9bc9bf7786f77e2ed0499c124e517c9fb8681cf4370c4504a8403e0f43fed8e2

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup610_pro_trial.exe
Size

51.4MB
MD5

0be70789c0ee6ba913a65637b7050705
SHA1

fbc7371e9bd416b1a5f0e6eb68a86d538e341fb0
SHA256

9bc9bf7786f77e2ed0499c124e517c9fb8681cf4370c4504a8403e0f43fed8e2
SHA512

1fb145ae42d75dede203bdf566ef25ddfede5a075d6e30b7a6bf925c01ac0504faeb771a9059df6fa42c68d701f21e5de0a3ba49146e94077a0a98c61d9a52ca
SSDEEP

1572864:fXa3QR9TUKGAqcudtTkpttagIc56qFVKtdgZk:fq3QR9dRqv3TyEEnCdgZk

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup610_pro_trial.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ccsetup610_pro_trial.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Executes dropped EXE 5 IoCs

Processes:

CCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid process

1208 CCleaner64.exe
1216 CCUpdate.exe
4468 CCUpdate.exe
2768 CCleaner64.exe
5968 CCleaner64.exe

pid	process
1208	CCleaner64.exe
1216	CCUpdate.exe
4468	CCUpdate.exe
2768	CCleaner64.exe
5968	CCleaner64.exe

Loads dropped DLL 24 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid	process
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
660	ccsetup610_pro_trial.exe
1208	CCleaner64.exe
4468	CCUpdate.exe
2768	CCleaner64.exe
2768	CCleaner64.exe
2768	CCleaner64.exe
2768	CCleaner64.exe
5968	CCleaner64.exe
5968	CCleaner64.exe
5968	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 11 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ccsetup610_pro_trial.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup610_pro_trial.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exesetup.exeCCleaner64.exeCCUpdate.exeCCleaner64.exe

description	ioc	process
File created	C:\Program Files\CCleaner\CCUpdate.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1081.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.abc8fd82-11d7-4e1f-9083-33e9f61a77b3	CCleaner64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230322143413.pma	setup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup610_pro_trial.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log.tmp.2cffde2b-7964-4416-b39d-759335c9d18e	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Data\usercfg.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdEng.log.tmp.35591583-3db0-40b3-8641-6d863ed03538	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Setup\b7aed578-e880-4935-a701-d1f78edc3669.ini	CCUpdate.exe
File created	C:\Program Files\CCleaner\Setup\cefedc2e-36a6-4abf-aa11-fb0fd654a6ec.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup610_pro_trial.exe
File opened for modification	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\1eea9325-554e-433d-9bd2-eb82ade21e71	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Setup\5e45437c-726e-432f-8c17-6a366bf6745a.dll	CCUpdate.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner.dat	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup610_pro_trial.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup610_pro_trial.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdEng.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup610_pro_trial.exe

Drops file in Windows directory 2 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5176 456 WerFault.exe

pid	pid_target	process	target process
5176	456	WerFault.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup610_pro_trial.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup610_pro_trial.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup610_pro_trial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

ccsetup610_pro_trial.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup610_pro_trial.exe

Modifies registry class 27 IoCs

Processes:

ccsetup610_pro_trial.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup610_pro_trial.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exe

pid	process
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	pid	process
Token: SeRestorePrivilege	660	ccsetup610_pro_trial.exe
Token: SeDebugPrivilege	1208	CCleaner64.exe
Token: SeDebugPrivilege	2768	CCleaner64.exe
Token: SeShutdownPrivilege	2768	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2768	CCleaner64.exe
Token: SeShutdownPrivilege	2768	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2768	CCleaner64.exe
Token: SeShutdownPrivilege	2768	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2768	CCleaner64.exe
Token: SeShutdownPrivilege	2768	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2768	CCleaner64.exe
Token: SeDebugPrivilege	5968	CCleaner64.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msedge.exeCCleaner64.exe

pid process

3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
3080 msedge.exe
5968 CCleaner64.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

CCleaner64.exe

pid process

5968 CCleaner64.exe

pid	process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
5968	CCleaner64.exe

pid	process
5968	CCleaner64.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCleaner64.exe

pid	process
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
660	ccsetup610_pro_trial.exe
2768	CCleaner64.exe
2768	CCleaner64.exe
2768	CCleaner64.exe
2768	CCleaner64.exe
5968	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ccsetup610_pro_trial.exeCCUpdate.exemsedge.exe

description	pid	process	target process
PID 660 wrote to memory of 1208	660	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 660 wrote to memory of 1208	660	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 660 wrote to memory of 1216	660	ccsetup610_pro_trial.exe	CCUpdate.exe
PID 660 wrote to memory of 1216	660	ccsetup610_pro_trial.exe	CCUpdate.exe
PID 660 wrote to memory of 1216	660	ccsetup610_pro_trial.exe	CCUpdate.exe
PID 1216 wrote to memory of 4468	1216	CCUpdate.exe	CCUpdate.exe
PID 1216 wrote to memory of 4468	1216	CCUpdate.exe	CCUpdate.exe
PID 1216 wrote to memory of 4468	1216	CCUpdate.exe	CCUpdate.exe
PID 660 wrote to memory of 3080	660	ccsetup610_pro_trial.exe	msedge.exe
PID 660 wrote to memory of 3080	660	ccsetup610_pro_trial.exe	msedge.exe
PID 660 wrote to memory of 2768	660	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 660 wrote to memory of 2768	660	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 3080 wrote to memory of 1660	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 1660	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 2572	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 392	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 392	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe
PID 3080 wrote to memory of 4316	3080	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccsetup610_pro_trial.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup610_pro_trial.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\5e45437c-726e-432f-8c17-6a366bf6745a.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=1&a=3
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe06746f8,0x7fffe0674708,0x7fffe0674718
3⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
3⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
3⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
3⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
3⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
3⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
3⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
3⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff639d85460,0x7ff639d85470,0x7ff639d85480
4⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
3⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
3⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
3⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
3⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17690340021969678857,2390173873063745580,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
3⤵
PID:1212

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 456 -ip 456
1⤵
PID:5284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 456 -s 2260
1⤵
- Program crash
PID:5176

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:5404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe
Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCleaner.exe
Filesize
31.5MB

MD5
10f73fbf9047789b611b3d35f2526334

SHA1
108b26ff38a2839a76300d87975ae23619469fce

SHA256
6e6fc50580fb43e0b68be7a6569818478a0accbdab425ea80830b450dc76601e

SHA512
ea0e77d31c4597022219f263f2defe19cef2cc69588dcd57e038354500f8f976c9bb9f185dc92e6fe1f33a0a09444dd9ae424f10ea6d722bbdf7a638c2fc5702

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
8.2MB

MD5
eea47668c90db2fb6ea328e9f1760451

SHA1
d965bc56c1f0480b7e572c14ec84c5f5762dec85

SHA256
fefa23b99bc98b4dca30ae8d30bcb9220de4da0c5bdc5e6781ab27d5ccdfb6c0

SHA512
20460ed7b123e91ead45f1565c286dfb30472a020fa877690e6ee0d990181a61a01cb287b083e7f3546c8fa2de935a55df382cd2da176f92543df3f343e04d8c

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
8.2MB

MD5
eea47668c90db2fb6ea328e9f1760451

SHA1
d965bc56c1f0480b7e572c14ec84c5f5762dec85

SHA256
fefa23b99bc98b4dca30ae8d30bcb9220de4da0c5bdc5e6781ab27d5ccdfb6c0

SHA512
20460ed7b123e91ead45f1565c286dfb30472a020fa877690e6ee0d990181a61a01cb287b083e7f3546c8fa2de935a55df382cd2da176f92543df3f343e04d8c

Download Submit
C:\Program Files\CCleaner\Setup\5e45437c-726e-432f-8c17-6a366bf6745a.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\5e45437c-726e-432f-8c17-6a366bf6745a.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\5e45437c-726e-432f-8c17-6a366bf6745a.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\b7aed578-e880-4935-a701-d1f78edc3669.ini
Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\cefedc2e-36a6-4abf-aa11-fb0fd654a6ec.xml
Filesize
1KB

MD5
a8500f686252cdd13696bd7cd4df2df7

SHA1
4b8e01170a0fab56f250fabd6ec937e9a256d9c3

SHA256
693225b1c379176971faeb9ac2b49ab64750bf309d617f0bed0f7d2744ca57f0

SHA512
9c00c10ae75a5498593c0ae43be6b77b13d68e6db8367401127dc72a3ce5678b0a5e52d8b8b768af611a157b39e4fe7e44cfa5f257ac07c273142865bbf73499

Download Submit
C:\Program Files\CCleaner\Setup\config.def
Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\gcapi_16794956311208.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16794956402768.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16794956402768.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16794956585968.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
1KB

MD5
98e911b5c3a661734456c322c0a0e700

SHA1
afa5c83a9d8dd792f5610a1e6a6537fcd9055687

SHA256
028267a042bbb6a419190210ca05f5f04b2cdb0394da9d17423410badda84849

SHA512
98ea8a7bbd64163bef310995864f9c7c0d521fb9c7f77c1b28c190611f2bf93058bb67a8c546d739277d666ae5e0dc6df5e35bc320d060823b8e2c9d217b62c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
b2b3764a0eb3b6ee8f395cc1f3c31d85

SHA1
c3293471d6d018cd316b53c809036835c4060e9b

SHA256
e741768fc8a1a618b926abb44bacd1cb178cd73489d5fd828304c913d785fa52

SHA512
99b7549e1a058d37f47977c312ca8c6a83139f7a1a684022205f930ab7d2f00a57e4e09416860770d86dda1fcf9dcef441693cd2cce13ad42369805a0a1b6f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
60f78053c151a7fb3ce3c1e2f247f963

SHA1
a090592930bc1adbd3b3dbed9130289dc4233f17

SHA256
be58a10111b4a808e6d67364a55dccb7458d63ff26ea8ddabd06ba8674fff126

SHA512
d9d0a62c65d181c64d7fa5142b7f8aa1a5369a3ddfb7daf688b780cc88630a81921dcdbf7cc2e5d796f136f71190e671aa8e86d9a7967667c48d8d96f94decd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
a0d886e95b82bb48f8753efb14ed976d

SHA1
6e2dbba309c16c542e919af06797459722a3324e

SHA256
d98337e8fa7b25c30155011806c40e36b92219eca6601bffa47da49fd209e8c1

SHA512
ffb728fe536707a5802deb7f754d794694fb3c1f7563dc578b11a7282255677892ca36ab4cad52afa88cf68822115df1c5b132324b9213b10ddd2454842193bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
471B

MD5
7a4ec9d7cccd2ce4d73eab90fc0d6424

SHA1
123a4aafe8bcc3bc967d293de4875b23eb3d723a

SHA256
6a602eca840df42c42be65aedf651e3a3ff11dd52e3b316465dd889571905418

SHA512
d907cfaedb8afc53ba142e7c757d35bd1f6ea1a4ff70942a2e6fa5bc1f556536d5bfbc87233917249c5b82b23c18ab3b5d0e57dfe7c904554b14c0bf7117fea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
471B

MD5
44c4eab6ffe458052d2d117772637640

SHA1
8523d1681d4a29ddde3eaa487f91a7c41ec56186

SHA256
1259607d85310f2c32d265b5a33161069c9e3f314a79ba38617f955cc5dff26c

SHA512
da6ce2e7b9885af31e3e63b0afe1ed05b5a03f5a90b35902619e54796579ef59784e4238739b408560c72b37281db8d91b5a1567f475e81eae58845c1aaf8da0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
434B

MD5
c84b48bfff4a0b0ad168e0ff64d10570

SHA1
76735b26770d73faf8c9f7df5153ecd502d83410

SHA256
ae01ce3553c7fd75dcad905eb0edb3a5f594c37e58a6345cf5fa2903c91f2480

SHA512
1564daddcdb7e71dd02d830340b88775fb4d9969e1f1419df9de9ec5b031a5e1770d5628b798fe83c324b4f2d6db1182dc043f26cbaf8473aeeca10fdd62076c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
a59f02f293d42a10dd2f7f0dbd3643ec

SHA1
24d7060409a4cd07140cb9ee990ffe220aefa743

SHA256
084fbb93dff406ea8ef8ee872b203aed90ea47fac0ba5cc3c25c934b0c2fe02e

SHA512
fa99fe3581d43d8d69244ab44ef0216b605925257b509ec907318c8ad62cd3eeda86fa6d54b839eba76bf1c71d5309c1410d4949707b7a810889cc0a8328f033

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
e3e935855408a4f8be60bf03fcdef06c

SHA1
41a2bd0bd6f81ccf356a94a0e0246a43ea564443

SHA256
8bdb63ecb0b2bfdd8dbd728b608fddffc62a5d530b807839c6c4114d7ca542a7

SHA512
c016c92fd41caa21a876fd62a7992d1bd86e10e11adb8bb63f09dadc4f70e314a4c0adb9c83b7fd686d0cf4086b83fef16090ccaeccb9d238e6554b41bf66129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
3de8767b5c2befb89ea400e1f2e2553f

SHA1
04af5018d4eb94a28a224e926e6ee86d89ef0e2d

SHA256
8e50d749bab5ecfbf1a9fa60e18f7951cbc280b657616733acc8a1b78809ba51

SHA512
149d88b420872afe457ea126d1dfba3113e2325742526f658e21ceb6f0ea63a4f3206f00b2d5aae170bd88c222f094ea6be0d6478b212ff85f1e6351b1fa7500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
426B

MD5
ef8e4f73ca5771c1f0eca7d683bfac65

SHA1
4d1530f2fb98cedb10e778a8e19f36ef18891f06

SHA256
08d26c36f4e7f36f969f0ea11e09259dd4a65a3c2b22d007e9c6311781ffc088

SHA512
7b639db47d7e856354dde235f06646eae7ffb7f0cae37a2e8f3287f2054e0a899ccc5a794fc6efd6149ccea6892f04cb2908f058abb3e5dc4f885a7bd7e83bc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
464B

MD5
81d46242a87e17df4bf354c9b5362374

SHA1
72531b6a8c9ab3a07007f52c4a9b64720d39388f

SHA256
a4ed3f681a457bc225881f918eb22a79e5eae98491562e97460755abe6a67c0e

SHA512
7d80c4abb16ce60e8171941fa9b5961f858a0726f999225aaaefa333682e83e8344d89c20af3d88a036245c847f52371ea11b8b790e51c102de7335517cea495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
84fe04ceeb2668d712b037846100c605

SHA1
5fbba158d473c3e9a7e72e0c3fb0fb976b5bc6f8

SHA256
7e2b94146618b7f302836ea07423f46616daab2299ed7eb39b9bf492b21d9107

SHA512
b911920d230019cc483f78626c36538bc0a31ebd479becc089ca7379c5746952a7f8ba056cb4d3e23e92b180824106af9d74dffe33a23a2e81010c19cc3ae4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
ed150c0ac103316326d042281b20915b

SHA1
210eb42b36ae174465c2e740b778d0f415ded53c

SHA256
b1a0ee4f0d4883290286570d8859018bbbfbccc2398e118f4b945b9498df24d5

SHA512
c5b16e2fd93e60459fb205f7e103a2f61af9fa25a98a2552fe1d09907309cc6442b574854ae0095a77692f8dad3d3c615360b1729136639b95f655678a926699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
d2113863e3abd5bd9908ab7454dadfa7

SHA1
1227f79ebf7ce48c65c86b3a671e6d72f970c5eb

SHA256
b6e190a20effb93a3d87d1e23a5024471d4cefff51b9aadbe84593498d6add59

SHA512
2e33fa6153a746ff27bbb98743d988405be57f1cb307aa78cee9f49f6f29211052aeb5906b2f4c31be50f07c20892ecb4af37dec9ff162bdf5becdca61698928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
024611091e2d3af9de2a531b2a210eb5

SHA1
b893496cd1de5e777f59d0f663bf3ae095752712

SHA256
e2ee48e22c158ed9103d05fb3b3c96ae3d06624810fe8df56fa7efc2b5846f89

SHA512
8025aff04a68fc91de5d7df23c47284da8ac04614c28415dc30a9db277223c9db87073f304f61626a48af07935f4cfa00a978725d3c208298ef0cdd3f53395fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0276ef6730e9bffd02cf87174bb57282

SHA1
b06a22b0feb68f1a9b9e63e609e60b5be3130e18

SHA256
76122d387889e7ae5969f3de67138fdf72ba8166ce0b6f2692ebb5b3b19cd331

SHA512
b3960652200d208b16d1eef692ecd78ce32038258e2721c4d8d5c6bf29dda623949e3945d2e79e42b9278812fd5777358275f2b24aa862334197118f5435d0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
a02927929298ced51e9b79468ea77767

SHA1
48ea9960d785fc6e94c6dd391e9ae083aba492c9

SHA256
a15dde214f5486cea7b865665843d891bcf08b8d6c32b687d34e6e06a1d0b3d7

SHA512
793bdcd1c05b86d4e3d8b22ede9c666793d54db887bde184a3d4c04ddb805ce0539c392fd8a71c520cdd2ecc1b5bbe12e5de7ca74f1eade1b1c8e4ce373937a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ad4199d9-3093-49c1-86e9-95ebadfe221a.tmp
Filesize
4KB

MD5
81aae8f70f5759b36c35e7d20bb88fe4

SHA1
f8fa35f9be36cabc90fd899eb75d24ebe1f01fa7

SHA256
2d7b56f005e4fe240f10072cb08414ddfc0aa792335443fb0372d907d0466d68

SHA512
2c7b12bf71a547792ce5909b5aa20cb555de72cc4b93e70c6ce696f87571f259ba86445aff223415d135c5f399c00e9a4960bf93fd0b59c354e597f74708ff75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cookies
Filesize
20KB

MD5
48646d542e5a38361abecc30526519a4

SHA1
93c0f55dc8d3d6db5a4a0fbb1277396060e8f68c

SHA256
f390d9d5621ad82535a6282ac4b5cbe2d70e1391884e26c98daa70d450a6d26c

SHA512
35432218e33c0cb99d2f585915b4c924e0394efba5981e29057ce855058e26a98f669b606b7ef961aebcfe77abd741b5a35859119f6a1b3327582d9d67f9bad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
d69b65a0a054df76dbfdd3605572b14c

SHA1
e13e133120d243abd4b74570c541b07b64db99ef

SHA256
5335d1bf46a155aa34796fe4993cb054b414c782ec493d0cef5457a4ac96eb71

SHA512
a7214c9fac1314d45c7f92863e56b48b33ec1bd9cbaeb004e9e9f0e9da852e2292397d6a139f79a892452b99f8d88ab9120c9cd13105878d989b99833a887005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0a18674df79fddefb5f5238c18db2279

SHA1
ce8d92161c0a30712b38f9bcdbe33af776a2ed23

SHA256
001bdd4fe0d13e590a0db394d66eebbffdee968b6db189f98edd369e98443169

SHA512
03ecb9165a501daf017180378872211b4e36a733076264b2c5ef8f95952280739c764dd170e3207d12ca1b93f2e5394f85fcafebb4bb98d94decdf2e3560fb50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
c34558e3c7e1be66aedaa68c0e484fa0

SHA1
b85ba1e48e328f849f4193364c0abd7c7d32083e

SHA256
82ddf46eaf5305452baaad4f087237fd167db1452a1a5c5299e419af2083e8fe

SHA512
ac43dd8313d82ac60943a7b4624b624c0bacb29827bfb5937484f32c9ce4ca4baa7f4114894d3427f3d67d758d2bee4ecef480468ade6e5f2c17d4f14e777f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
a2547eb93cde87544eeae59176abac91

SHA1
964d0310982e2b77a5208ce81a0c909e1f0772aa

SHA256
42ffee12080bbe1debe57656648efbe027b595b20746f3758be9147d4c02f121

SHA512
c5dc7f2996cfe531c2d7fc9bf618e344b8a1b9e466b1250a4893d62143d150bce2a575515123890a3ca46a679ef51b141c8f070aab0c5506b594938667933e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
ba5989201223380b6e79363000042600

SHA1
2ec68077ce1e3f849ecfa904c1d0d6ca072423f0

SHA256
8084adb99cad9670964e49a7dcb9979d36608039590fb77a0000ff58435fa833

SHA512
23a0a47f030f9108c5309801379286d4db8755af258cf9fc08c1b23921199140bd17fa8096488a4b5c3e7370f4ea3c9064d82fd9257d142d89161bd64fb31aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
ec0859b949312423a18a94c07446583f

SHA1
5832464293c9665db45ceef33c7cec744f474caf

SHA256
e8a9070037002001edb34f87e547d02fa509602826981710da68801ace608602

SHA512
bc8537118c3b9c3b4686a38b14cb8e5ffd4f3e5236d2b82fb947ff0fbfec7a477743e1926894a8d68fa81b3e7ae0fef546507b73449fbcb11d404de11d6da82c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
c634043cdc454c23d8f5e93b5149a3dc

SHA1
8e61fdfd7052196c6c4e79b3153d4fba942d4e6d

SHA256
75625c744298c03c9af60c97831fb6d91ff4d872e0116624b1edf36ad75a1558

SHA512
7105e53cda25b52aa3714ef2542af1791351078e1daddf8eb1973601155458122e1fc9c373194ca25c70108b77f4d8eb57be2224f99ca8e082633737cd5c2400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
b11997d4cb709e224fa74d4e0f979fc6

SHA1
34def26afcd17ffb91ef93c3af3dc434e2f70527

SHA256
8e8848f89e1e5ff7ff74159a5c4adb80381493885c921d8cf95e3d922b3b8b5d

SHA512
7bbc6b30459799a468a354f7e80e51a5e8d55bbebf388ff1d6c0d78df29c6adb006355c978cd04cc251840a18a279319f194b0d8faaf96952b027a3df2892022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
c9240bc16292a57cda36d65490e2e96e

SHA1
37f25248c484ad35cf1a5e3ad02df9c8ce48ccc9

SHA256
eeaecb9d7a947cc9deef076137aa8e46f035dd13cef4ad2a893f01ad926bbae6

SHA512
14f27a794bddd6652aa99737b1e29104658c796bc4434aac6006982ec908dcdf86b373907baefce2680ea1ce4a5c262d81f085d75d4be3966b8ed57841d5fbb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
b46cf3d38235cbc7e7a08c56561543bd

SHA1
4a2b7735ba13d81882cced2cf953800b84318dc9

SHA256
f9137309b93169653488be7a1702fef6cb05c7ada9ffa9efa804863cbc0d0734

SHA512
cffe0ea2475f14bdfa169391c8835c02e267b590c98d6cadca50b5309610319cd033ae090167b40fb4b55d81f725ad8e6a6e9244af32707a123ef30bd91ff773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
ed574276380e8d285f6a805ef73d22ca

SHA1
682598d24f7837eeee409a07b5453acc2143a266

SHA256
db1a3ff68a9962284bbd01ccca68e698135ad234977c360f942d1ff2fd990a4d

SHA512
5176895a52db9c7b4669358ca9e4d1c92567f22c946bedfc5b0b0acc4ad7181b9d17fef9c88d1342c4eef8a528d887fb344ea06a1ca72e6205d18cbd94de17ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
de5def5c132d398979d22b88d650eb8f

SHA1
7de103139fd2b2be02b544ced922f723efd9faf3

SHA256
0a37670f2b73b56712a86c1db013d59e53545db9133fdea60ff5f2b95d63019f

SHA512
7ff989ce1ba72335c593a62b9f84ca68f97766016f1bd3b0145f826cf309410b966459f2c1442f93fe564345e6e74f45bf318ed009378bc011a455946ca5cfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\asw43c299de625706f3.tmp
Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\INetC.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ui\pfUI.dll
Filesize
16.4MB

MD5
d0ee52daa39b8b22eced053f68d5b765

SHA1
24675ba34154b43ab97fe27c9a15e8ed50d101b6

SHA256
3b71b214236e0fe464261e081628fb7d26fded5a08cca28820cf0a849310cd3f

SHA512
756f1628b40459e191cc96ffd75118cf8e7726764ca497504a0fa4a22a150347d1bfb993dd4c308f420fc57171eaac9ecba7b9761cb96929ba5f098ce56d76d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ui\pfUI.dll
Filesize
16.4MB

MD5
d0ee52daa39b8b22eced053f68d5b765

SHA1
24675ba34154b43ab97fe27c9a15e8ed50d101b6

SHA256
3b71b214236e0fe464261e081628fb7d26fded5a08cca28820cf0a849310cd3f

SHA512
756f1628b40459e191cc96ffd75118cf8e7726764ca497504a0fa4a22a150347d1bfb993dd4c308f420fc57171eaac9ecba7b9761cb96929ba5f098ce56d76d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ui\res\CC_Logo_40x96.png
Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ui\res\CC_logo_72x66.png
Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ui\res\Montserrat-Regular.otf
Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7805.tmp\ui\res\PF_computer.png
Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
995595a50a3c62c570ffb3caa30ee979

SHA1
bfebcb1b95e18dc42702e32aee9566c3dda63075

SHA256
6afe09e148ff728e6e7ace24f0f6168ba3e7d4a1669b37d7938b1cd546d60088

SHA512
770afbd9afbe2fe096fecf56e1ddb6e98d8e3c2237acd3bf4cb02a394b4c937c46334ea0ade33407ee5496f0eb3bc81706ced228a5f0bd08dba26e6b0e600f65

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job
Filesize
760B

MD5
410096d99a0a8a6e88a93e7a55a23cd3

SHA1
fdf4d0cda9493327a7b0e474aba2c50ec2c3a964

SHA256
327a8ea63453865c3e62dda5fe1adf205e16f45ab4d1caceeaac2ea3127196aa

SHA512
5a961be74b301903a7a246dfca23a81f4e25986b07ff229c93f432bfbf462dec329cb0a1b5f8e81916d12d1312be1797ac888554767b43417226d9861a7008da

Download Submit
\??\pipe\LOCAL\crashpad_3080_ZAYYNSHYDGQNTUAG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/660-268-0x0000000007480000-0x0000000007488000-memory.dmp

Filesize
32KB

Download
memory/660-344-0x0000000007660000-0x0000000007668000-memory.dmp

Filesize
32KB

Download
memory/660-298-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/660-238-0x00000000064C0000-0x00000000064D0000-memory.dmp

Filesize
64KB

Download
memory/660-244-0x0000000006660000-0x0000000006670000-memory.dmp

Filesize
64KB

Download
memory/660-262-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download
memory/660-264-0x0000000007770000-0x0000000007778000-memory.dmp

Filesize
32KB

Download
memory/660-265-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/660-267-0x0000000007760000-0x0000000007768000-memory.dmp

Filesize
32KB

Download
memory/660-289-0x0000000007520000-0x0000000007528000-memory.dmp

Filesize
32KB

Download
memory/660-269-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/660-271-0x0000000007480000-0x0000000007488000-memory.dmp

Filesize
32KB

Download
memory/660-274-0x0000000007470000-0x0000000007478000-memory.dmp

Filesize
32KB

Download
memory/660-277-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/660-294-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/660-291-0x0000000007560000-0x0000000007568000-memory.dmp

Filesize
32KB

Download