File name: SonOyuncu Minecraft Launcher.exe
Full analysis: https://app.any.run/tasks/8038aaf9-4c71-4255-9225-faf11b2706ea
Verdict: Malicious activity
Threats:

Stealers are a category of malware built to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: July 24, 2024, 20:12:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 94BB92418BF395FA8D5AC86AB036F121
SHA1: 2A62229615D627CD225A783079CAFF4F22F4005A
SHA256: F41D12D5B736A82F4C53E3C3F242560DFD800A24076186399DD695F3B493184B
SSDEEP: 98304:5ZgOtQO4bkVCA7TtzcjERmFp7W0vkEovFFmw3sFBtHAO4wEH/0idIUjnDsTDSHjF:HlIiezVYD7BQEbCZ7zSqL7z96H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 5840)
      • CCleaner64.exe (PID: 3656)
    • Actions look like stealing of personal data

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 5840)
      • CCleaner64.exe (PID: 3656)
    • Steals credentials from Web Browsers

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • setup.exe (PID: 4900)
    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 5840)
      • ie4uinit.exe (PID: 2824)
  • SUSPICIOUS

    • Reads the BIOS version

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
    • Reads security settings of Internet Explorer

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • StartMenuExperienceHost.exe (PID: 7804)
    • Application launched itself

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • ie4uinit.exe (PID: 2824)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 7032)
      • OneDriveSetup.exe (PID: 3340)
      • setup.exe (PID: 4900)
    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)
    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • FirstLogonAnim.exe (PID: 8176)
    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • OneDriveSetup.exe (PID: 6676)
    • Checks Windows Trust Settings

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
    • Searches for installed software

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
    • Checks for external IP

      • CCleaner64.exe (PID: 5840)
      • CCleaner64.exe (PID: 3656)
    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
    • Starts application from unusual location

      • CCleaner64.exe (PID: 3656)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 5328)
    • Reads Microsoft Outlook installation path

      • FirstLogonAnim.exe (PID: 8176)
    • Write to the desktop.ini file (may be used to cloak folders)

      • ie4uinit.exe (PID: 2824)
    • Changes internet zones settings

      • ie4uinit.exe (PID: 2824)
    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 4584)
    • Process drops legitimate windows executable

      • OneDriveSetup.exe (PID: 6676)
    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 6676)
  • INFO

    • Reads the machine GUID from the registry

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • SearchApp.exe (PID: 7856)
    • Checks supported languages

      • TextInputHost.exe (PID: 4108)
      • CCleaner64.exe (PID: 464)
      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • PLUGScheduler.exe (PID: 5328)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 4660)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 4356)
      • setup.exe (PID: 7032)
      • TextInputHost.exe (PID: 4896)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)
      • setup.exe (PID: 2772)
      • setup.exe (PID: 6748)
    • Checks proxy server information

      • slui.exe (PID: 1132)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • dllhost.exe (PID: 7276)
      • SearchApp.exe (PID: 7856)
    • Reads the computer name

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • TextInputHost.exe (PID: 4108)
      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • PLUGScheduler.exe (PID: 5328)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 7032)
      • TextInputHost.exe (PID: 4896)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)
      • setup.exe (PID: 7780)
    • Reads the software policy settings

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • slui.exe (PID: 1132)
      • CCleaner64.exe (PID: 3656)
      • Cortana.exe (PID: 8116)
      • CCleaner64.exe (PID: 5840)
      • dllhost.exe (PID: 7276)
      • SearchApp.exe (PID: 7856)
    • Creates files or folders in the user directory

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • Cortana.exe (PID: 8116)
      • SystemSettingsBroker.exe (PID: 6876)
    • Manual execution by a user

      • CCleaner64.exe (PID: 464)
      • mspaint.exe (PID: 2232)
      • mspaint.exe (PID: 1568)
      • mspaint.exe (PID: 6940)
      • WINWORD.EXE (PID: 5436)
      • FirstLogonAnim.exe (PID: 8176)
      • unregmp2.exe (PID: 2888)
      • ie4uinit.exe (PID: 2824)
      • unregmp2.exe (PID: 4696)
      • chrmstp.exe (PID: 7660)
      • OneDriveSetup.exe (PID: 3340)
      • fsquirt.exe (PID: 9124)
      • wab.exe (PID: 7688)
      • msedge.exe (PID: 4608)
      • cmd.exe (PID: 6540)
      • setup.exe (PID: 4900)
    • Process checks computer location settings

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 7032)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)
    • Reads Environment values

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
    • Reads product name

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
    • Creates files in the program directory

      • CCleaner64.exe (PID: 3656)
      • PLUGScheduler.exe (PID: 5328)
      • CCleaner64.exe (PID: 5840)
      • ie4uinit.exe (PID: 2824)
      • chrmstp.exe (PID: 7208)
      • chrmstp.exe (PID: 7660)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 7032)
      • setup.exe (PID: 4624)
    • Reads CPU info

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
    • Reads Microsoft Office registry keys

      • CCleaner64.exe (PID: 3656)
      • setup.exe (PID: 4900)
      • chrmstp.exe (PID: 7660)
      • msedge.exe (PID: 6384)
      • setup.exe (PID: 4624)
    • Create files in a temporary directory

      • CCleaner64.exe (PID: 3656)
    • Reads security settings of Internet Explorer

      • SystemSettingsBroker.exe (PID: 6876)
      • FirstLogonAnim.exe (PID: 8176)
      • ie4uinit.exe (PID: 2824)
      • ie4uinit.exe (PID: 4584)
      • dllhost.exe (PID: 4516)
      • dllhost.exe (PID: 468)
      • WWAHost.exe (PID: 8180)
    • Application launched itself

      • chrmstp.exe (PID: 7208)
      • chrmstp.exe (PID: 7660)
      • msedge.exe (PID: 6384)
    • Drops the executable file immediately after the start

      • OneDriveSetup.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 4080128
InitializedDataSize: 412672
UninitializedDataSize: -
EntryPoint: 0x10a8058
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
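The EXIF fields above are the quickest static triage a reviewer does before touching the sample. The following Python is an added example, not part of the ANY.RUN report or the sample's code: it parses the COFF and PE32 optional header fields the report lists and returns the header-only observations a practitioner would note (zeroed timestamp, linker version outside the MSVC range, entry point beyond the counted section sizes, stripped debug info). The byte string it parses is a constructed header-only PE32 carrying the report's values, not the real file, and the MSVC linker range (6 to 14) used as a threshold is the author's assumption.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits that ExifTool renders as
# "Executable, 32-bit, No debug" (the ImageFileCharacteristics line above).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
PE32_MAGIC = 0x10B
MACHINE_I386 = 0x14C
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """Parse the COFF header and the PE32 optional-header fields a sandbox report lists."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError(f"not a PE32 optional header: magic 0x{magic:x}")
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "characteristics": chars,
        "linker": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "init_data_size": idata,
        "uninit_data_size": udata,
        "entry_point": entry,
        "os_version": f"{os_major}.{os_minor}",
        "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def triage_notes(h: dict) -> list:
    """Heuristic observations a reviewer would pull from the header fields alone."""
    notes = []
    if h["timestamp"] == 0:
        notes.append("TimeDateStamp is zero: build time not recorded (reproducible build or deliberately cleared)")
    major = int(h["linker"].split(".")[0])
    if not 6 <= major <= 14:  # assumption: MSVC emits 6.x through 14.x
        notes.append(f"LinkerVersion {h['linker']} is outside the MSVC range; identify the toolchain before reading anything else into it")
    if h["entry_point"] > h["code_size"] + h["init_data_size"] + h["uninit_data_size"]:
        notes.append("AddressOfEntryPoint lies beyond the summed section sizes: inspect the section table for a packer or loader stub")
    if h["characteristics"] & IMAGE_FILE_DEBUG_STRIPPED:
        notes.append("IMAGE_FILE_DEBUG_STRIPPED set (file(1) prints this as 'stripped to external PDB')")
    return notes


def build_sample_header() -> bytes:
    """Constructed header-only PE32 carrying the values printed in the EXIF block above.

    This is not the real sample; it exists so the parser can run offline. The section
    table is omitted, so only the fields the report lists are meaningful."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", MACHINE_I386, 3, 0, 0, 0, 224,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DEBUG_STRIPPED)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, PE32_MAGIC, 3, 0, 4080128, 412672, 0, 0x10A8058)
    struct.pack_into("<6H", opt, 40, 6, 1, 1, 0, 6, 1)  # OS 6.1, image 1.0, subsystem 6.1
    struct.pack_into("<H", opt, 68, 2)                  # Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_header())
    for key, val in hdr.items():
        print(f"{key:>18}: {hex(val) if isinstance(val, int) else val}")
    for note in triage_notes(hdr):
        print("  -", note)
```

Run against the real file with `parse_pe_header(open(path, "rb").read())`; the notes are prompts for a closer look (section table, imports, overlay), not verdicts, and the linker/timestamp combination in particular is a toolchain fingerprint rather than a malice indicator.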
No data.
All screenshots are available in the full report
Total processes: 289
Monitored processes: 77
Malicious processes: 9
Suspicious processes: 1

Behavior graph

Process chain in graph order (entries marked "no specs" raised no signatures of their own): sonoyuncu minecraft launcher.exe, slui.exe, mspaint.exe (no specs), textinputhost.exe (no specs), tiworker.exe (no specs), ccleaner64.exe, ccleaner64.exe, mspaint.exe (no specs), ccleaner64.exe, mspaint.exe (no specs), winword.exe, ai.exe (no specs), cortana.exe, systemsettingsbroker.exe (no specs), systemsettingsbroker.exe (no specs), plugscheduler.exe (no specs), sppextcomobj.exe (no specs), slui.exe (no specs), slui.exe (no specs), firstlogonanim.exe (no specs), unregmp2.exe (no specs), ie4uinit.exe, ie4uinit.exe (no specs), dllhost.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), unregmp2.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), chrmstp.exe (no specs), setup.exe, setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), msedge.exe, dllhost.exe, msedge.exe (no specs), msedge.exe (no specs), msedge.exe, dllhost.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), dllhost.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), msedge.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), setup.exe (no specs), dllhost.exe (no specs), textinputhost.exe (no specs), startmenuexperiencehost.exe (no specs), searchapp.exe, wwahost.exe (no specs), dllhost.exe (no specs), dllhost.exe (no specs), dllhost.exe (no specs), dllhost.exe (no specs), fsquirt.exe (no specs), mobsync.exe (no specs), dllhost.exe (no specs), dllhost.exe (no specs), onedrivesetup.exe (no specs), onedrivesetup.exe, msedge.exe (no specs), wab.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), backgroundtransferhost.exe (no specs)

Attribution note, drawn from this report's own tables: the submitted sample is PID 1112, started from explorer.exe. The signatures it raises itself are "Drops the executable file immediately after the start", "Reads the BIOS version" and the INFO-level registry and file reads; its one listed network contact is the TLS session to launcher.sonoyuncu.network (188.132.231.10:443), and it exits with code 4294967295. Every other MALICIOUS-class hit (personal-data access, browser credential access, autorun changes) is raised by CCleaner64.exe, setup.exe, ie4uinit.exe or OneDriveSetup.exe. CCleaner64.exe PID 464 is listed under "Manual execution by a user" with explorer.exe, not the sample, as its parent, so the disclaimer above about user actions applies directly to the stealer verdict: check the full report's process tree for any descendant of PID 1112 before treating the verdict as a property of the file.

Process information

Fields per entry: PID, CMD, Path, Indicators, Parent process
PID: 464
CMD: "C:\Program Files\CCleaner\CCleaner64.exe"
Path: C:\Program Files\CCleaner\CCleaner64.exe
Parent process: explorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
PID: 468
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 628
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3508 --field-trial-handle=2232,i,3919376368307473064,10527404063335165254,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 688
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4912 --field-trial-handle=2232,i,3919376368307473064,10527404063335165254,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1112
CMD: "C:\Users\admin\Desktop\SonOyuncu Minecraft Launcher.exe"
Path: C:\Users\admin\Desktop\SonOyuncu Minecraft Launcher.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295 (0xFFFFFFFF, the unsigned form of -1)
Modules
Images
c:\users\admin\desktop\sonoyuncu minecraft launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
(The syswow64 and wow64*.dll entries show the 32-bit sample running under WOW64 on the 64-bit guest; apphelp.dll and aclayers.dll loading into it means an application-compatibility shim layer was applied to the process.)
PID: 1132
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1268
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1568
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\sawanything.png"
Path: C:\Windows\System32\mspaint.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1616
CMD: C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Path: C:\Windows\System32\rundll32.exe
Parent process: ie4uinit.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1812
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2228 --field-trial-handle=2232,i,3919376368307473064,10527404063335165254,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 106 736
Read events: 104 981
Write events: 1 600
Delete events: 155

Modification events

All ten entries shown are writes by the sample (PID 1112, SonOyuncu Minecraft Launcher.exe) to the MUI string cache key HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E. Each value name is an indirect resource-string reference into tzres.dll and each value is a time-zone display name, which is what Windows caches when a process resolves time-zone names; this is a side effect of enumerating time zones, not a persistence or configuration change.

  • C:\WINDOWS\system32\,@tzres.dll,-462 = Afghanistan Standard Time
  • C:\WINDOWS\system32\,@tzres.dll,-461 = Afghanistan Daylight Time
  • C:\WINDOWS\system32\,@tzres.dll,-222 = Alaskan Standard Time
  • C:\WINDOWS\system32\,@tzres.dll,-221 = Alaskan Daylight Time
  • C:\WINDOWS\system32\,@tzres.dll,-2392 = Aleutian Standard Time
  • C:\WINDOWS\system32\,@tzres.dll,-2391 = Aleutian Daylight Time
  • C:\WINDOWS\system32\,@tzres.dll,-2162 = Altai Standard Time
  • C:\WINDOWS\system32\,@tzres.dll,-2161 = Altai Daylight Time
  • C:\WINDOWS\system32\,@tzres.dll,-392 = Arab Standard Time
  • C:\WINDOWS\system32\,@tzres.dll,-391 = Arab Daylight Time
Executable files: 192
Suspicious files: 334
Text files: 359
Unknown types: 57

Dropped files (PID, process, filename, type, hashes)

  • 3656 CCleaner64.exe: (filename, type and hashes not shown)
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat (type and hashes not shown)
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms~RFfc616.TMP, binary
    MD5: 715D03F2C851242AE02F082C92170337
    SHA256: 52F9047E9A072554A68045FD0215B8484C2D6D758FEE82543FBAA7C7F7D163D9
  • 5840 CCleaner64.exe: C:\Program Files\CCleaner\gcapi_dll.dll, executable
    MD5: F17F96322F8741FE86699963A1812897
    SHA256: 8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
  • 3656 CCleaner64.exe: C:\Program Files\CCleaner\gcapi_dll.dll, executable
    MD5: F17F96322F8741FE86699963A1812897
    SHA256: 8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms, binary
    MD5: 5F402CA9EE019275E0C34113F39E1463
    SHA256: 0AC00E9B5C8F5250257A464DE9AD5A0169AE5A570B6FB42C6E440C55F85EFDA2
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm, binary
    MD5: B7C14EC6110FA820CA6B65F5AEC85911
    SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000009, binary
    MD5: E7F75FCC633FCCDF57B2414B2AD146CF
    SHA256: CF8E0760684D3C9C3A2D7DDA7671C05E4EC8DB058E71A48C51D7E52F081441AC
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000009.dbtmp, text
    MD5: 979C29C2917BED63CCF520ECE1D18CDA
    SHA256: B3524365A633EE6D1FA9953638D2867946C515218C497A5EC2DBEF7DC44A7C53
  • 3656 CCleaner64.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBV2D42YPNCUXF0YUL3J.temp, binary
    MD5: 5F402CA9EE019275E0C34113F39E1463
    SHA256: 0AC00E9B5C8F5250257A464DE9AD5A0169AE5A570B6FB42C6E440C55F85EFDA2
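"Steals credentials from Web Browsers" and "Actions looks like stealing of personal data" are path-based signatures: they fire when a process touches browser profile stores such as the Firefox cookies.sqlite and the Edge Local Storage leveldb files listed above. The Python below is an added example of that classification, not ANY.RUN's rule logic; the path patterns are an assumed illustrative subset, and the input rows are the dropped-file entries copied from the table above. Its last function answers the question this page raises: does any browser-store access belong to the sample's own PID (1112)?

```python
import re
from collections import defaultdict

# Browser profile artefacts worth flagging, grouped by browser family and by what
# they hold. Illustrative subset (assumption), not ANY.RUN's signature definition.
BROWSER_STORE_PATTERNS = [
    ("firefox", "credentials", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)),
    ("firefox", "cookies", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite", re.I)),
    ("chromium", "credentials", re.compile(r"\\User Data\\[^\\]+\\(Login Data|Web Data)$", re.I)),
    ("chromium", "cookies", re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I)),
    ("chromium", "site-storage", re.compile(r"\\User Data\\[^\\]+\\Local Storage\\leveldb\\", re.I)),
]

# Rows copied from the Dropped files table above as (PID, process, path); the first
# row of that table carries no filename and is left out.
DROPPED_FILES = [
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"),
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms~RFfc616.TMP"),
    (5840, "CCleaner64.exe", r"C:\Program Files\CCleaner\gcapi_dll.dll"),
    (3656, "CCleaner64.exe", r"C:\Program Files\CCleaner\gcapi_dll.dll"),
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms"),
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm"),
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\MANIFEST-000009"),
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000009.dbtmp"),
    (3656, "CCleaner64.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBV2D42YPNCUXF0YUL3J.temp"),
]


def classify_file_events(rows):
    """Group browser-store paths by (pid, process).

    Returns {(pid, process): [(browser, category, path), ...]}; rows that match no
    pattern (WebCache, jump lists, CCleaner's own DLL) are dropped."""
    hits = defaultdict(list)
    for pid, proc, path in rows:
        for browser, category, pattern in BROWSER_STORE_PATTERNS:
            if pattern.search(path):
                hits[(pid, proc)].append((browser, category, path))
                break
    return dict(hits)


def processes_touching_credentials(rows):
    """(pid, process) pairs that touched a password store, the strongest signal."""
    return sorted(key for key, events in classify_file_events(rows).items()
                  if any(category == "credentials" for _, category, _ in events))


def sample_hits(rows, sample_pid):
    """Browser-store events attributable to the submitted sample's own PID."""
    return [event for (pid, _), events in classify_file_events(rows).items()
            if pid == sample_pid for event in events]


if __name__ == "__main__":
    for key, events in classify_file_events(DROPPED_FILES).items():
        print(key)
        for browser, category, path in events:
            print(f"  [{browser}/{category}] {path}")
    print("credential stores touched by:", processes_touching_credentials(DROPPED_FILES))
    print("events attributable to PID 1112:", sample_hits(DROPPED_FILES, 1112))
```

A dropped-files table records writes. A stealer only needs reads of Login Data, key4.db or cookies.sqlite, so run the same patterns over the full report's file-access events before concluding anything; a cleaner rewriting cookie and leveldb files is consistent with its advertised function, and in this excerpt no credential store and no sample-owned PID appears at all.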
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 198
DNS requests: 71
Threats: 3

HTTP requests (PID, process, method, URL, server IP:port, HTTP code, CN, reputation; Type and Size were not populated)

  • 5840 CCleaner64.exe: GET http://ncc.avast.com/ncc.txt via 23.48.23.31:80, 404, CN unknown, whitelisted
  • 7300 msedge.exe: GET http://assets.msn.com/staticsb/statics/latest/fre/version.json via 23.53.42.155:80, 404, CN unknown, whitelisted
  • 6568 svchost.exe: GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl via 184.30.21.171:80, 404, CN unknown, whitelisted
  • 6568 svchost.exe: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl via 23.48.23.194:80, 404, CN unknown, whitelisted
  • 3656 CCleaner64.exe: GET http://ncc.avast.com/ncc.txt via 23.48.23.31:80, 404, CN unknown, whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections (PID, process, IP:port, domain, ASN, CN (country), reputation)

  • (PID and process not shown): 239.255.255.250:1900, whitelisted
  • (PID and process not shown): 51.124.78.146:443 settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL, whitelisted
  • 4 System: 192.168.100.255:138, whitelisted
  • 4204 svchost.exe: 4.209.32.67:443, MICROSOFT-CORP-MSN-AS-BLOCK, US, unknown
  • 1112 SonOyuncu Minecraft Launcher.exe: 188.132.231.10:443 launcher.sonoyuncu.network, PremierDC Veri Merkezi Anonim Sirketi, TR, unknown
  • 4 System: 192.168.100.255:137, whitelisted
  • 1392 slui.exe: 40.91.76.224:443 activation-v2.sls.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted
  • 4172 SystemSettings.exe: 104.126.37.137:443 www.bing.com, Akamai International B.V., DE, unknown
  • 4172 SystemSettings.exe: 184.25.219.220:443 cxcs.microsoft.net, AKAMAI-AS, DE, unknown
  • 1132 slui.exe: 40.91.76.224:443 activation-v2.sls.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted

The only connection attributed to the sample (PID 1112) in this excerpt is the TLS session to launcher.sonoyuncu.network; everything else here is Windows telemetry, activation, NetBIOS/SSDP broadcast or the manually started applications. That host and IP are therefore the indicators to pivot on, and the HTTP table above contains no request from PID 1112 at all.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.238
whitelisted
launcher.sonoyuncu.network
  • 188.132.231.10
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
cxcs.microsoft.net
  • 184.25.219.220
whitelisted
www.bing.com
  • 104.126.37.137
  • 104.126.37.153
  • 104.126.37.138
  • 104.126.37.146
  • 104.126.37.170
  • 104.126.37.144
  • 104.126.37.160
  • 104.126.37.161
  • 104.126.37.152
  • 104.126.37.123
  • 104.126.37.179
  • 104.126.37.185
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.168
  • 104.126.37.139
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.136
whitelisted
ncc.avast.com
  • 23.48.23.31
  • 23.48.23.10
whitelisted
self.events.data.microsoft.com
  • 52.178.17.235
  • 20.42.65.90
whitelisted
analytics.avcdn.net
  • 34.117.223.223
whitelisted
www.ccleaner.com
  • 23.206.209.82
whitelisted

Threats (PID, process, class, message)

  • 2284 svchost.exe, Misc activity: ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
  • 3656 CCleaner64.exe, Misc activity: ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
  • 5840 CCleaner64.exe, Misc activity: ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
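The two TLS SNI alerts above come from Emerging Threats "ET INFO" rules that match a known external-IP-lookup hostname inside the server_name extension of a TLS ClientHello; the DNS alert is the same hostname seen in a query. The Python below is an added example (not ANY.RUN's or Suricata's code) of the SNI-matching mechanism: it parses the server_name out of a ClientHello record and checks it against a lookup-domain set. The domain set is an assumed illustrative subset of what the ET rules cover, the ClientHello bytes are constructed in-line as test fixtures, and the flow list mirrors the PIDs on this page; a real deployment would read records from the PCAP the report offers.

```python
import struct

# Hostnames external-IP-lookup rules key on. Only the first appears in this report;
# the others are assumed additions, extend from the ET ruleset as needed.
EXTERNAL_IP_LOOKUP_DOMAINS = {
    "ip-info.ff.avast.com",
    "api.ipify.org",
    "ifconfig.me",
    "icanhazip.com",
}


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:       # 0x16 = handshake record
            return None
        rec_len = struct.unpack_from(">H", record, 3)[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 38 or hs[0] != 0x01:              # 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32                               # handshake hdr, client_version, random
        pos += 1 + hs[pos]                             # session id
        pos += 2 + struct.unpack_from(">H", hs, pos)[0]  # cipher suites
        pos += 1 + hs[pos]                             # compression methods
        if pos + 2 > len(hs):
            return None                                # no extensions block
        ext_len = struct.unpack_from(">H", hs, pos)[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack_from(">HH", hs, pos)
            pos += 4
            if ext_type == 0 and ext_size >= 5:        # server_name extension
                name_type = hs[pos + 2]                # skip 2-byte server_name_list length
                name_len = struct.unpack_from(">H", hs, pos + 3)[0]
                if name_type == 0:                     # host_name
                    return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_size
        return None
    except (IndexError, struct.error):
        return None


def external_ip_lookup_host(record: bytes):
    """The SNI host if it is a known external-IP-lookup service, else None."""
    host = extract_sni(record)
    if host and host.lower().rstrip(".") in EXTERNAL_IP_LOOKUP_DOMAINS:
        return host
    return None


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI entry (test fixture)."""
    name = hostname.encode("ascii")
    sni = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, len
    ext = struct.pack(">HH", 0, len(sni)) + sni                      # extension type 0 (server_name)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, random, empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


# Constructed flows: PIDs and hostnames taken from this report, payloads built above.
SAMPLE_FLOWS = [
    (3656, "CCleaner64.exe", build_client_hello("ip-info.ff.avast.com")),
    (5840, "CCleaner64.exe", build_client_hello("ip-info.ff.avast.com")),
    (1112, "SonOyuncu Minecraft Launcher.exe", build_client_hello("launcher.sonoyuncu.network")),
]


def alerts(flows):
    """(pid, process, message) for each flow whose SNI is an external-IP-lookup domain."""
    out = []
    for pid, proc, record in flows:
        host = external_ip_lookup_host(record)
        if host:
            out.append((pid, proc, f"ET INFO Observed External IP Lookup Domain ({host}) in TLS SNI"))
    return out


if __name__ == "__main__":
    for pid, proc, msg in alerts(SAMPLE_FLOWS):
        print(pid, proc, msg)
```

The sample's own TLS flow to launcher.sonoyuncu.network produces no alert, matching the report: all three ET hits belong to CCleaner64.exe and the svchost.exe DNS resolver. An SNI match is an "INFO" class signal because the domain is also what a legitimate product uses to learn its public IP; it only becomes interesting when the process asking is one that has no business knowing.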
Process
Message
CCleaner64.exe
[2024-07-24 20:14:10.007] [error ] [settings ] [ 3656: 3560] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe
[2024-07-24 20:14:10.007] [error ] [ini_access ] [ 3656: 3560] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe
Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe
OnLanguage - en
CCleaner64.exe
[2024-07-24 20:14:10.788] [error ] [settings ] [ 3656: 1012] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe
[2024-07-24 20:14:10.804] [error ] [Burger ] [ 3656: 1012] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe
[2024-07-24 20:14:10.804] [error ] [Burger ] [ 3656: 1012] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe
file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe
file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe
startCheckingLicense()