31c5c9de9fa8af8f0389c81073792c2d83593da92fa71ee23a119b2d3441f2ff

Analysis

max time kernel
1806s
max time network
1731s
platform
windows10-2004_x64
resource
win10v2004-20230221-es
resource tags

arch:x64arch:x86image:win10v2004-20230221-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24-03-2023 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup609pro.exe
Size

50.7MB
MD5

d54e3f8343b8080c9dcaebcac1223c8d
SHA1

34c2a6e3b9e9e8af547e1b4690f9438c2136d927
SHA256

31c5c9de9fa8af8f0389c81073792c2d83593da92fa71ee23a119b2d3441f2ff
SHA512

10422d7805eb85d24656d247a248a33c30ec12824d5ec6e90c2433a7d62db7825ab8708ec352bbf96c300ed2299e374b689aab0dc217e39f34f559d125390434
SSDEEP

786432:/gdvr/D9oTblmYTv98cbxXUFvXIfo1XuQ5ogTsyB3jNYqvuOK1g2szehRXWg:/gdvv9slmYj98YUFv6kAKsk5DK0zeLP

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup609pro.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ccsetup609pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Executes dropped EXE 5 IoCs

Processes:

CCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid process

4108 CCleaner64.exe
1492 CCUpdate.exe
2464 CCUpdate.exe
3916 CCleaner64.exe
1832 CCleaner64.exe

pid	process
4108	CCleaner64.exe
1492	CCUpdate.exe
2464	CCUpdate.exe
3916	CCleaner64.exe
1832	CCleaner64.exe

Loads dropped DLL 28 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid	process
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
4108	CCleaner64.exe
4108	CCleaner64.exe
4108	CCleaner64.exe
2464	CCUpdate.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
1832	CCleaner64.exe
1832	CCleaner64.exe
1832	CCleaner64.exe
1832	CCleaner64.exe
1832	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCUpdate.exeCCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe"	CCUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 10 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ccsetup609pro.exeCCUpdate.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup609pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in System32 directory 1 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup609pro.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner64.exesetup.exe

description	ioc	process
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\temp_ccupdate\update.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner\LOG\event_manager.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\branding.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\16285aad-d8d3-4e35-a877-a5426d0d03c0	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1081.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Setup\2b99f5c0-637d-46e2-8df7-8174fa25151b\ccleaner_update_helper.exe	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Data\usercfg.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.99fdae75-312b-4c55-8c58-3ff1705f74f6	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCUpdate.exe	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230325003426.pma	setup.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\16285aad-d8d3-4e35-a877-a5426d0d03c0	CCleaner64.exe
File created	C:\Program Files\CCleaner\Setup\e4d33bee-aaa8-491e-a4d8-37ce3c109467.cab	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1053.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup609pro.exe
File opened for modification	C:\Program Files\CCleaner\Setup\2b99f5c0-637d-46e2-8df7-8174fa25151b\update.xml	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Setup\2b99f5c0-637d-46e2-8df7-8174fa25151b	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Setup\e8a4871a-d462-499e-a26a-0f082d7afabe.dll	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	ccsetup609pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup609pro.exe

Drops file in Windows directory 42 IoCs

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000A.log	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000B.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00003.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000C.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00010.log	CCleaner64.exe
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log	CCleaner64.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20230325003148.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000E.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000F.log	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00006.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.execcsetup609pro.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup609pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup609pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup609pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

ccsetup609pro.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe

Modifies registry class 27 IoCs

Processes:

ccsetup609pro.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Ejecutar CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Abrir CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Abrir CCleaner...\command	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\SOFTWARE\Piriform	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Ejecutar CCleaner	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Abrir CCleaner...\command	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\SOFTWARE	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Ejecutar CCleaner\command	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup609pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Ejecutar CCleaner\command	ccsetup609pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Abrir CCleaner...	ccsetup609pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup609pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Software\Piriform\CCleaner	ccsetup609pro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ccsetup609pro.exe

pid	process
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe
464 msedge.exe

pid	process
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	pid	process
Token: SeRestorePrivilege	2136	ccsetup609pro.exe
Token: SeDebugPrivilege	4108	CCleaner64.exe
Token: SeDebugPrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeDebugPrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe
Token: SeShutdownPrivilege	1832	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1832	CCleaner64.exe
Token: SeShutdownPrivilege	3916	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3916	CCleaner64.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msedge.exeCCleaner64.exe

pid process

464 msedge.exe
464 msedge.exe
464 msedge.exe
1832 CCleaner64.exe
1832 CCleaner64.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

CCleaner64.exe

pid process

1832 CCleaner64.exe
1832 CCleaner64.exe

pid	process
464	msedge.exe
464	msedge.exe
464	msedge.exe
1832	CCleaner64.exe
1832	CCleaner64.exe

pid	process
1832	CCleaner64.exe
1832	CCleaner64.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ccsetup609pro.exeCCleaner64.exeCCleaner64.exe

pid	process
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
2136	ccsetup609pro.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
3916	CCleaner64.exe
1832	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ccsetup609pro.exeCCUpdate.exemsedge.exe

description	pid	process	target process
PID 2136 wrote to memory of 4108	2136	ccsetup609pro.exe	CCleaner64.exe
PID 2136 wrote to memory of 4108	2136	ccsetup609pro.exe	CCleaner64.exe
PID 2136 wrote to memory of 1492	2136	ccsetup609pro.exe	CCUpdate.exe
PID 2136 wrote to memory of 1492	2136	ccsetup609pro.exe	CCUpdate.exe
PID 2136 wrote to memory of 1492	2136	ccsetup609pro.exe	CCUpdate.exe
PID 1492 wrote to memory of 2464	1492	CCUpdate.exe	CCUpdate.exe
PID 1492 wrote to memory of 2464	1492	CCUpdate.exe	CCUpdate.exe
PID 1492 wrote to memory of 2464	1492	CCUpdate.exe	CCUpdate.exe
PID 2136 wrote to memory of 464	2136	ccsetup609pro.exe	msedge.exe
PID 2136 wrote to memory of 464	2136	ccsetup609pro.exe	msedge.exe
PID 2136 wrote to memory of 3916	2136	ccsetup609pro.exe	CCleaner64.exe
PID 2136 wrote to memory of 3916	2136	ccsetup609pro.exe	CCleaner64.exe
PID 464 wrote to memory of 2572	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2572	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2448	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 4516	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 4516	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe
PID 464 wrote to memory of 2552	464	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccsetup609pro.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup609pro.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\e8a4871a-d462-499e-a26a-0f082d7afabe.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1034&b=1&a=3
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffff1d746f8,0x7ffff1d74708,0x7ffff1d74718
3⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
3⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
3⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
3⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
3⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
3⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
3⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
3⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff686265460,0x7ff686265470,0x7ff686265480
4⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
3⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
3⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
3⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
3⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --disable-gpu-compositing --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
3⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15593847943250789357,13762898482155004647,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3208 /prefetch:2
3⤵
PID:3448

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCleaner.exe
Filesize
31.1MB

MD5
134d186a5a2e9c457aaff06b1dd38f26

SHA1
da94f737371c78392c23d2193ee5b33de414403f

SHA256
47d28d20f347a5e8083d1cabb0d84d136f57f234f46caf7e2dbf9ec7b6867a1a

SHA512
1b84bb1b0e548473750aac083ad1a0e044a42359afe6badca93a73c6dcfa2b855fc4133922c6509e478c56582e75e6edb37afe0e0814edf519ab18bc2d14e1f6

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
37.2MB

MD5
d843bfaded3a4998923c4d214b9203a5

SHA1
e8631b8c887afa047acff88cf2b93da33c2d2117

SHA256
881fe28e3191cd2b916f39500014975680b1f235860299cae609dc3fa55bc8eb

SHA512
875d2cc0bf3a2baf7e79e65267780b7a40896e0cbd718df4e017698b6bec6ed693e51f4c0ceda42841c3baae391dc4b885ffe48ddb1c3f23a9cf1d91e62307e8

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
7.7MB

MD5
a49dc29c7dc4bdf7d1c4b50bc4bf97a9

SHA1
4c342b9845f14b9efdcc9838ca71eebb8f92f57f

SHA256
20c32eb3b598dcfef0c71ca1f1e21ed7d3ea41825ef59d963b8553261646885c

SHA512
5a18b98218528f613954a1e002f8fd9841187cec1983e642a5ec7a8bc5853144d04f05e4902ac83d36fd06e2eed072b3a665bf35a1b78ba69dee4d75c5dc3847

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
7.7MB

MD5
a49dc29c7dc4bdf7d1c4b50bc4bf97a9

SHA1
4c342b9845f14b9efdcc9838ca71eebb8f92f57f

SHA256
20c32eb3b598dcfef0c71ca1f1e21ed7d3ea41825ef59d963b8553261646885c

SHA512
5a18b98218528f613954a1e002f8fd9841187cec1983e642a5ec7a8bc5853144d04f05e4902ac83d36fd06e2eed072b3a665bf35a1b78ba69dee4d75c5dc3847

Download Submit
C:\Program Files\CCleaner\Lang\lang-1034.dll
Filesize
248KB

MD5
3739b320bd1533366399bd81a35d9ae5

SHA1
999af2349ff11475acaef0bad7444eef47aea813

SHA256
e9f4d3034fdd07ba153e1f60e9a9615c527f34263c08e2f9fbdcd5930d0a1d02

SHA512
bfab82230ac59708f780a23fb87df8cfe2da6dcd039d4ca7c95427e7b83da6ddaae5f9d7b59e55c47d7c71f28af8028d3c3e307ea3f706b0e22ab7904efc93cb

Download Submit
C:\Program Files\CCleaner\Lang\lang-1034.dll
Filesize
248KB

MD5
3739b320bd1533366399bd81a35d9ae5

SHA1
999af2349ff11475acaef0bad7444eef47aea813

SHA256
e9f4d3034fdd07ba153e1f60e9a9615c527f34263c08e2f9fbdcd5930d0a1d02

SHA512
bfab82230ac59708f780a23fb87df8cfe2da6dcd039d4ca7c95427e7b83da6ddaae5f9d7b59e55c47d7c71f28af8028d3c3e307ea3f706b0e22ab7904efc93cb

Download Submit
C:\Program Files\CCleaner\Setup\2b99f5c0-637d-46e2-8df7-8174fa25151b\ccleaner_update_helper.exe
Filesize
729KB

MD5
844b5a7a8d35da17d19de4cbb1d5bc6a

SHA1
5c8ff1c0d5dfbf703835cd35ddbc93c1eaba20a6

SHA256
c74181c70ad77d8ff034a06ea3a9fbc4239a08b93e7c39380cd0663a04e076bf

SHA512
97a7c02651a247ae0da0fc018e4e910137d574b7e5f7bef3dde15c39742a22d0fb4d75302479cebd51c13927b33d0cd1042f33fdb084676bb1004aae51e0390f

Download Submit
C:\Program Files\CCleaner\Setup\b04e1855-05cf-43b1-aec8-b96805b2c09c.xml
Filesize
1KB

MD5
a8500f686252cdd13696bd7cd4df2df7

SHA1
4b8e01170a0fab56f250fabd6ec937e9a256d9c3

SHA256
693225b1c379176971faeb9ac2b49ab64750bf309d617f0bed0f7d2744ca57f0

SHA512
9c00c10ae75a5498593c0ae43be6b77b13d68e6db8367401127dc72a3ce5678b0a5e52d8b8b768af611a157b39e4fe7e44cfa5f257ac07c273142865bbf73499

Download Submit
C:\Program Files\CCleaner\Setup\config.def
Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Program Files\CCleaner\Setup\e4d33bee-aaa8-491e-a4d8-37ce3c109467.cab
Filesize
412KB

MD5
12938932e37f24044ed00a043106dc7a

SHA1
435a4ac59b0bb5b8c764267ef969915b61db1547

SHA256
fe000954de50a7682d3fb4069e3e1b8e2b761a808c2e840c1d82bdc556ba57de

SHA512
8980534a887bd5cd423c8327cbdeeeaa93c3900b423bfdef4d485a86c9a3ed6df56b7f9dd8616631087f9c487ce3c1af11a4446f38a9b2048db5ed98d4576b79

Download Submit
C:\Program Files\CCleaner\Setup\e8a4871a-d462-499e-a26a-0f082d7afabe.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\e8a4871a-d462-499e-a26a-0f082d7afabe.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\e8a4871a-d462-499e-a26a-0f082d7afabe.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\f1b0a033-8ff6-4951-a2ba-6b0f2562588e.ini
Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\gcapi_16797043874108.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16797044523916.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16797044523916.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\lang\lang-1034.dll
Filesize
248KB

MD5
3739b320bd1533366399bd81a35d9ae5

SHA1
999af2349ff11475acaef0bad7444eef47aea813

SHA256
e9f4d3034fdd07ba153e1f60e9a9615c527f34263c08e2f9fbdcd5930d0a1d02

SHA512
bfab82230ac59708f780a23fb87df8cfe2da6dcd039d4ca7c95427e7b83da6ddaae5f9d7b59e55c47d7c71f28af8028d3c3e307ea3f706b0e22ab7904efc93cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
1KB

MD5
13e6b3deaed20e0d442218c2fe1ff211

SHA1
196177c42bad050b9b9242eb5160a9abbf498c87

SHA256
5c739de218bbb2e032deb9026219e024906edca8360e0dfa67e0f934acd3a5a7

SHA512
987fdaad863f0563b74e5a1c6649b1016cc6c02fc40d29bcdfc70abb1485b83c3150f0ac1ee0accf6c468ab7aa4a30762e221b51d3ecfaf0a1f83433caac2c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
396ebd3aa8efa85181e1fbf70aa52b12

SHA1
ad54702cd06cfe878f7918262063bff30ff715c5

SHA256
f96896606a05bc081e8cfca8b57c4d409aa69c6a901b19b05848bb5e124ec276

SHA512
603ef302b90db5098373b9742beb309b617ff7e4f015570d5baea8802ca9baeef59854ecde55cbe53167ce9ac14c5f6119f2b5903b118214aa9f3dba5c99a472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
bbb1731cfdddcef109d4be87b95f2254

SHA1
0ee037de3c5f82d82088651e64d74df3850f1e5e

SHA256
792f99c939647b571b40fbebd15be315dd4d935c6b3444921559b15f96f11a85

SHA512
d922c512920fe2298a9cb8c9b01da847d8a6fb5a378b8f6c76627643b3d56689e46d8617b076ccf4498b8e7c56724201bc0545d4d04b69f64724e4a94d7c5fb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
471B

MD5
0e5c27ae1f8c448fd48d2e95cb0a90ec

SHA1
856b110a93a16518315350ca92ccf0e5e5166c0e

SHA256
d991726a5a2f6e3f68c7c35bf88852f898a060e0383be10c883ce650293253f7

SHA512
2d9297dd025c8d2cf3513e4e988920d36ca472f006d7e209d60dfb159d57e7b0c9938ed0546bc0e49b8e0499233c11f1acfcebc0b65b1a54539177d94d5e228b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
471B

MD5
fe61b9d41023cfa8a3e00974545258f4

SHA1
93cba56b04d6ed6596b69055d81ae3ac20130f77

SHA256
7380fb1d6537e8173a51cbff87ac0f120d68418dbf4210d1836f918ad380fafc

SHA512
901434366f425e74f13f146571a6aef7763ecead54fcd34d393ec071945f52b0be4375228e58e3cdc092d87019a49690d57b6124bf205b8a91ec437f7373fcc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
434B

MD5
2a3dc5f8952986e4e7e22fa7cb58593d

SHA1
d82a6ca3cb832013adb8daa3b6a0413822fa1a32

SHA256
cb778492e8506998ef5775ce3469fa529aa2e315a955edcd66249d064dbb3743

SHA512
c2a4218bb9bb704e79a7ae3aeffdf7574d6fbcb03a16625f3cedc997ed188b3f2993cd0afab94113976dcb1823bb06533a57fba6cbb3546dd741f9761f33ff63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
349d3d1ef8162fc7f54b03c0b3579fdf

SHA1
c9cff478d8603968dbb72a4e5f2a2963539516bb

SHA256
594c1502c9fe43c94800e2dcab825c8132f5c52ee5bdbd0367e8dcb06eeb71b8

SHA512
7e3a8cbafa7dd54a348b72a7ac0b121c28f428bc7877d445e7d79acb3e7560ac379a91fb1643ba0cbb00c906d17857090a88f210f770397a9e4e33e9cb6903de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
af74ca39d316f0fe5d547881674b4af5

SHA1
1a0e30c35eddb7de1639b3ddc2b7dd41e6efe619

SHA256
e743c31f940e5a04f6090ad9469344b9acf22fce4fb42573be2653967f0642e8

SHA512
5d659591014646866d51df51b9f85062ec04c13ab1bab286f8951f9e1bef70c1a4f1b50bda89dd859d727a1e49fabffbbfc5de844c64a04279a07320ded6649f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
426B

MD5
6482c67cb172cf751038f8a2b1f7554a

SHA1
8f3ecfe65937bf0bd6110da44e64a8e05fe2b2a6

SHA256
ff6f9c043c106434a693a6491e3c61128db54f84ed2c10cce69f6e02bf63ba2f

SHA512
ba9e617d3129cf57cfe60e3e8bb7522ca72bdef1fa4888245e779d1575e20149eea341cd9ac1bd4f009593610264c524e38f56f7403679f0c66023770c51cddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
464B

MD5
c3a5af5367a53c7a8a6ea4cfd7300819

SHA1
baf5066e5c44553173faad387d5e9ebbcdd0b274

SHA256
f5ba9896d1782d781c9e1c115222347fba49e164e2876a9683a0130942ec98c3

SHA512
3896b3aa8c13efbecb004e57f0dfb9f3f81a2608d7dff1dbe4912baa44a3c17f483f96269e99cfdb69c0305f0ae4e45868de1884e729972f689806c7de42900c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5a10efe23009825eadc90c37a38d9401

SHA1
fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

SHA256
05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

SHA512
89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c1a3c45dc07f766430f7feaa3000fb18

SHA1
698a0485bcf0ab2a9283d4ebd31ade980b0661d1

SHA256
adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

SHA512
9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
1acf7206abd0cb06ed9d175fd6410b1c

SHA1
60d0114bceb931a59032ab9dad881e174b45f292

SHA256
de36d9e8ebb8c0844525c7b922561a86b18a4fe0c0bb2ac0976b9d6d915c78d4

SHA512
d893204cc969a6f86957e0e4f9999cffb196624b8835e8fdc35194afa6d3fccbe3d3b802648712ec48fabcbcc82e2bc383713b764ee68083015651902ca10367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
fb50514a3c4b1bdc1bc234e2df0d2fed

SHA1
3fac21362a4ad5986e25365d37d6ba54438cb606

SHA256
d87ead31ac7f897e5abc8e1071c77086999dc1028103e6e95180195e772c2b84

SHA512
e52c6d2bc660286f7344922bd658e2d6538fc86e11a1f8383a7971ccf4627b48b7bd831974eec45afff0ada25cd298373c4cafcdf1cb4790a3a3375b41afc64c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
bd2ce374f99ef635c56f3f4b60fac1a2

SHA1
7ee23f6a17216738019994d3d230cc64dff63a76

SHA256
06bcbedc0064858ca1899fe0d4c854f11e6e3b662cce6d49afe09546ceec567a

SHA512
402c44375ab6f2fc37688c41727c6ad1c443fa1d0b251f7ab4325ea683a68dad02261564bbed4bdae321ed3f042ed8211fb3d90106d4070aae4d10a2cfeeed6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
709c42d7eb3176d34378daf9bf3f53de

SHA1
2db7106551271993b6762ac234eb922358605365

SHA256
9be3da5d323b149085107b8ce172c9c8507c4a4a217378412562702c9d2bcd2c

SHA512
f7121c206cc4988c055ea8a12cb2f5b6d9c78899f43774f66905b557c9ae5434538318a44ee5cd288f19ffc6780340c893a39134ac6cb31bbfeb2092b0f03c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
b841da9e6ede40b335895f79b06a4985

SHA1
787964f204a7259260199edb363940e2e44cd6b5

SHA256
780f6fcdf064ed7b00cf494a718d5ed30666289f44b7b2a120abcc4e1c4483a0

SHA512
489917bb54503ea222927f2984f6dc1a11dbe77f16ee6758b8d0e21d4e5b151aa934ac85da6e31beaad0a23b196066a1d292e4204b3a0826c0210940e47aa39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4eb84a7732cbba478c7e5dbb549d34c5

SHA1
b8fe7820fad70ac7ed53a3f836486cf7d6148cb9

SHA256
404be6a9268d46064afcda9677620055e4f234a6a02dee0fe855cbbb9bd57e61

SHA512
12328158399427075288fb8bb278c5e4c6a74e0e94b341c2b7721f9095c9eea70b60eb16bc40af9eb217d5522fadbc32df5c394b691371782115ae590e94ec63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fb56d684bd8f006feec75bd3e4d24041

SHA1
3ef94572749100b87b922dc146fe3a762ab3b3c8

SHA256
d804d3a124c5d387ead455c2ab6f0c51dae571af5f76513868c9eefe7bf17a04

SHA512
0a569678393a0e7b03901d61d57bef7988eeb1a63a87251761028b79992d4cd3d45af3c82180a4876696e0d8d0a2cccc1703918f40ba290ddf962a5cc9304185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
5edab6d3ffbeee247ccb4423f929a323

SHA1
a4ad201d149d59392a2a3163bd86ee900e20f3d9

SHA256
460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933

SHA512
263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cookies
Filesize
20KB

MD5
92f9dbc9c38cd916a282b36c454e3394

SHA1
92c5add769a39ad98f6d3d82fe7597f2933b625e

SHA256
5dd0ad3ba3fdb039290b749415dffb89b47fbdc949e69e46531b38756032eaa6

SHA512
22579070dd7a7273b2bd5085b17844e8e5ae0a4db7b405f874615518386be2f9f009417749625b8a7d9e9f5df17d714eea0a55592f0d01f9a6aa7a98ae0d0192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
7e5861396c3c411928405dc0c24d3e83

SHA1
ffb77c6fba0667834dd72597647b3558fd919cf6

SHA256
27dfc90ca79c4edec1b60f9d68151e7823fa5317fe1e4988d5cbd56aeb2b367c

SHA512
7fcaadc924708bd6c042a14d33bb3406fc52649f5a9ceb604d9b769911dd523bce6c8fee93b073e3da9090d65ffdb272eaef9d5b7fe51b7f55511ecb48928d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
56a85e169c3887231f0a69cd69a6fc61

SHA1
95b3ff2e2856af43e3595b8d9063f867cc173f39

SHA256
009e7bd9bff7aaed6a702c61abbe8f53725e0a9dc029f5937b9a48da5d72c8a4

SHA512
cf4b4f6439815022f0659adf5b1cd87bc3ae5f3520d8f9b8a8fb78407a7e381f3e4adec6834f91c09601a4d289ce68d8c5c6a3219ac2e1280f0d59835b03704e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
41fb7377926d55bef137c56565f77ef8

SHA1
f9dabcaebe04c95204c6a8e89fecde3131aab712

SHA256
2892eade3989a1d95b5a3f11a2c0cb94213b67e596ee80942345a4556e6ca645

SHA512
4b09bb296fd87946a0a3dda1037d75c23055f4b748e780ae7d5f83541088c3b48b536706b82955e7384d2279537313e3c20da32d10aaf3609ea3e64f05e0d4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
38c702128633be80c6f716d93f12b880

SHA1
1497f29801131d29a44be1ff4d5dba2fa61a772f

SHA256
c3f72ee4cd20dc1e9d9ee9a8e68728ef609b40e8216bf83550f95a676c8d666c

SHA512
f9e1d7ca0c4c91a79618de9205127d752fdd1e88ec88a86a37d3f0736c6eb37510e2b696000d9325814c4f21f45d0f64577f53b80fa8771fd445e7e30ba3019f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
46ed7e888beac3aeb91399a07c7686cf

SHA1
846b25437bf34e89ba1372dea0bf9f7fee23b37f

SHA256
c863d4da5db74df8d9a50eef225ff8c3c11c3a7d1bfbe70f9e2991624eac2693

SHA512
f824afb4a567b3af21b7beff1617d0cc694ea86f510cadbc22bc3c0d9f70187b0c88138a3437e891975b6ac5067a4c75a958becd148554e9a5a3d84a0a7a27bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
ed9f7d1b144d806b1527df6a0fbd4331

SHA1
bb5823ba07ca87e661f4c7f790e0df3ee714a425

SHA256
8191620deae4cbbc0a0272973e20c31b3be0a57627ca5f271cf8faf21bfeed96

SHA512
0200695afee8ca44581cea5ef473526c44a8f2926cebb819c1a7b578b451c2bfb6970985ce00fd6543aab693bbce12f79c90f60e01811b5601d9bd85f5d4ff6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
3937f310ea0f27df77cc33b633467ec9

SHA1
6c86802aac92e118ae43e9762ebf0b4da2cb0410

SHA256
0adbc5ccee1b74cdfbcad995f327593a8d684459d9f34880e8badfbcf2aebbae

SHA512
7280586615df9c20ac4c4039abb5f12e0738f4f98bde52fe49ae08cfa1b6138a21aa76eea8640850c303556169134c7049173bc0de033f1140a049345011afe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
c198baa9476df3215209bc8554a4edd5

SHA1
41ee5fec104e87c0db4a486c73ff3fa454592bcb

SHA256
7ecbd2a315ce215059341880cf5039a9d7d7167cbb8c0a7391b1f27e0aac3450

SHA512
e3fa453e35dde985d60501007ce86153397e771311a93c58debb2767427afc7d569f9247bd6f0f0821873c103c3c80e077fe92ff1657b3b75d11c56d30db376e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
7bc0faf5586b902bfc56295e22a73964

SHA1
e860046a37a9242c923e3f96010dc2681ca938cc

SHA256
08024fd4e71e37103c7895d96b02267c114ea900072c19e8bcf0a57d2fd47870

SHA512
36894b04f50fd1417be044697ebedd9461bb9564ddb5f294bd1ba1fd4ee36732c6e7855b46ef67419e06f93bc33dd852816bdf70b6efa40ebc5fc2538123f971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
f39a8597f4c3d5d6339562c229e6d652

SHA1
6a5ee8de226f1a3ee240e3878cdbc8274b05cd29

SHA256
b232af79c3ccc126c02c9a0558d92952a77bb397a6a7834c6813d26407d4a999

SHA512
e8bd99879e32613e4948cb4650907891ec54945dd85ea5f828eac1c9c659f9dfd681715787dde38259b470c0503a68a824fe19625db0e8f92c326b72498068fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
78214de8541e86858d1f4fa3cb070ff7

SHA1
55913bfe1d2a78c0a097450d7b48fbfb8e018e3d

SHA256
eaaa47e13b1bab5cc045b097b90dd7741fb91d31934c56f052c35862d934471c

SHA512
cbcf0f9cc0b2a4ead2fdb251500bef29af374bd059986ddfb9528c9427ffc479941e7afc270930b004dc28395a5f6244b255e1c87a4f1f4ca332d23884fd383e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
7ae28144fcb1f3b4ff0aee29bae45dd9

SHA1
7860891ef132619b0dd69dec9bad6739f3bb306c

SHA256
83704034c00beb2a12c791ba38e50c18274c6250549922dd6e0175ee3834509c

SHA512
2a2c81dc4fced347d08e0f96098a1f21d2c21d6bb4ec7a899a94981b303fe1ed8570e5e5bbd695d9373665a930b8f3c4fb4375cc90fae55b67fe17ad78759e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
df0090b04ded67533a509d15cbbf3030

SHA1
3aadc51febe15a09c61a6be55922e8b1cd02d5cd

SHA256
f3777e7651f689da172ad110128880066471f495d44530b9a6574a9ea203b7c7

SHA512
b1062a991a7eba6cdd2499a03b4853ec22ad4f3575daa34b4d51505bd1832bca7bd7b507bb8342ee997146fcc19d21f39eaef762b7cd6e42271b4240e0b5ce18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
159814551995f5d0e12df6ec178ec282

SHA1
f1a5a09316c3c27f575290fe6bb8c4853ebfc534

SHA256
dcadb2b1edb2241759e14cdaf106713b029fa18c967725d7e848171c73b64b07

SHA512
f8e762d246142fc80d413d73d5e1e79e8c0b7fb65f49c3ea8cf3c005c15a4eebc82a0728f1e61b5e531e118fccd9b93cf52e68572425cf4b9ea59ad6735938df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
a999437b5732adda838b31be45a30da8

SHA1
45d356b9f190e1c2ca05a000189aeb96c0736a5f

SHA256
b1879f0533fa6aa04a67a262a86ccebca3578a26e1c69267060bc13003b6205a

SHA512
fefc1282650b871ae872e7ac66c6a1fd38a301d4b5bbc2b346895b7b9d0639c433b34e45dfdb07bbe63e85a79c8007b0362ef258fe9dac08eef5216383a540ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\asw3c9945a59dbc0c41.tmp
Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\INetC.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ui\pfUI.dll
Filesize
15.7MB

MD5
8189d2d01f801ac406434b28e7df4743

SHA1
caa140b9c2aaea611168850f2259b574982e1b13

SHA256
7cb4c428ba38a8bc41fec4ed658e9bcfbf9a9f680cbb897f09ec31ddbbb013e6

SHA512
661ffd3a4a3fa121e5acafb56405944ceccb4d09d9c1a5e57bcbe67609854279eead610f28d0242879eca3afeb102b764920014d596ffb50306f21926fca3378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ui\pfUI.dll
Filesize
15.7MB

MD5
8189d2d01f801ac406434b28e7df4743

SHA1
caa140b9c2aaea611168850f2259b574982e1b13

SHA256
7cb4c428ba38a8bc41fec4ed658e9bcfbf9a9f680cbb897f09ec31ddbbb013e6

SHA512
661ffd3a4a3fa121e5acafb56405944ceccb4d09d9c1a5e57bcbe67609854279eead610f28d0242879eca3afeb102b764920014d596ffb50306f21926fca3378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ui\res\CC_Logo_40x96.png
Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ui\res\CC_logo_72x66.png
Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ui\res\Montserrat-Regular.otf
Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA08C.tmp\ui\res\PF_computer.png
Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
042d6794eb97dc1f4e466ddfc2435948

SHA1
3139295920a55ebf4e566f8184452cbba7b4c14f

SHA256
d9ce729b7b841fe371570fffcd1a144adac84a3cf4d7680d7f0ad5957db79b8f

SHA512
c1ebd27d9ef67f0518171eb0cf7fd4cca61b6505b09f5e508b9f4643301d83b39c98099cc5fbc93779609667552ea25018f9d5d174726246844c40f148515974

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job
Filesize
760B

MD5
9590344b8a65a7b323752c5708814ee1

SHA1
56e40a94ede2eb3e5c53595f843181ffe1b58d44

SHA256
56276ec8c917595be9501d2d34fd357c1eb4ea7e2b99842d69579f86d8948292

SHA512
22c5b0af84df1ff4f92f659b85f66dda871b38cbd4987ecc293e29f31168bc5c1e3f28c2297c60c41615e117f78dcfbf6e51473913b99e050a2947a6a06fd281

Download Submit
\??\pipe\LOCAL\crashpad_464_ZJQERLUJETFCJFPE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2136-271-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/2136-274-0x0000000007490000-0x0000000007498000-memory.dmp

Filesize
32KB

Download
memory/2136-264-0x0000000007790000-0x0000000007798000-memory.dmp

Filesize
32KB

Download
memory/2136-265-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/2136-267-0x0000000007780000-0x0000000007788000-memory.dmp

Filesize
32KB

Download
memory/2136-268-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/2136-262-0x0000000007700000-0x0000000007708000-memory.dmp

Filesize
32KB

Download
memory/2136-238-0x0000000006510000-0x0000000006520000-memory.dmp

Filesize
64KB

Download
memory/2136-269-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/2136-277-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/2136-244-0x00000000066B0000-0x00000000066C0000-memory.dmp

Filesize
64KB

Download
memory/2136-289-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/2136-291-0x0000000007580000-0x0000000007588000-memory.dmp

Filesize
32KB

Download
memory/2136-294-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/2136-298-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download