31c5c9de9fa8af8f0389c81073792c2d83593da92fa71ee23a119b2d3441f2ff

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24-03-2023 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup609pro.exe
Size

50.7MB
MD5

d54e3f8343b8080c9dcaebcac1223c8d
SHA1

34c2a6e3b9e9e8af547e1b4690f9438c2136d927
SHA256

31c5c9de9fa8af8f0389c81073792c2d83593da92fa71ee23a119b2d3441f2ff
SHA512

10422d7805eb85d24656d247a248a33c30ec12824d5ec6e90c2433a7d62db7825ab8708ec352bbf96c300ed2299e374b689aab0dc217e39f34f559d125390434
SSDEEP

786432:/gdvr/D9oTblmYTv98cbxXUFvXIfo1XuQ5ogTsyB3jNYqvuOK1g2szehRXWg:/gdvv9slmYj98YUFv6kAKsk5DK0zeLP

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup609pro.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ccsetup609pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Executes dropped EXE 6 IoCs

Processes:

CCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exe

pid process

2784 CCleaner64.exe
4320 CCUpdate.exe
1496 CCUpdate.exe
1660 CCleaner64.exe
1336 CCleaner64.exe
2264 CCleanerPerformanceOptimizerService.exe

pid	process
2784	CCleaner64.exe
4320	CCUpdate.exe
1496	CCUpdate.exe
1660	CCleaner64.exe
1336	CCleaner64.exe
2264	CCleanerPerformanceOptimizerService.exe

Loads dropped DLL 30 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exe

pid	process
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
1496	CCUpdate.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1336	CCleaner64.exe
1336	CCleaner64.exe
1336	CCleaner64.exe
1336	CCleaner64.exe
1336	CCleaner64.exe
1336	CCleaner64.exe
2264	CCleanerPerformanceOptimizerService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCUpdate.exeCCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe"	CCUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 20 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

CCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.execcsetup609pro.exeCCUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleanerPerformanceOptimizerService.exe
File opened for modification	\??\PhysicalDrive0	ccsetup609pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

CCleaner64.execcsetup609pro.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\ff16eb2f-fd4c-40f1-a476-c29a2358dd78.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\8511dd15-8e55-4f84-a9a7-4eaf96811762\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\branding.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\temp_ccupdate\ccupdate610_pro.exe	CCleaner64.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\pd.log.tmp.db5844f9-b431-4ded-a2e9-236225b6d6f4	CCleanerPerformanceOptimizerService.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\CCleanerBugReport.exe	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\5836469c-8df2-40b5-bd4f-7676fefcd922.ini	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner\Setup\8511dd15-8e55-4f84-a9a7-4eaf96811762\ccleaner_update_helper.exe	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Setup\8511dd15-8e55-4f84-a9a7-4eaf96811762\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\41a51c6b-f692-429a-b238-c9b02e1974f7.cab	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1053.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	ccsetup609pro.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230325003235.pma	setup.exe
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.4f7f94ee-f4c4-4c90-a54c-ab7b584e2ea1	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\9a0090cc-dc99-4607-b059-875b55ccd6a3.dll	CCUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6bd45f45-dd55-473c-b4a7-9e74dda25fd0.tmp	setup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup609pro.exe

Drops file in Windows directory 2 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.execcsetup609pro.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup609pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup609pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup609pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

ccsetup609pro.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup609pro.exe

Modifies registry class 27 IoCs

Processes:

ccsetup609pro.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Ejecutar CCleaner\command	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Ejecutar CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Software\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Ejecutar CCleaner	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Abrir CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Ejecutar CCleaner\command	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Abrir CCleaner...\command	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Abrir CCleaner...\command	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Abrir CCleaner...	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exe

pid	process
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe
2784	CCleaner64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
2388 msedge.exe

pid	process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	pid	process
Token: SeRestorePrivilege	2276	ccsetup609pro.exe
Token: SeDebugPrivilege	2784	CCleaner64.exe
Token: SeDebugPrivilege	1660	CCleaner64.exe
Token: SeShutdownPrivilege	1660	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1660	CCleaner64.exe
Token: SeShutdownPrivilege	1660	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1660	CCleaner64.exe
Token: SeDebugPrivilege	1336	CCleaner64.exe
Token: SeShutdownPrivilege	1660	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1660	CCleaner64.exe
Token: SeShutdownPrivilege	1660	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1660	CCleaner64.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exeCCleaner64.exe

pid process

2388 msedge.exe
2388 msedge.exe
2388 msedge.exe
1336 CCleaner64.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

CCleaner64.exe

pid process

1336 CCleaner64.exe

pid	process
2388	msedge.exe
2388	msedge.exe
2388	msedge.exe
1336	CCleaner64.exe

pid	process
1336	CCleaner64.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exeCCleaner64.exe

pid	process
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
2276	ccsetup609pro.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1660	CCleaner64.exe
1336	CCleaner64.exe
1660	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ccsetup609pro.exeCCUpdate.exemsedge.exe

description	pid	process	target process
PID 2276 wrote to memory of 2784	2276	ccsetup609pro.exe	CCleaner64.exe
PID 2276 wrote to memory of 2784	2276	ccsetup609pro.exe	CCleaner64.exe
PID 2276 wrote to memory of 4320	2276	ccsetup609pro.exe	CCUpdate.exe
PID 2276 wrote to memory of 4320	2276	ccsetup609pro.exe	CCUpdate.exe
PID 2276 wrote to memory of 4320	2276	ccsetup609pro.exe	CCUpdate.exe
PID 4320 wrote to memory of 1496	4320	CCUpdate.exe	CCUpdate.exe
PID 4320 wrote to memory of 1496	4320	CCUpdate.exe	CCUpdate.exe
PID 4320 wrote to memory of 1496	4320	CCUpdate.exe	CCUpdate.exe
PID 2276 wrote to memory of 2388	2276	ccsetup609pro.exe	msedge.exe
PID 2276 wrote to memory of 2388	2276	ccsetup609pro.exe	msedge.exe
PID 2276 wrote to memory of 1660	2276	ccsetup609pro.exe	CCleaner64.exe
PID 2276 wrote to memory of 1660	2276	ccsetup609pro.exe	CCleaner64.exe
PID 2388 wrote to memory of 1140	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 1140	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4776	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4440	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4440	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe
PID 2388 wrote to memory of 4328	2388	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccsetup609pro.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup609pro.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4320

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\9a0090cc-dc99-4607-b059-875b55ccd6a3.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1034&b=1&a=3
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9798446f8,0x7ff979844708,0x7ff979844718
3⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
3⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
3⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
3⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
3⤵
PID:1004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
3⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
3⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
3⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff6ce775460,0x7ff6ce775470,0x7ff6ce775480
4⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
3⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
3⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
3⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
3⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
3⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
3⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5514528236075705943,14277706299938248668,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
3⤵
PID:4224

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:5444

C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe
"C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCleaner.exe
Filesize
31.1MB

MD5
134d186a5a2e9c457aaff06b1dd38f26

SHA1
da94f737371c78392c23d2193ee5b33de414403f

SHA256
47d28d20f347a5e8083d1cabb0d84d136f57f234f46caf7e2dbf9ec7b6867a1a

SHA512
1b84bb1b0e548473750aac083ad1a0e044a42359afe6badca93a73c6dcfa2b855fc4133922c6509e478c56582e75e6edb37afe0e0814edf519ab18bc2d14e1f6

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
7.7MB

MD5
a49dc29c7dc4bdf7d1c4b50bc4bf97a9

SHA1
4c342b9845f14b9efdcc9838ca71eebb8f92f57f

SHA256
20c32eb3b598dcfef0c71ca1f1e21ed7d3ea41825ef59d963b8553261646885c

SHA512
5a18b98218528f613954a1e002f8fd9841187cec1983e642a5ec7a8bc5853144d04f05e4902ac83d36fd06e2eed072b3a665bf35a1b78ba69dee4d75c5dc3847

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
7.7MB

MD5
a49dc29c7dc4bdf7d1c4b50bc4bf97a9

SHA1
4c342b9845f14b9efdcc9838ca71eebb8f92f57f

SHA256
20c32eb3b598dcfef0c71ca1f1e21ed7d3ea41825ef59d963b8553261646885c

SHA512
5a18b98218528f613954a1e002f8fd9841187cec1983e642a5ec7a8bc5853144d04f05e4902ac83d36fd06e2eed072b3a665bf35a1b78ba69dee4d75c5dc3847

Download Submit
C:\Program Files\CCleaner\Lang\lang-1034.dll
Filesize
248KB

MD5
3739b320bd1533366399bd81a35d9ae5

SHA1
999af2349ff11475acaef0bad7444eef47aea813

SHA256
e9f4d3034fdd07ba153e1f60e9a9615c527f34263c08e2f9fbdcd5930d0a1d02

SHA512
bfab82230ac59708f780a23fb87df8cfe2da6dcd039d4ca7c95427e7b83da6ddaae5f9d7b59e55c47d7c71f28af8028d3c3e307ea3f706b0e22ab7904efc93cb

Download Submit
C:\Program Files\CCleaner\Lang\lang-1034.dll
Filesize
248KB

MD5
3739b320bd1533366399bd81a35d9ae5

SHA1
999af2349ff11475acaef0bad7444eef47aea813

SHA256
e9f4d3034fdd07ba153e1f60e9a9615c527f34263c08e2f9fbdcd5930d0a1d02

SHA512
bfab82230ac59708f780a23fb87df8cfe2da6dcd039d4ca7c95427e7b83da6ddaae5f9d7b59e55c47d7c71f28af8028d3c3e307ea3f706b0e22ab7904efc93cb

Download Submit
C:\Program Files\CCleaner\Setup\41a51c6b-f692-429a-b238-c9b02e1974f7.cab
Filesize
412KB

MD5
12938932e37f24044ed00a043106dc7a

SHA1
435a4ac59b0bb5b8c764267ef969915b61db1547

SHA256
fe000954de50a7682d3fb4069e3e1b8e2b761a808c2e840c1d82bdc556ba57de

SHA512
8980534a887bd5cd423c8327cbdeeeaa93c3900b423bfdef4d485a86c9a3ed6df56b7f9dd8616631087f9c487ce3c1af11a4446f38a9b2048db5ed98d4576b79

Download Submit
C:\Program Files\CCleaner\Setup\5836469c-8df2-40b5-bd4f-7676fefcd922.ini
Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\8511dd15-8e55-4f84-a9a7-4eaf96811762\ccleaner_update_helper.exe
Filesize
729KB

MD5
844b5a7a8d35da17d19de4cbb1d5bc6a

SHA1
5c8ff1c0d5dfbf703835cd35ddbc93c1eaba20a6

SHA256
c74181c70ad77d8ff034a06ea3a9fbc4239a08b93e7c39380cd0663a04e076bf

SHA512
97a7c02651a247ae0da0fc018e4e910137d574b7e5f7bef3dde15c39742a22d0fb4d75302479cebd51c13927b33d0cd1042f33fdb084676bb1004aae51e0390f

Download Submit
C:\Program Files\CCleaner\Setup\9a0090cc-dc99-4607-b059-875b55ccd6a3.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\9a0090cc-dc99-4607-b059-875b55ccd6a3.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\9a0090cc-dc99-4607-b059-875b55ccd6a3.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\config.def
Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Program Files\CCleaner\Setup\ff16eb2f-fd4c-40f1-a476-c29a2358dd78.xml
Filesize
1KB

MD5
a8500f686252cdd13696bd7cd4df2df7

SHA1
4b8e01170a0fab56f250fabd6ec937e9a256d9c3

SHA256
693225b1c379176971faeb9ac2b49ab64750bf309d617f0bed0f7d2744ca57f0

SHA512
9c00c10ae75a5498593c0ae43be6b77b13d68e6db8367401127dc72a3ce5678b0a5e52d8b8b768af611a157b39e4fe7e44cfa5f257ac07c273142865bbf73499

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\gcapi_16797043342784.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16797043421660.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16797043421660.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\lang\lang-1034.dll
Filesize
248KB

MD5
3739b320bd1533366399bd81a35d9ae5

SHA1
999af2349ff11475acaef0bad7444eef47aea813

SHA256
e9f4d3034fdd07ba153e1f60e9a9615c527f34263c08e2f9fbdcd5930d0a1d02

SHA512
bfab82230ac59708f780a23fb87df8cfe2da6dcd039d4ca7c95427e7b83da6ddaae5f9d7b59e55c47d7c71f28af8028d3c3e307ea3f706b0e22ab7904efc93cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
1KB

MD5
13e6b3deaed20e0d442218c2fe1ff211

SHA1
196177c42bad050b9b9242eb5160a9abbf498c87

SHA256
5c739de218bbb2e032deb9026219e024906edca8360e0dfa67e0f934acd3a5a7

SHA512
987fdaad863f0563b74e5a1c6649b1016cc6c02fc40d29bcdfc70abb1485b83c3150f0ac1ee0accf6c468ab7aa4a30762e221b51d3ecfaf0a1f83433caac2c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
5c044e7f16be700237ae9f9f494101a0

SHA1
1b231580420248ead9b6509da69ba88bb5f2ebc7

SHA256
c0b3879685518cb2b27d03978ce91a31741cb57c473354b69084842133420d6f

SHA512
7d396a6d99b4641082836f80dcdfe7c5c68799e3a1f58cd1daa13e4656654e5c5ca69a53373f7d4edd75cafd3f33affb314ab2afac0517ad76ef5e05e4ae953d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
396ebd3aa8efa85181e1fbf70aa52b12

SHA1
ad54702cd06cfe878f7918262063bff30ff715c5

SHA256
f96896606a05bc081e8cfca8b57c4d409aa69c6a901b19b05848bb5e124ec276

SHA512
603ef302b90db5098373b9742beb309b617ff7e4f015570d5baea8802ca9baeef59854ecde55cbe53167ce9ac14c5f6119f2b5903b118214aa9f3dba5c99a472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
bbb1731cfdddcef109d4be87b95f2254

SHA1
0ee037de3c5f82d82088651e64d74df3850f1e5e

SHA256
792f99c939647b571b40fbebd15be315dd4d935c6b3444921559b15f96f11a85

SHA512
d922c512920fe2298a9cb8c9b01da847d8a6fb5a378b8f6c76627643b3d56689e46d8617b076ccf4498b8e7c56724201bc0545d4d04b69f64724e4a94d7c5fb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
471B

MD5
0e5c27ae1f8c448fd48d2e95cb0a90ec

SHA1
856b110a93a16518315350ca92ccf0e5e5166c0e

SHA256
d991726a5a2f6e3f68c7c35bf88852f898a060e0383be10c883ce650293253f7

SHA512
2d9297dd025c8d2cf3513e4e988920d36ca472f006d7e209d60dfb159d57e7b0c9938ed0546bc0e49b8e0499233c11f1acfcebc0b65b1a54539177d94d5e228b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
471B

MD5
fe61b9d41023cfa8a3e00974545258f4

SHA1
93cba56b04d6ed6596b69055d81ae3ac20130f77

SHA256
7380fb1d6537e8173a51cbff87ac0f120d68418dbf4210d1836f918ad380fafc

SHA512
901434366f425e74f13f146571a6aef7763ecead54fcd34d393ec071945f52b0be4375228e58e3cdc092d87019a49690d57b6124bf205b8a91ec437f7373fcc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
434B

MD5
b3b0853975744489c80d7fe7d05aea55

SHA1
9d5f6bd66f44a129573a06c7ee2c8bbcd3893c91

SHA256
da163777b954f1a301a7b286dd3c51f9a95e5ba62295bb433bd72f0be8bd4451

SHA512
3b13185e08149780ace878add47e318a525383fd7df8d18e05b8e93cb1212215a89faa60fe833052e4c77cf625adc576e427bc880e5b5f75dbbe25f89420b6f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
b54e8724645028bb4a96caf8a2ec80fa

SHA1
718ded206e4f1b77f3bb4c64026a83c7aef0f07a

SHA256
d44b159461f85ec25761759a01499aa2f6f1ff3019f08dac2c08980080943899

SHA512
473d46717cd2d6512190ed47a90d43f6c36280aeb4f8bbd55a829fd4e79a6a8284f084200b628f831e1248c3cf4a178717ddf42ad6fab3051105f9dfd99bdba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
f305f6f8af7f50d105c3a414dd2863ac

SHA1
df2df81a125265609c14846b090130f21fb33eb4

SHA256
a21dd9c3fcfecaff1b6a894cc5e257635ec3d72f0b16c76cf373f505fee29bc8

SHA512
421d84c9f016b32b195088036c73b81d1db91c5fdde0f71e4a2f3c139907944398e113ff8b1d4ad9d8678832f8529771b92adc734c1a408c5f87d5fda64d7976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
04141df24e4d4645838cc313a8182942

SHA1
d082831310cc6d6e682d509362d1411599440a82

SHA256
eb1542dd8989a44ff1247995cab78f4c3a36d13ff2527f6b3155f69ec0199e5d

SHA512
a6518ea0fb31e5ed6ab7df986df1c98e432a80f9996d3563a0855fadf99c18ed58fbbf4a1fa089f48765c88b8ccecfdd7fbd99f4fa9da8102afc9ad29ae9d727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
426B

MD5
be7a9a8480c86c2d0e7c37515f308b22

SHA1
67868ce196ad2acbfc759fd2bbeba34cd5acb6f4

SHA256
48a2a94c038a514a97f1937f35f39582f6cdf064579b53728b8434d65c5af203

SHA512
ddacf963d71c8f07774c41ea6f9fda4ca2322ad83fb46b1deb9c25ebcbe526f24a5b7649c200d1aedef961dce381f087ad695401a16af9fa7f218c7736ea4613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
464B

MD5
bdff224ba781500a274b94a751374f53

SHA1
11ea68ee2a1751cd9d5a0068ab39319018d179f2

SHA256
0867e9c675189cd13c143170ad26b8216a3ab72f0f1d083ec8f7f08a477e5a28

SHA512
eb6411a5833e37f8c678392238fb7e6a52b469eac4996ac9bcf24c34c2e108af661a823f7ecfbf53d891bfb5319ca5a9beb7d3edfb64161feafc1eb94d6cfde8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7b7c3bee-35b1-4396-8c99-b650445c9018.tmp
Filesize
12KB

MD5
771dd498f935495e9da96a5f42981ef3

SHA1
8ecf349135aa47223e1fdac5537b947975d360cd

SHA256
3568d2cc50316aeff99c633dee315c5b2438ae2b6a80a2b5fffa0a09347655cf

SHA512
c5661b31517d503cc577d57969d3c0c88b09e924b147d2b1f5ffb8992f8f867df7c2cbc6cbcf6c175f5d00bbd60e4680d022143218a9a3efbcaddf1e7849b5d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
15f0bf02bd53bdeaac6157a87dc858be

SHA1
17992d07f4f420f9e8bff9f372b1bdaba9629663

SHA256
ab308d88e17b6f6cd878a642e3a08efea3cdf630f2fee778c7b30d0116403a49

SHA512
c14559c925e9af21deacc7079f3888d1e8aa503ecd989d28052fd5b8b463b730fcce95d573800c2247d227985b4cc19f0d72a347c171e3b72d4f9375fec9df09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
576B

MD5
acfb15e6ad4ce2dce795d126054e80af

SHA1
3e3a7bae1d950d3dd9ff9df1ffbb2c0ac5665635

SHA256
f8e5fc7229116c032ca4b26cb12d96e2aa77dbb1605b654a0f5ffee03f3af4f6

SHA512
f9291ecfd03981bf14b253bc9731b305f70a11bb829aeae963918625c960351b104ddebca69f295ae67962ae70c1dad51300905b53c8f3fb2478660c86f7a893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
18f0950202fb40e9e54c2ec6d0134bf5

SHA1
1e6ebc671e63fe71d6f821d0bfcb249e7d16faa3

SHA256
5691d0b671a8bfa8b2e3b41c84c0073f7d5cfd5c4d8118591c9201225cf6f712

SHA512
a603614ca95a19afe7ab847d118bf8f4155b8d7bf569d140d6182881e675271c4db27d8f7f355dfa2799735c9c9a1158e6f013f9f81c191dc54728fe7303591a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
7134c07468267c5a5db893baf143a1da

SHA1
812ec7a40d61a117857f9717ba2db2ef33c4bd49

SHA256
e8971fd599ef4a76853cb21b6ef8d5a59b760bb72ed58cb45e8dbbb7739e8f29

SHA512
4b65cf6d82cef82b5c5ccb0cdf00838140e5f304cd9329a433a5fb8d2e9c6ebb3c01054be0ab3046117ee6dd9bd98a011d5f6c46701dc3d9b3d65b26c3fa87d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0a6c983d44fa1e4597e5f82ef0d804c3

SHA1
e444e738426db51cdfc6452c613bdbbb930d4dcc

SHA256
4e9a9e38e9f288e0de5a83fc5849dff4073d4c98f00811875d65a7892673a811

SHA512
c78615b97861293798f24c2e63e474c9c86f3b052797d60e25836f2bcded9e67996c3698904ba5ce61c7711d6f03d4d4645064973cae1b7fddd785b8fc2fd54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
e67fbc5d23dacdc1637449239a49ee88

SHA1
dd71cf05753a069d2cdd93c48c982b465be4f826

SHA256
ae1b7232b4bceeb902b75d54a79cd734efa8a92dba8df1505da92381ebcfdd10

SHA512
ecb14fe9c357e46927cd8ac6003fcbe9054863e1302e507519cc9c882fed29c749a1ef1a45407cace629dccb537120b82b0b16d98520d8c17efa8f79b0bed93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
706af94ed662901e22957b122194cbeb

SHA1
0bd2a78c5d1b2cc74928449c84e461af29bb8abd

SHA256
12f180dc32d95b46fb9ad8f0036f5172fe880ecb36399cf382d95b141c9f1769

SHA512
5464a3e4602ee4fea6c3b9e93d27b1edd96a8a21edc2206eef859f997f93d784dc059304f2474ab72dc4e2e7d32eb8f14e9e3383623d587722b3d3323593c269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583c87.TMP
Filesize
1KB

MD5
bfd5d3c92d0dfdb47e439516fa7025f2

SHA1
d02fded4432ad0d32d597d643e1e8a074958c40c

SHA256
60996ee7921a166509a89558284e3d0385fbe001dfe709cff7242d3b94fa2f05

SHA512
05c27c31013f6c20ff222e89376cd200376bcf3868dbd5159fbc642f5e7c2e7eb9cfda0885c427a813bc82a4633e5f03faab4d43e737d7b8b5a3f2a4aaeac0ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
f4146074e8ee815875baf90948b1c533

SHA1
2b68f15cbfc443bb1c550320d868c3eace0db90f

SHA256
89ae7258d90377157b3083a7d50b37d6235acd91dd00247ceac7471045eaedae

SHA512
42613619fce9660cbd3abf31e44385c700626f865e62a3d51cb2b25c5fce081e7a4ada0cb8291c844afaff66bd6c89c3a781ef95137a703b64c1f39d5e928208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
dd0664f07a6a0cba26f91408738d2b68

SHA1
64337300ef6795cb28bb6ad6432ef111576e2df2

SHA256
2de6bfd974bd5bd053fc30f9ff85e75dd98f66baa4246839b18f3a7b09775323

SHA512
99af1c4adb6a81063cc9f70dbf5ff1833c4bd1c8ce6bfe5380d4a7e989229719fdc582a3b903c4324920f242cc369fe6d63c43a18080128b4a4806486b2e2c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
4c1f07e02faa0bfdf84c22ea59a2ae42

SHA1
68a5c6a5a69c1f5deba9f133b56e6fe014d88401

SHA256
ee72a0dbde264cfc3eca5fdd462ddd75df938922f6e618a842effd407a12a075

SHA512
9aa0fd1247ae9079cf8525aba64b39ae78e3c04ba92e96dfe3979db17bf3e9c666a07395e05e30f6f684cfa0c3bbd18d96a5f4860aa9db243f568b4e98b7661e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
bc4e17de4cf9f98f1b3e6baf795412a1

SHA1
2033fd43a27e86cf09816fed4dcc3a85b2867e17

SHA256
35c406fe31617267b934e26f6ed11c2aede793bfcb00bb313b3f1b68c2a42103

SHA512
728595200e6b126987ba860ece08511671452ba5ee3a2c0eae778504dede8948937519fc8fe8bb6d06a927b2ca3d1d304b5bb13c1f2e7b71b24780df3525080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
ccb55b096704358504d74548a2591315

SHA1
14f156ff0ca2f0ea82df11d23ec95c70a533bab6

SHA256
e0538ac2d690c7a53e282d018ecedf3c6696bbe0794cdbbe540ed2bef84dca99

SHA512
1364162ff1ae977d8bd605fd17ddb84e1a3e3ae1fc5462914cdb249aa4e3619f65d4d323c219764ea7c40c9ae3973b102210902603b30864c6a3afb3524bbf43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
f151a7c44179dd59cc040e3ebff0b4a0

SHA1
b08dba007b643507ae2497d1eca95b28ecfb0fae

SHA256
e048d50dd455aa1083e127fd15be9fabc7ae35e92703c806d66d86efc3e37a10

SHA512
3d692b53f5a223245f313622f28a8c70e30ce29d10b2ffdc944189cce3b0743568fe70635841c406953c9c5df1a7d293cc5b5963459c9d0bf2f1bdab721f1498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
6b39c24f5928195a706f91d18f4d4880

SHA1
21beccc89b3f494be8d74ba18d130a45a5ba240b

SHA256
9b908e51d1e163b979183b37ffde29933357bbcdebc86fa252f77242969d55cf

SHA512
45f0120b7c54531162e7c01d8b4f418ffc58483d3bc73a8fb130e4187b17b47f656e08919b717b0628f246423a92f560148601d212288ed8c8d930dce9ab667b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
f853ba0005c25091872b57a48f2913f5

SHA1
97ae793780ae367b92f7afcd086f6752aa068d85

SHA256
9564d2dc53f52ac838e0867b00db1b44a6838c9d1f9e3a84b94674950c01d401

SHA512
3a98a4acf8a787dfc6536d4b1bb8fbc424863173a53687e493e743d76f951580307b9bc228ba3c3af1ebd352ab851597f83e424a82903950d68334d4a16ccedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
ee12c1e210f57a1366788b2dab4bcef3

SHA1
8ca01f47b102d27c240fa8c17bdd13a5698bad29

SHA256
78b803b091e86df37676a64bd651b03200b232c5917087400d18a193625cd661

SHA512
3c33a7947bde410693b4fca463df926c73e19af5ad36828cf35bba44de6c0ad50a88f3910701af5ac8da7897abc0bf7a8b5e5b032d5c71234e84acf4c593cbcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
42acc308fc4108fa7f6140fe1e2ba96b

SHA1
7b004217d39454ee96697b98548408247ab8e4bf

SHA256
38380e9afec5dc7711274aa1fe184acd3f2b25f86caffd9af785ad2dfc812fa4

SHA512
d4310d9b78ba9e8247ef5cbd710e027ad58d4ede76ccbad3f30d47f430b7bab7fccc81298534fefb93012750936f1286eeeee3b2ad5c485c5d2249edb23222f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
aa55057c8c66c4b2b4bc32382b911af9

SHA1
0c2f58867d93ff7d44f10ea67da6c613f1c87512

SHA256
e6e3a51034188c117b46b2f90b2f6525a600dcf2cf4717dc59eb96504c45cd33

SHA512
3df333e60491d6d37a5e67e141771b5bd672ae61f70416148c7b9d5971b330d4cff083385169b8de1f93fff3fd958afaa83ea209171d97424ba40a2499a604d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
114d19e1fa2487dbfb3e9c330e5c9c9d

SHA1
320cb811ee2fe455bf75f52b481987d5cba3c134

SHA256
889b919c72b4d2fa27322b83aa11fbfb30f860f506e7a321aaf09d7c80516f3f

SHA512
52eb89db753975d64b161b71ddee39cf8e0a1f1c7544b111f4bf47d93bf7ff2d5e3ef345641958f2c22d661435378108adbae617a5d0cb538aa5a9808989ae81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
0c53d41e1bd3984210c204026fafa05c

SHA1
d187e80e0b76224974cba180d1aff9db7644fe27

SHA256
301e62257a7625a718b1c8eee71979d640cc849b632f20293d908f8faa4124ba

SHA512
062a755dded5975013844938f167311751a7c499abf3d22e6fc94580a7648ab43a0f98b096506d5cea2e6659b2eaf81c8a1829570afce0fb1cce8b1c61f97b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
e1a6669a33e594bb335753c32d1a7678

SHA1
b852cf8cb7ccd484020f14b6d911ff17da1e59b7

SHA256
ee724b3cdc05a383d1ce4182fbdab8cfeb83bb88faac06de1a169e05bdfa0d8d

SHA512
d5636459fe9e460227ce930b3b8084ae108d9d2e0a14f51b8511e8988dd5f597047b2a7bceb30a9fe4bf336601d5cc83c27bd0b2ff2fc243dc35ba42e11184cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
8e8524ad6aadd0bdb14f6b75dbfaea59

SHA1
2136283c59137d41c34b007546531f251c755031

SHA256
60902cc2f259cedb8f45692bc381a78f3bddaa88788c7562bea9e83029ac4943

SHA512
8e6c4809c3fd3849284d5f4ea96bc0cf7e7190c2104b234497e3d37db02953a1cfbfac79705a4e78a92033fe6f65368ca4532ef6797a51b0a0edce30ef400aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswfe9be637250e0668.tmp
Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\INetC.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ui\pfUI.dll
Filesize
15.7MB

MD5
8189d2d01f801ac406434b28e7df4743

SHA1
caa140b9c2aaea611168850f2259b574982e1b13

SHA256
7cb4c428ba38a8bc41fec4ed658e9bcfbf9a9f680cbb897f09ec31ddbbb013e6

SHA512
661ffd3a4a3fa121e5acafb56405944ceccb4d09d9c1a5e57bcbe67609854279eead610f28d0242879eca3afeb102b764920014d596ffb50306f21926fca3378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ui\pfUI.dll
Filesize
15.7MB

MD5
8189d2d01f801ac406434b28e7df4743

SHA1
caa140b9c2aaea611168850f2259b574982e1b13

SHA256
7cb4c428ba38a8bc41fec4ed658e9bcfbf9a9f680cbb897f09ec31ddbbb013e6

SHA512
661ffd3a4a3fa121e5acafb56405944ceccb4d09d9c1a5e57bcbe67609854279eead610f28d0242879eca3afeb102b764920014d596ffb50306f21926fca3378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ui\res\CC_Logo_40x96.png
Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ui\res\CC_logo_72x66.png
Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ui\res\Montserrat-Regular.otf
Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy90FC.tmp\ui\res\PF_computer.png
Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
f98c303115ed15d7a56166ab080901f9

SHA1
6beb251ab704969176a4bb5f92ca68db2b96fd11

SHA256
f64b7f7d57de70b1ecaea9a2ba16efa0f73e8094d03d162ae2331fd2345632e9

SHA512
0f9f9a1197a379d0cefee18943189fa0645b00d1701ab5f7a9ca2c96175c206a77938fb6fab553e78cea8a1e78426778237cc9b0977e94e7da86091c325a7d98

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job
Filesize
760B

MD5
4c1e92865f391a346bc1e5f1b8149484

SHA1
c061076fbaa7533cf0a2de7fca7a8be03ed29bc9

SHA256
e21b9af77cabc6648c2326d52d2776b6c60b714417d809c64619cee7c3edc6ac

SHA512
491a39c29b2fe17902f31c2575f536530f9cc27af60a50f98cd8ea20a59a30d66cf277abd76a0aac3ca6a58b08a9c91b06a890f294bc13d812d926b478b0fb6e

Download Submit
\??\pipe\LOCAL\crashpad_2388_IJYAOZIOPYWXNFYI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2276-238-0x00000000063A0000-0x00000000063B0000-memory.dmp

Filesize
64KB

Download
memory/2276-274-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/2276-264-0x0000000007650000-0x0000000007658000-memory.dmp

Filesize
32KB

Download
memory/2276-262-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/2276-244-0x0000000006540000-0x0000000006550000-memory.dmp

Filesize
64KB

Download
memory/2276-271-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/2276-267-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/2276-265-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/2276-277-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2276-289-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/2276-291-0x0000000007440000-0x0000000007448000-memory.dmp

Filesize
32KB

Download
memory/2276-294-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/2276-298-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2276-344-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/2276-268-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/2276-269-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download