVersion:	8.11.8.7423
InstallerCommit:	57459b9cdb08ab5ac027a5e3530c97b65adf58fb
InstallerEdition:	web
InstallerKeyword:	ccleaner-browser
InternalName:	CCleaner Browser
JsisCommit:	9787409e632740167533d24081ccbb49791a2fdf
LegalCopyright:	حقوق النشر 2017-2024 لشركة Gen Digital Inc.
OmahaVersion:	1.8.1691.6
ProductName:	إعداد CCleaner Browser
ProductVersion:	8.11.8.7423


(PID) Process:	(6332) ccleaner_browser_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6332) ccleaner_browser_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6332) ccleaner_browser_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6332) ccleaner_browser_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6620) aj4F49.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Piriform\Browser
Operation:	write	Name:	installer_run_count
Value: 1
(PID) Process:	(6620) aj4F49.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Browser
Operation:	write	Name:	machine_id
Value: 0000B0E1009ABA5E95F7227E57434874
(PID) Process:	(6620) aj4F49.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Piriform\Browser
Operation:	write	Name:	machine_id
Value: 0000B0E1009ABA5E95F7227E57434874
(PID) Process:	(6620) aj4F49.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6620) aj4F49.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6620) aj4F49.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
6332	ccleaner_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsf4303.tmp\AccessControl.dll		executable
		MD5:E021453DC6C9D91F7AAEE47513730BE3	SHA256:98FE662988D3F3BBC87F3BA9DDF9C1084D74E767FB210FA80FE944AA267019E8
6332	ccleaner_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsf4303.tmp\sciterui.dll		executable
		MD5:46DA14D6F32309ABF7CEFF0B2CD91622	SHA256:0DBF315893BA76CD7FA0F37523C57656E7E93EB81D44E877326CE3C5A43262DD
6332	ccleaner_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsf4303.tmp\thirdparty.dll		executable
		MD5:72C90B7A61DE5B1DFDC9FAE84481E803	SHA256:F26AB713695B4A36A74A6507C73F0D3E9EB46A0D3E5E17468EED4DE90CC429BB
6620	aj4F49.exe	C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\jsis.dll		executable
		MD5:C5B387FEFC8426BEDF8AF4F2A01821F7	SHA256:77AFA0816AF82D94A19E709826A065F2041F4A2659ACD151BDA152DF69EBD6CA
6620	aj4F49.exe	C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\thirdparty.dll		executable
		MD5:72C90B7A61DE5B1DFDC9FAE84481E803	SHA256:F26AB713695B4A36A74A6507C73F0D3E9EB46A0D3E5E17468EED4DE90CC429BB
6332	ccleaner_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\ccleaner-browser-web-tags		binary
		MD5:CA54161A10296C7C2AD5166E829F3420	SHA256:CC631ABF52D3FEF4A80996448901D0AE9233B4329D18EC4149C29F1F136778B0
6620	aj4F49.exe	C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\FF.places.tmp		—
		MD5:—	SHA256:—
6332	ccleaner_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\nsf4303.tmp\JsisPlugins.dll		executable
		MD5:5880EA5B4D09B44A9B14C233EE87CD76	SHA256:E5F82BC144D72BFFA89055603C7A20914EB3F31FF77CE6B7BB185D80224D3D30
6332	ccleaner_browser_setup.exe	C:\Users\admin\AppData\Local\Temp\aj4F49.exe		executable
		MD5:1C69824F1D98F40BD7E167B394D1D0AE	SHA256:601D1462AF35E7DA88C6B341AC349368247E10B5E5B8B52C7BF5418EA2A03CF6
6620	aj4F49.exe	C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\JsisPlugins.dll		executable
		MD5:5880EA5B4D09B44A9B14C233EE87CD76	SHA256:E5F82BC144D72BFFA89055603C7A20914EB3F31FF77CE6B7BB185D80224D3D30

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
528	svchost.exe	GET	200	2.19.126.133:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
528	svchost.exe	GET	—	72.246.169.155:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
1964	RUXIMICS.exe	GET	200	72.246.169.155:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
1964	RUXIMICS.exe	GET	200	2.19.126.133:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	72.246.169.155:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
6620	aj4F49.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	unknown
6620	aj4F49.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAV14ffsm9imej9hicY%2Bl7s%3D	unknown	—	—	unknown
7132	CCleanerBrowserUpdate.exe	GET	200	2.19.126.203:80	http://browser-update.ccleaner.com/browser-ccb/win/x64/124.0.25069.209/CCleanerBrowserInstaller.exe	unknown	—	—	unknown
—	—	POST	200	104.22.45.115:443	https://update.ccleanerbrowser.com/service/update2?cup2key=9:2106869628&cup2hreq=0684d51eb6905f0b4732576f696688d06bbbac5d4a054ca7fe3acb2e411e9616	unknown	xml	1020 b	—
—	—	POST	200	20.189.173.5:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
528	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	239.255.255.250:1900	—	—	—	unknown
1964	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5140	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
528	svchost.exe	2.19.126.133:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
1964	RUXIMICS.exe	2.19.126.133:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
528	svchost.exe	72.246.169.155:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5140	MoUsoCoreWorker.exe	72.246.169.155:80	www.microsoft.com	AKAMAI-AS	DE	unknown
1964	RUXIMICS.exe	72.246.169.155:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5456	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown

Domain	IP	Reputation
crl.microsoft.com	2.19.126.133	whitelisted
www.microsoft.com	72.246.169.155	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
stats.securebrowser.com	104.20.87.8 104.20.86.8	unknown
ocsp.digicert.com	192.229.221.95	whitelisted
update.ccleanerbrowser.com	104.22.44.115 104.22.45.115 172.67.29.127	whitelisted
browser-update.ccleaner.com	2.19.126.203 2.19.126.213	whitelisted
self.events.data.microsoft.com	20.42.73.28	whitelisted

Process	Message
ccleaner_browser_setup.exe	2024-06-02T05:44:04 [libnsis] {000018bc:000018c0} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
ccleaner_browser_setup.exe	2024-06-02T05:44:04 [libnsis] {000018bc:000018c0} <4:Error> (893f00f663353e48\src\jsis-plugins\plugins\UtilitiesPlugin\TagData.cpp:85) 0x00000400000715 91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62
ccleaner_browser_setup.exe	2024-06-02T05:44:04 [libnsis] {000018bc:000018c0} <1:Debug> (91aa05bf654a77ad\src\sbplugins\windows\RCData.cpp:62) Throwing exception 0x00000400000715
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <2:Info> (893f00f663353e48\src\jsis-plugins\plugins\Plugin.cpp:82) JSIS Plugin logging enabled
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\CR.History.tmp
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19846 AND vtime <= 19877 GROUP BY vtime
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\CR.History.tmp
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT ((visits.visit_time/1000000)-11644473600) /60 /60 / 24 AS vtime FROM 'visits' WHERE vtime >= 19846 AND vtime <= 19877 GROUP BY vtime
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:38) Oepn Sqlite DB C:\Users\admin\AppData\Local\Temp\nsw52D2.tmp\FF.places.tmp
aj4F49.exe	2024-06-02T05:44:06 [libnsis] {000019dc:000019e0} <1:Debug> (6641f181bd7f7928\src\acu\database\Sqlite.cpp:75) Execute Sqlite query SELECT last_visit_date / 1000000 /60 /60 / 24 AS vtime FROM 'moz_places' WHERE vtime >= 19846 AND vtime <= 19877 GROUP BY vtime

General Info

ccleaner_browser_setup.exe

B530A1995085B5469E9CBB01B6D91DB9

39D371893915D0E690EBCC2D5A6CA2FEC4ECDC1E

E5506D917ADFB44D12034688C1E1D7C91CE5A88613E92E2A501F26C226D7A7AE

98304:P2ul/FrAXjH3qJy6ctlfJ8lPaamqFXTGeZI5M60bdoSWl2/AUxpC1GTYVOJ2va/n:f/u1FzSXmi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Steals credentials from Web Browsers

Actions looks like stealing of personal data

Changes the autorun value in the registry

SUSPICIOUS

The process verifies whether the antivirus software is installed

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Reads the BIOS version

Searches for installed software

Checks Windows Trust Settings

Disables SEHOP

Starts itself from another location

Creates/Modifies COM task schedule object

Executes as Windows Service

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Application launched itself

Creates a software uninstall entry

Reads Mozilla Firefox installation path

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads Environment values

Reads the software policy settings

Creates files in the program directory

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Process checks whether UAC notifications are on

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity