File name:

SonOyuncu Minecraft Launcher.exe

Full analysis: https://app.any.run/tasks/8038aaf9-4c71-4255-9225-faf11b2706ea
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 24, 2024, 20:12:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

94BB92418BF395FA8D5AC86AB036F121

SHA1:

2A62229615D627CD225A783079CAFF4F22F4005A

SHA256:

F41D12D5B736A82F4C53E3C3F242560DFD800A24076186399DD695F3B493184B

SSDEEP:

98304:5ZgOtQO4bkVCA7TtzcjERmFp7W0vkEovFFmw3sFBtHAO4wEH/0idIUjnDsTDSHjF:HlIiezVYD7BQEbCZ7zSqL7z96H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)

    • Actions looks like stealing of personal data

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 5840)
      • CCleaner64.exe (PID: 3656)

    • Steals credentials from Web Browsers

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • setup.exe (PID: 4900)

    • Changes the autorun value in the registry

      • CCleaner64.exe (PID: 5840)
      • ie4uinit.exe (PID: 2824)

  • SUSPICIOUS

    • Reads the BIOS version

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)

    • Reads the date of Windows installation

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • SearchApp.exe (PID: 7856)
      • StartMenuExperienceHost.exe (PID: 7804)

    • Reads security settings of Internet Explorer

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • StartMenuExperienceHost.exe (PID: 7804)

    • Application launched itself

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • ie4uinit.exe (PID: 2824)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 7032)
      • OneDriveSetup.exe (PID: 3340)

    • Executable content was dropped or overwritten

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • OneDriveSetup.exe (PID: 6676)

    • Checks Windows Trust Settings

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)

    • Searches for installed software

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)

    • Reads Internet Explorer settings

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • FirstLogonAnim.exe (PID: 8176)

    • The process verifies whether the antivirus software is installed

      • CCleaner64.exe (PID: 5840)
      • CCleaner64.exe (PID: 3656)

    • Checks for external IP

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)

    • Starts application from unusual location

      • CCleaner64.exe (PID: 3656)

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 5328)

    • Reads Microsoft Outlook installation path

      • FirstLogonAnim.exe (PID: 8176)

    • Write to the desktop.ini file (may be used to cloak folders)

      • ie4uinit.exe (PID: 2824)

    • Changes internet zones settings

      • ie4uinit.exe (PID: 2824)

    • Uses RUNDLL32.EXE to load library

      • ie4uinit.exe (PID: 4584)

    • The process drops C-runtime libraries

      • OneDriveSetup.exe (PID: 6676)

    • Process drops legitimate windows executable

      • OneDriveSetup.exe (PID: 6676)

  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 1132)
      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • dllhost.exe (PID: 7276)
      • SearchApp.exe (PID: 7856)

    • Checks supported languages

      • CCleaner64.exe (PID: 464)
      • TextInputHost.exe (PID: 4108)
      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • PLUGScheduler.exe (PID: 5328)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 2772)
      • setup.exe (PID: 6748)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4660)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 4356)
      • setup.exe (PID: 7032)
      • TextInputHost.exe (PID: 4896)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)
      • setup.exe (PID: 6524)

    • Manual execution by a user

      • mspaint.exe (PID: 1568)
      • CCleaner64.exe (PID: 464)
      • mspaint.exe (PID: 2232)
      • mspaint.exe (PID: 6940)
      • WINWORD.EXE (PID: 5436)
      • FirstLogonAnim.exe (PID: 8176)
      • unregmp2.exe (PID: 2888)
      • unregmp2.exe (PID: 4696)
      • chrmstp.exe (PID: 7660)
      • ie4uinit.exe (PID: 2824)
      • setup.exe (PID: 4900)
      • fsquirt.exe (PID: 9124)
      • OneDriveSetup.exe (PID: 3340)
      • msedge.exe (PID: 4608)
      • wab.exe (PID: 7688)
      • cmd.exe (PID: 6540)

    • Reads the computer name

      • TextInputHost.exe (PID: 4108)
      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • PLUGScheduler.exe (PID: 5328)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 7032)
      • TextInputHost.exe (PID: 4896)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)

    • Creates files or folders in the user directory

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • SystemSettingsBroker.exe (PID: 6876)
      • Cortana.exe (PID: 8116)

    • Reads the machine GUID from the registry

      • SonOyuncu Minecraft Launcher.exe (PID: 1112)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • SearchApp.exe (PID: 7856)

    • Reads Environment values

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)

    • Checks proxy server information

      • slui.exe (PID: 1132)
      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • Cortana.exe (PID: 8116)
      • dllhost.exe (PID: 7276)
      • SearchApp.exe (PID: 7856)

    • Process checks computer location settings

      • CCleaner64.exe (PID: 464)
      • CCleaner64.exe (PID: 3656)
      • setup.exe (PID: 7780)
      • StartMenuExperienceHost.exe (PID: 7804)
      • SearchApp.exe (PID: 7856)
      • setup.exe (PID: 7032)

    • Reads CPU info

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)

    • Reads product name

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)

    • Creates files in the program directory

      • CCleaner64.exe (PID: 3656)
      • CCleaner64.exe (PID: 5840)
      • PLUGScheduler.exe (PID: 5328)
      • ie4uinit.exe (PID: 2824)
      • chrmstp.exe (PID: 7208)
      • chrmstp.exe (PID: 7660)
      • setup.exe (PID: 7780)
      • setup.exe (PID: 6524)
      • setup.exe (PID: 4900)
      • setup.exe (PID: 4624)
      • setup.exe (PID: 7032)

    • Reads Microsoft Office registry keys

      • CCleaner64.exe (PID: 3656)
      • chrmstp.exe (PID: 7660)
      • setup.exe (PID: 4900)
      • msedge.exe (PID: 6384)
      • setup.exe (PID: 4624)

    • Create files in a temporary directory

      • CCleaner64.exe (PID: 3656)

    • Reads security settings of Internet Explorer

      • SystemSettingsBroker.exe (PID: 6876)
      • FirstLogonAnim.exe (PID: 8176)
      • ie4uinit.exe (PID: 2824)
      • ie4uinit.exe (PID: 4584)
      • dllhost.exe (PID: 4516)
      • dllhost.exe (PID: 468)
      • WWAHost.exe (PID: 8180)

    • Application launched itself

      • chrmstp.exe (PID: 7208)
      • chrmstp.exe (PID: 7660)
      • msedge.exe (PID: 6384)

    • Drops the executable file immediately after the start

      • OneDriveSetup.exe (PID: 6676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 3
CodeSize: 4080128
InitializedDataSize: 412672
UninitializedDataSize: -
EntryPoint: 0x10a8058
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
289
Monitored processes
77
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start sonoyuncu minecraft launcher.exe slui.exe mspaint.exe no specs textinputhost.exe no specs tiworker.exe no specs ccleaner64.exe ccleaner64.exe mspaint.exe no specs ccleaner64.exe mspaint.exe no specs winword.exe ai.exe no specs cortana.exe systemsettingsbroker.exe no specs systemsettingsbroker.exe no specs plugscheduler.exe no specs sppextcomobj.exe no specs slui.exe no specs slui.exe no specs firstlogonanim.exe no specs unregmp2.exe no specs ie4uinit.exe ie4uinit.exe no specs dllhost.exe no specs rundll32.exe no specs rundll32.exe no specs unregmp2.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs chrmstp.exe no specs setup.exe setup.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs msedge.exe dllhost.exe msedge.exe no specs msedge.exe no specs msedge.exe dllhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs dllhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs setup.exe no specs dllhost.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs searchapp.exe wwahost.exe no specs dllhost.exe no specs dllhost.exe no specs dllhost.exe no specs dllhost.exe no specs fsquirt.exe no specs mobsync.exe no specs dllhost.exe no specs dllhost.exe no specs onedrivesetup.exe no specs onedrivesetup.exe msedge.exe no specs wab.exe no specs cmd.exe no specs conhost.exe no specs backgroundtransferhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
464"C:\Program Files\CCleaner\CCleaner64.exe" C:\Program Files\CCleaner\CCleaner64.exe
explorer.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner
Exit code:
0
Version:
6.20.0.10897
Modules
Images
c:\program files\ccleaner\ccleaner64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
468C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}C:\Windows\System32\dllhost.exesvchost.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
628"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3508 --field-trial-handle=2232,i,3919376368307473064,10527404063335165254,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
688"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4912 --field-trial-handle=2232,i,3919376368307473064,10527404063335165254,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1112"C:\Users\admin\Desktop\SonOyuncu Minecraft Launcher.exe" C:\Users\admin\Desktop\SonOyuncu Minecraft Launcher.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\desktop\sonoyuncu minecraft launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1132C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1268C:\WINDOWS\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}C:\Windows\System32\dllhost.exesvchost.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
1568"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\sawanything.png"C:\Windows\System32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1616C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\System32\rundll32.exeie4uinit.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
1812"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2228 --field-trial-handle=2232,i,3919376368307473064,10527404063335165254,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
Administrator
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
106 736
Read events
104 981
Write events
1 600
Delete events
155

Modification events

(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-462
Value:
Afghanistan Standard Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-461
Value:
Afghanistan Daylight Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-222
Value:
Alaskan Standard Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-221
Value:
Alaskan Daylight Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2392
Value:
Aleutian Standard Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2391
Value:
Aleutian Daylight Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2162
Value:
Altai Standard Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-2161
Value:
Altai Daylight Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-392
Value:
Arab Standard Time
(PID) Process:(1112) SonOyuncu Minecraft Launcher.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:writeName:C:\WINDOWS\system32\,@tzres.dll,-391
Value:
Arab Daylight Time
Executable files
192
Suspicious files
334
Text files
359
Unknown types
57

Dropped files

PID
Process
Filename
Type
3656CCleaner64.exe
MD5:
SHA256:
3656CCleaner64.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5:
SHA256:
1112SonOyuncu Minecraft Launcher.exeC:\Users\admin\AppData\Roaming\.sonoyuncu\bootstrap\logs.txttext
MD5:667DF01A2E80550229B48B113751651D
SHA256:0D92A547A2A85F68171D8F03F1143FCFFCD27DA23A757B364C4A243EDF05A3F1
3656CCleaner64.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmdbf
MD5:630EFF6ABFDBB16C0A999E1C30ECCBB5
SHA256:FA03A9FC9805BB40D3186BB106646109A6BDD657E97584E5A00F0CEFA88C6598
5304TiWorker.exeC:\Windows\Logs\CBS\CBS.logtext
MD5:9B547DF08B4F816A035346642A184E24
SHA256:B28422A8417F7592F6541E4BADA1867FD5BD663BE7E6F8D1E328FC439A90AFFE
3656CCleaner64.exeC:\Program Files\CCleaner\gcapi_17218520503656.dllexecutable
MD5:F17F96322F8741FE86699963A1812897
SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
3656CCleaner64.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000010.ldbbinary
MD5:8B6C3EA46EE80E79E11F43B55D5A8333
SHA256:168ACB2B10B881E0699B54806F18B264D70C10EC1D58D8136135A766D298AC58
3656CCleaner64.exeC:\Program Files\CCleaner\gcapi_dll.dllexecutable
MD5:F17F96322F8741FE86699963A1812897
SHA256:8B6CE3A640E2D6F36B0001BE2A1ABB765AE51E62C314A15911E75138CBB544BB
3656CCleaner64.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBV2D42YPNCUXF0YUL3J.tempbinary
MD5:5F402CA9EE019275E0C34113F39E1463
SHA256:0AC00E9B5C8F5250257A464DE9AD5A0169AE5A570B6FB42C6E440C55F85EFDA2
3656CCleaner64.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms~RFfc616.TMPbinary
MD5:715D03F2C851242AE02F082C92170337
SHA256:52F9047E9A072554A68045FD0215B8484C2D6D758FEE82543FBAA7C7F7D163D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
198
DNS requests
71
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3656
CCleaner64.exe
GET
404
23.48.23.31:80
http://ncc.avast.com/ncc.txt
unknown
whitelisted
5840
CCleaner64.exe
GET
404
23.48.23.31:80
http://ncc.avast.com/ncc.txt
unknown
whitelisted
7300
msedge.exe
GET
404
23.53.42.155:80
http://assets.msn.com/staticsb/statics/latest/fre/version.json
unknown
whitelisted
6568
svchost.exe
GET
404
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6568
svchost.exe
GET
404
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4204
svchost.exe
4.209.32.67:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1112
SonOyuncu Minecraft Launcher.exe
188.132.231.10:443
launcher.sonoyuncu.network
PremierDC Veri Merkezi Anonim Sirketi
TR
unknown
4
System
192.168.100.255:137
whitelisted
1392
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4172
SystemSettings.exe
104.126.37.137:443
www.bing.com
Akamai International B.V.
DE
unknown
4172
SystemSettings.exe
184.25.219.220:443
cxcs.microsoft.net
AKAMAI-AS
DE
unknown
1132
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.238
whitelisted
launcher.sonoyuncu.network
  • 188.132.231.10
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
cxcs.microsoft.net
  • 184.25.219.220
whitelisted
www.bing.com
  • 104.126.37.137
  • 104.126.37.153
  • 104.126.37.138
  • 104.126.37.146
  • 104.126.37.170
  • 104.126.37.144
  • 104.126.37.160
  • 104.126.37.161
  • 104.126.37.152
  • 104.126.37.123
  • 104.126.37.179
  • 104.126.37.185
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.168
  • 104.126.37.139
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.136
whitelisted
ncc.avast.com
  • 23.48.23.31
  • 23.48.23.10
whitelisted
self.events.data.microsoft.com
  • 52.178.17.235
  • 20.42.65.90
whitelisted
analytics.avcdn.net
  • 34.117.223.223
whitelisted
www.ccleaner.com
  • 23.206.209.82
whitelisted

Threats

PID
Process
Class
Message
2284
svchost.exe
Misc activity
ET INFO External IP Lookup Service in DNS Query (ip-info .ff .avast .com)
3656
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
5840
CCleaner64.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ip-info .ff .avast .com) in TLS SNI
Process
Message
CCleaner64.exe
[2024-07-24 20:14:10.007] [error ] [settings ] [ 3656: 3560] [000000: 0] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe
[2024-07-24 20:14:10.007] [error ] [ini_access ] [ 3656: 3560] [000000: 0] Incorrect ini_accessor configuration! Fixing relative input path to avoid recursion. Input was: Setup
CCleaner64.exe
Failed to open log file 'C:\Program Files\CCleaner'
CCleaner64.exe
OnLanguage - en
CCleaner64.exe
[2024-07-24 20:14:10.788] [error ] [settings ] [ 3656: 1012] [D2EC45: 356] Failed to get program directory Exception: Unable to determine program folder of product 'piriform-cc'! Code: 0x000000c0 (192)
CCleaner64.exe
[2024-07-24 20:14:10.804] [error ] [Burger ] [ 3656: 1012] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe
[2024-07-24 20:14:10.804] [error ] [Burger ] [ 3656: 1012] [904E07: 253] [23.2.1118.0] [BurgerReporter.cpp] [253] asw::standalone_svc::BurgerReporter::BurgerSwitch: Could not read property BURGER_SETTINGS_PANCAKE_HOSTNAME (0x00000003)
CCleaner64.exe
file:///tis/optimizer.tis(1131) : warning :'await' should be used only inside 'async' or 'event'
CCleaner64.exe
file:///tis/optimizer.tis(1288) : warning :'async' does not contain any 'await'
CCleaner64.exe
startCheckingLicense()
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SonOyuncu Minecraft Launcher.exe