lumma | 2d071818c4530a76a0cf946fa7dc00a1d2bba95a741962802c4b8b23d54a319c

Analysis

max time kernel
152s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2. CCleaner.Professional.6.06.10144.exe
Size

49.6MB
MD5

c80f2122f4755d8035d54e853d0d4ca2
SHA1

ba1c08614d713545be84e1229df09eb6275f0223
SHA256

2d071818c4530a76a0cf946fa7dc00a1d2bba95a741962802c4b8b23d54a319c
SHA512

f4285e0530a5cec0f2e294ea0b47a45cce9919782c37efca30567092bdd024f3a26b973aa340101ad3d935076af5458b72c2306d684e2a6199fbbda77cd41358
SSDEEP

1572864:kY3EH/GNT2kFLiWijs9jI3tF8+vMZEU0CYJYtK:kYUfgCGi5jsk8QyYJYtK

Score

10^/10

lumma bootkit discovery persistence spyware stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exe2. CCleaner.Professional.6.06.10144.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	CCleaner64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	2. CCleaner.Professional.6.06.10144.exe

Executes dropped EXE 5 IoCs

Processes:

CCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid process

4744 CCleaner64.exe
3828 CCUpdate.exe
1776 CCUpdate.exe
4548 CCleaner64.exe
4668 CCleaner64.exe

pid	process
4744	CCleaner64.exe
3828	CCUpdate.exe
1776	CCUpdate.exe
4548	CCleaner64.exe
4668	CCleaner64.exe

Loads dropped DLL 24 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid	process
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
1776	CCUpdate.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4668	CCleaner64.exe
4668	CCleaner64.exe
4668	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCUpdate.exeCCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe"	CCUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 18 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

CCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe2. CCleaner.Professional.6.06.10144.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	2. CCleaner.Professional.6.06.10144.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner64.exesetup.exe

description	ioc	process
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1028.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\CCUpdate.exe	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\autotrial.dat	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Setup\4ebb6324-bad8-4b15-9da8-bd269b4079d6\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\event_manager.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Setup\ddcc5749-64f5-4863-b21b-8d37b8065f11.cab	CCUpdate.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.9324c231-6982-45ed-b8f8-fb0c6de180a9	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\branding.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\uninst.exe	2. CCleaner.Professional.6.06.10144.exe
File opened for modification	C:\Program Files\CCleaner\Setup\4ebb6324-bad8-4b15-9da8-bd269b4079d6\ccleaner_update_helper.exe	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\b0d37415-f168-4dad-a22c-ff05ede48050	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Setup\4ebb6324-bad8-4b15-9da8-bd269b4079d6\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\CCleaner.dat	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log.tmp.0b3af6af-229b-4b0d-8444-f51d4e939380	CCleaner64.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\44ED97C8-2D40-4A50-913D-673F6858B9AF	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	2. CCleaner.Professional.6.06.10144.exe
File opened for modification	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\b0d37415-f168-4dad-a22c-ff05ede48050	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\temp_ccupdate\update.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\temp_ccupdate\ccupdate610_pro.exe	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Setup\4ebb6324-bad8-4b15-9da8-bd269b4079d6\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	2. CCleaner.Professional.6.06.10144.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	2. CCleaner.Professional.6.06.10144.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230329044234.pma	setup.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	2. CCleaner.Professional.6.06.10144.exe

Drops file in Windows directory 2 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exe2. CCleaner.Professional.6.06.10144.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2. CCleaner.Professional.6.06.10144.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2. CCleaner.Professional.6.06.10144.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	2. CCleaner.Professional.6.06.10144.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\.DEFAULT	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-19	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-20	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	2. CCleaner.Professional.6.06.10144.exe

Modifies registry class 27 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\SOFTWARE\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\SOFTWARE	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\SOFTWARE\Piriform	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	2. CCleaner.Professional.6.06.10144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	2. CCleaner.Professional.6.06.10144.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Software\Piriform\CCleaner	2. CCleaner.Professional.6.06.10144.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exeCCleaner64.exeCCleaner64.exe

pid	process
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4744	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe
4856 msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exeCCleaner64.exeCCleaner64.exeCCleaner64.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	3376	2. CCleaner.Professional.6.06.10144.exe
Token: SeDebugPrivilege	4744	CCleaner64.exe
Token: SeDebugPrivilege	4548	CCleaner64.exe
Token: SeShutdownPrivilege	4548	CCleaner64.exe
Token: SeCreatePagefilePrivilege	4548	CCleaner64.exe
Token: SeShutdownPrivilege	4548	CCleaner64.exe
Token: SeCreatePagefilePrivilege	4548	CCleaner64.exe
Token: SeDebugPrivilege	4668	CCleaner64.exe
Token: SeShutdownPrivilege	4548	CCleaner64.exe
Token: SeCreatePagefilePrivilege	4548	CCleaner64.exe
Token: SeShutdownPrivilege	4548	CCleaner64.exe
Token: SeCreatePagefilePrivilege	4548	CCleaner64.exe
Token: SeDebugPrivilege	1440	taskmgr.exe
Token: SeSystemProfilePrivilege	1440	taskmgr.exe
Token: SeCreateGlobalPrivilege	1440	taskmgr.exe
Token: 33	1440	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1440	taskmgr.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

msedge.exeCCleaner64.exetaskmgr.exe

pid	process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4668	CCleaner64.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

CCleaner64.exetaskmgr.exe

pid	process
4668	CCleaner64.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe
1440	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exeCCleaner64.exeCCleaner64.exe

pid	process
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
3376	2. CCleaner.Professional.6.06.10144.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4548	CCleaner64.exe
4668	CCleaner64.exe
4668	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2. CCleaner.Professional.6.06.10144.exeCCUpdate.exemsedge.exe

description	pid	process	target process
PID 3376 wrote to memory of 4744	3376	2. CCleaner.Professional.6.06.10144.exe	CCleaner64.exe
PID 3376 wrote to memory of 4744	3376	2. CCleaner.Professional.6.06.10144.exe	CCleaner64.exe
PID 3376 wrote to memory of 3828	3376	2. CCleaner.Professional.6.06.10144.exe	CCUpdate.exe
PID 3376 wrote to memory of 3828	3376	2. CCleaner.Professional.6.06.10144.exe	CCUpdate.exe
PID 3376 wrote to memory of 3828	3376	2. CCleaner.Professional.6.06.10144.exe	CCUpdate.exe
PID 3828 wrote to memory of 1776	3828	CCUpdate.exe	CCUpdate.exe
PID 3828 wrote to memory of 1776	3828	CCUpdate.exe	CCUpdate.exe
PID 3828 wrote to memory of 1776	3828	CCUpdate.exe	CCUpdate.exe
PID 3376 wrote to memory of 4856	3376	2. CCleaner.Professional.6.06.10144.exe	msedge.exe
PID 3376 wrote to memory of 4856	3376	2. CCleaner.Professional.6.06.10144.exe	msedge.exe
PID 3376 wrote to memory of 4548	3376	2. CCleaner.Professional.6.06.10144.exe	CCleaner64.exe
PID 3376 wrote to memory of 4548	3376	2. CCleaner.Professional.6.06.10144.exe	CCleaner64.exe
PID 4856 wrote to memory of 2696	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 2696	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3212	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 2508	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 2508	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe
PID 4856 wrote to memory of 3224	4856	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2. CCleaner.Professional.6.06.10144.exe
"C:\Users\Admin\AppData\Local\Temp\2. CCleaner.Professional.6.06.10144.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3828

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\6f03e140-f0af-4f55-a76c-bd709ba4eedf.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=1&a=3
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb365546f8,0x7ffb36554708,0x7ffb36554718
3⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
3⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
3⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
3⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
3⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
3⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
3⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:8
3⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff659fd5460,0x7ff659fd5470,0x7ff659fd5480
4⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:8
3⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
3⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5208944733576831584,12065110187237655762,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
3⤵
PID:3980

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4872

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3508

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCleaner.exe
Filesize
30.8MB

MD5
0a864e78e2244c926ec0ed931e438df6

SHA1
7f60164f0876b0ab7dd3859dd3a2cb6b206a3403

SHA256
dfe62ca60e4f30ce93522038ca18ed0f43dcc07922dcf20c1456ffe527b8499e

SHA512
b7615ad05bc119777f5ed5f5988ffccc2f38b4e3eac0f7ac9099240e39ade0fa6737a8183fc8b80e8bf4ccca8ed1674bd6734b957b95a9f2c661d75f7b0f586a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
36.9MB

MD5
51ba771e6ad2ebe444947a737d74615a

SHA1
85e4868407e0247474a995e567374b241ca39a93

SHA256
f7d3243cde281dbc709586312216366880d13001206826c590d7e1b6f01fecbd

SHA512
1a2a104bb7abda141f95c951de7c8153ba676e9bc5a155b73645c1f1605dc46d205c40fdc057883d3e404c398bf497057fac1c081e7032ec61c7ce1d2fe6f7be

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
36.9MB

MD5
51ba771e6ad2ebe444947a737d74615a

SHA1
85e4868407e0247474a995e567374b241ca39a93

SHA256
f7d3243cde281dbc709586312216366880d13001206826c590d7e1b6f01fecbd

SHA512
1a2a104bb7abda141f95c951de7c8153ba676e9bc5a155b73645c1f1605dc46d205c40fdc057883d3e404c398bf497057fac1c081e7032ec61c7ce1d2fe6f7be

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
36.9MB

MD5
51ba771e6ad2ebe444947a737d74615a

SHA1
85e4868407e0247474a995e567374b241ca39a93

SHA256
f7d3243cde281dbc709586312216366880d13001206826c590d7e1b6f01fecbd

SHA512
1a2a104bb7abda141f95c951de7c8153ba676e9bc5a155b73645c1f1605dc46d205c40fdc057883d3e404c398bf497057fac1c081e7032ec61c7ce1d2fe6f7be

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
36.9MB

MD5
51ba771e6ad2ebe444947a737d74615a

SHA1
85e4868407e0247474a995e567374b241ca39a93

SHA256
f7d3243cde281dbc709586312216366880d13001206826c590d7e1b6f01fecbd

SHA512
1a2a104bb7abda141f95c951de7c8153ba676e9bc5a155b73645c1f1605dc46d205c40fdc057883d3e404c398bf497057fac1c081e7032ec61c7ce1d2fe6f7be

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
36.9MB

MD5
51ba771e6ad2ebe444947a737d74615a

SHA1
85e4868407e0247474a995e567374b241ca39a93

SHA256
f7d3243cde281dbc709586312216366880d13001206826c590d7e1b6f01fecbd

SHA512
1a2a104bb7abda141f95c951de7c8153ba676e9bc5a155b73645c1f1605dc46d205c40fdc057883d3e404c398bf497057fac1c081e7032ec61c7ce1d2fe6f7be

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
7.7MB

MD5
4f13eb09c4ffdb072a5c4395e2776f7b

SHA1
7084943302f8badc682957b84ab5181dc0c6d3db

SHA256
9ef3b97035a7c600a819cfa7141af1f0d008f3c8a40095a56ee5b39d6f2e9312

SHA512
a9550a1a8e67b08f981f729e542cb3c9728b362e86534c8a73abb1ecae04dd11e5a05e170bb28bf9433909d81327b7b9e8188717bbf02c8bb066c256d2d34ec4

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll
Filesize
7.7MB

MD5
4f13eb09c4ffdb072a5c4395e2776f7b

SHA1
7084943302f8badc682957b84ab5181dc0c6d3db

SHA256
9ef3b97035a7c600a819cfa7141af1f0d008f3c8a40095a56ee5b39d6f2e9312

SHA512
a9550a1a8e67b08f981f729e542cb3c9728b362e86534c8a73abb1ecae04dd11e5a05e170bb28bf9433909d81327b7b9e8188717bbf02c8bb066c256d2d34ec4

Download Submit
C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll
Filesize
6.6MB

MD5
59b2b535fe576a45126eb6f11c474b60

SHA1
4e5c8d1a092e7c1b31db094749dffdb2f704e88d

SHA256
39f781bc5594f59a5dc9fb4a648957c9caa144dc80852785f570c3986ee1b447

SHA512
07095f492fd995073a9af0c4bafeacf2b2e6bebef20bc8bd1a732d2a69033bc94bdae0eba1a7b276cfe36939f6a33ffe54d89c7e2683c5315a1ff68f6d475944

Download Submit
C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe
Filesize
979KB

MD5
b83bf280f728b2c3b2452744194662d5

SHA1
539e07baccf1115ab221a65282ad08cb48a4c73a

SHA256
a0e796d5ad5a3b999143e3dd79f4dc64c884e699f4b753a2ec9a631fb6b64b33

SHA512
4250b3ccf5226380506579f0ff0024a511266743d745954ad31bc3a5f0300ff4ae4a96258f1ddf1b30a5ceb662ddbb6397a072bbe3046b9ed99358383ec0ff47

Download Submit
C:\Program Files\CCleaner\CCleanerReactivator.dll
Filesize
2.1MB

MD5
117a266e71070aa902d6cebd7c57f93d

SHA1
4627a8f20af4de04de731fe5ef6b37d708ef31e0

SHA256
d20f11c30f2e7b4835a9b9056d1c7667e02d443feca8b851086772e04619f38d

SHA512
b5438f2cba4ac36484bb6bde15efe6053e5f403599a63a61af6b30a6bab5027e7f62bcb4cf1221417230e0f3e053117e70553a06e7889428fee3a71a8b719f54

Download Submit
C:\Program Files\CCleaner\CCleanerReactivator.exe
Filesize
181KB

MD5
0f8a82b91d4985b8c8dd3be3c5167b45

SHA1
2048a6a3bbe2c7a959919a7a624d44e38a4200ca

SHA256
906c1e9c0daffbe36a7790873290e81d8600e0f593f465958905aff004bcb137

SHA512
2baa0446336376520ce6673e27e40d53e83b298ca44901320647001ebb31ce7cda5818716b3cb496d7da12b1902efdfa989b0af9115c6050cc99bed7c550c057

Download Submit
C:\Program Files\CCleaner\Setup\4ebb6324-bad8-4b15-9da8-bd269b4079d6\ccleaner_update_helper.exe
Filesize
729KB

MD5
844b5a7a8d35da17d19de4cbb1d5bc6a

SHA1
5c8ff1c0d5dfbf703835cd35ddbc93c1eaba20a6

SHA256
c74181c70ad77d8ff034a06ea3a9fbc4239a08b93e7c39380cd0663a04e076bf

SHA512
97a7c02651a247ae0da0fc018e4e910137d574b7e5f7bef3dde15c39742a22d0fb4d75302479cebd51c13927b33d0cd1042f33fdb084676bb1004aae51e0390f

Download Submit
C:\Program Files\CCleaner\Setup\6f03e140-f0af-4f55-a76c-bd709ba4eedf.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\6f03e140-f0af-4f55-a76c-bd709ba4eedf.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\6f03e140-f0af-4f55-a76c-bd709ba4eedf.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\b0e2d940-218c-46d3-83a0-1bd88f1a5fb2.ini
Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\bcdcd5e6-526c-4bd3-9e0c-be843345d98f.xml
Filesize
1KB

MD5
a8500f686252cdd13696bd7cd4df2df7

SHA1
4b8e01170a0fab56f250fabd6ec937e9a256d9c3

SHA256
693225b1c379176971faeb9ac2b49ab64750bf309d617f0bed0f7d2744ca57f0

SHA512
9c00c10ae75a5498593c0ae43be6b77b13d68e6db8367401127dc72a3ce5678b0a5e52d8b8b768af611a157b39e4fe7e44cfa5f257ac07c273142865bbf73499

Download Submit
C:\Program Files\CCleaner\Setup\config.def
Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Program Files\CCleaner\Setup\ddcc5749-64f5-4863-b21b-8d37b8065f11.cab
Filesize
412KB

MD5
12938932e37f24044ed00a043106dc7a

SHA1
435a4ac59b0bb5b8c764267ef969915b61db1547

SHA256
fe000954de50a7682d3fb4069e3e1b8e2b761a808c2e840c1d82bdc556ba57de

SHA512
8980534a887bd5cd423c8327cbdeeeaa93c3900b423bfdef4d485a86c9a3ed6df56b7f9dd8616631087f9c487ce3c1af11a4446f38a9b2048db5ed98d4576b79

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\CCleaner\gcapi_16800649364744.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16800649394548.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16800649394548.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
1KB

MD5
2401b82e34ff6d50342403176ea2b7f9

SHA1
9772db34a96b2345b98c9d64ff927d6e5d147491

SHA256
2a05d22bb20f054ca9ddf401c18ffaf0441931245fd700b9896cfad62449bb41

SHA512
96aba7e40c2dc4b4fe8651378c477ceb7cc374d7dd62f3b4fd8f9e627fc98ce34515e574bbcf54f41d96858f478da108359b7e3aa2bab6cae995886216bb5a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
471B

MD5
38ec2cce9ea6d36e74859b17ce7b5428

SHA1
92461f6cfc37172157747d07a23783558770e7b1

SHA256
8417ae6338b266e92f4ef76b30893ba0c6c9684af77b60981d6e68c4326b5bcb

SHA512
55a52d551bcc204cc9240bead4ab408ddb25c700a518c178a99d737c5cf3f3288bddf5a2af383b6d648b696942e653d9f9487634c165ebd9b1272b2d5bb63099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
1KB

MD5
e3778d887ae4dfcbd3be890ab7ca7493

SHA1
24e328ca8c437a63428d78ce453a4e4a05308293

SHA256
31c815454647e77efbc9fb8ce6f67bdceda76545b5627cf663a384142a91133a

SHA512
3113359f68498b4be3797b51c75a8a599abd9c18318c233007e049dfdfdd625e18e511ca2d6536bfd072d5460cdd086ed5e1b2523ed155c074551178475fbcc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
1KB

MD5
0b828b5fde0eee48662083c64389312f

SHA1
e855ee22e4852d5bb0d6f44fbb678bc52ba56b77

SHA256
dea8fdde54f02e93f49fc042ce8c53c3e93e94bdaeb030214b293d27878875c1

SHA512
222bff361b98a6fc219e9b71e97a08ce9dc655d283c5a3955a901a52ba284e48c6bd71fbde437737901143e88d22f44e91fb378da0a532eda8c90d53cc07b78a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
471B

MD5
d7584cba63d0c27a3d6e94869a264864

SHA1
b25f90217179043cfc271578aee7407ba6b8f8b3

SHA256
2343b2f01a0a4b9385809693bda9be6b93e7510b468c00f8d12833b809d07ab7

SHA512
130a7a640b5dffb2e477ea0f6544cb49f8ab6387eaa2fa37134b1bea6da698b1fa23c7f6baeadac77afed4b68f0b2d282c102112d0d8acc4d2c12a9fa5ae0453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
471B

MD5
52bb1d7da9f1e412da2e9f661917c671

SHA1
d1757d724e4d176b2480ec5fe1bc87333e1c60c5

SHA256
55cfbc87de9e573c70f34796440455df036be32ef3fea5b980bb3626fb6f4d9a

SHA512
ca44f18df8bce35d1afb3592ae4b461fc95a84c715936f826629607158da05d8acc810b207a2ba4e8039603aa2b29e4d8f2fbdb483b9a54ec7ba0a7c842682c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Filesize
434B

MD5
3a5a394722caaa43c5871258d6ee4e1e

SHA1
88bc11162f39be8477e0ae415af7a1541c64805d

SHA256
5285c1fa8541d34e20a77efdc9d0e62670eddba0a79afca6e5d60cc55f66e79d

SHA512
766ae3a973614f4b0d7bd86eb5a4787e180fed4a101c4123c24b433b9fc24a25d648a5cc403ede8acce2e2bb6f811c891d65e1887030b2eeeed0653a61fc46c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
400B

MD5
1f12a9ea8cefd92bbd60d9a1c39848d6

SHA1
a0f10de20539af9f923000b352dca8664e2ab949

SHA256
488e3d0da470f0f5e69929f300ad082c613a227d140d7bae9365bd1ed5261a8a

SHA512
c1335f9085ac4ef214ab7d6053af0039c8f36e3766705bb4364ea218777b0f063adcb462b6bde1af601bbd310bb682f131f4683827b9f878c46793debe775c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Filesize
458B

MD5
9f6f6e5cccb6feb68a90b745f5889c82

SHA1
7ce1d06e2f825a3aa4b391ea438c68edddaba6e8

SHA256
89eb34486bdea348306c58bb35fc5280c77eca9902f14833b4010d08135c947e

SHA512
78dd43eb4d237593ae297c7d86e036b747d01826e9a0e3f828ff8966504d49a945f5e03f634f2647635373e52b15b493577060e7669f6858c7c57c94b52c6810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Filesize
432B

MD5
e2a43df232e718a5e9273ec159bf858c

SHA1
caa07ca8b4b3d43ed01c301b33739452f3496b68

SHA256
a2593df6d2681d656dda1ec6d80b419d4cbaad1f26095d5336c5a0e34f4d2a3a

SHA512
539723548605ec6787d2688642b0bc435fd84010c446bd04ebfb63a9fd665e30fe39fe717ad834bb75e225cf7bbf873c55acb6dce2c53d21d09eff00405925fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
Filesize
396B

MD5
3d3b1822b2fc328671d1dbb9c17fdafd

SHA1
2010ad9b98729ab1426e86aa7eb5ca182abff586

SHA256
c994fed2a85aae83b29eaf7bb08b27fef4593af642378d98621854ba61e76986

SHA512
bb92443bfb7a1854ede900d039670146572b31426722146ebc2ee12f6512900fea6653ab21eca44311351a23fcd80e5711640cb7ecf38ff12c8157f4658f2328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_094C2975B12480ED38496F27B88C1183
Filesize
464B

MD5
211cfda37b60faa356fa6afd7f3996ae

SHA1
c1fa5aaa46f4056817b9eeb275da9d146950962a

SHA256
459f86da29cb2ac8a43d4162d5df4f2121af24dbdd3bd8cebe7908d3a4a2881f

SHA512
efd5b9eb400594e54c707ecdc6cb65fb7abc60c199fa8646fa47a443ca2ecf537974bcd26925793f77fc6826ee2df113fb1340b0c3254cef2144a331a02f64bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
8c669ef0386757d33a121d880d73c73c

SHA1
35306c3601b336b466849c79518dca38766ec4c7

SHA256
47573fd7b920ea54b261417e16ef07e4dcd004037fff0bb410e05a6ad31d114a

SHA512
197e4db83d441672177f16aecf14f7b5e260d863ea50851b93f1ebe70f43798419115de73a697de21f25685dd9e340df56cc8206b8069b0fa81a443541047d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
576B

MD5
048cd491c7f618af05ceaac82d016a64

SHA1
7333eb3aa123d85ecf63a2dc82a83f2229e1c0f4

SHA256
61aaefb8f67d2321c939b226f4d7737f8af210f56f5574c451ca26fbd0853c76

SHA512
4ecf560b3737e3491c35868ac25ed6f64ecf3ceb608a73e9bb9f267974e20f16dd396a2d949b3548013afc126d4e360f3ceaa57eaf204de2dc550d8c1e534771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
a68c73e56d74e25c5e9f34538641f4ac

SHA1
b54a705968edf0cccf5d6b5e422421f4f3fe94f5

SHA256
49e2da07268165ce0ce46208be980c830f630af440b1b0740bede0153e82e3e8

SHA512
2963ef07f52ec318d0757221405cfdd5144990d0bc8837e93ac2c9fd103b8ffda98f845daf8c080395a157758bd136cabcca2147bef42d9f1037c0a43bad0fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
4e6ae451a0bcbf46e2704d0f290fcfbd

SHA1
f184fead35e91d47e322dd83275d1a3194b31ec6

SHA256
a501fca1d7c82298dcbcf7a40d45ad06fa705940dd3a452cef44afa41c3ad9b8

SHA512
7d43ecbd8b1a78ead5d890880b9406f9909367982fc541a6815c86529c1f4870c7e099109f6c82fe11ab79a1bd775b9dddf428d1d2aad05144403b3976a9e233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
8b462099708c4da6ca5596dfc24576f3

SHA1
ea539d7be8ef3c3767df9fa02c43d6db548169f2

SHA256
ab1e1ef1f68bbc95efd0429a4088ab8bdd5b585df54310b78e32bf354f5ba37f

SHA512
64cf36101d4c6fd6ead85d3d3895493eec1ccbe79598a121466ed6b414d8db57a93296ef60db193482b8d3fbd449e350ce19e8c84bbf6bda01131435c9d79bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1b5c75e577f34762ec504f408918d48a

SHA1
a330ad3bed89f84bd7f73bed424414260e038ea9

SHA256
5d4b0206e6945e2bfde08b3e43394b09682d447599d31d287e71ce4d12574b10

SHA512
2c551be1395bc869fbb5e729e0594d7adfe77bca3cb06809ade7da8d2d04dc5ef06a7ebbf953ebdc9e14f6b39aee4340d69731022174db85f049a57110e59cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
caa57ad472fee11059086c2ab022d83e

SHA1
d7faaa2056662caa96d1ef2140d044e38a4b28a9

SHA256
4b6e8f2b45e1ac6ae1db11a034c30edbaa8c9e74691ef6a126cc1cef0456da3d

SHA512
1ac74a8de188964ec86d6ce3d5c0dbfc988b27f645a634866fb3d2ae8e4677ebda1183711e5622a6cbf2f6a31314d113f0bb93de5f162a0c0fc6a30dc61858cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9e6030b7f5d97e38f4f6888bec3ebd70

SHA1
8aa3a31094c5ad9cce69e5606884cbbd53120369

SHA256
c137375828f18ca4110df3736ae54cb0bfb304543735cb5ca67b6e8105d9d21f

SHA512
eb24552c4210e7a27d8e4bcb9aba47b5c2542421eb9b49b786b670831117a2ee7e2c4e8c81e22ad1d86fd5b7263bbdde5ce141edf61740abd429d77c44d34c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5770fa.TMP
Filesize
1KB

MD5
70ac67ef42e14c5d424966364ea675b0

SHA1
259927d43f4b4a2fc21496e0fc799b9922cef7fb

SHA256
954560892f9cd3a5ea62b98055b50fc93c183e95aa1047cd817c4d3b8886e80d

SHA512
7924664697613e6d2d30125fd9d1651991d2b2e4908668f4bd9a4c7e11db6c9452d7a059a5c9f227af3286d0b3376a786d8f006fc864570d0952140b966a42fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cookies
Filesize
20KB

MD5
5bca82136f6b23402423eb1fcbbadd09

SHA1
c508e343805c7a446e74f71cd4480133d645eaed

SHA256
9c865b65d48eef6dd30724a787f79fa459e9d645b7ff0ba4cc6962537c5d76c5

SHA512
fab79e56cb35e1c5b5ca64d2309bd5b08c62b4d1fea7d7010ffb00966e9ed6516707364bf875334771c166d01efa6666d6aeae4104f09104db1d67a6c2421a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
e8f2602735fbdedc4718d7060819758f

SHA1
6be60e74d1fdbc5ab697e25764f39a58050903f0

SHA256
7052cd0ba7222523a092155c5847a19173f98d2ba92308dae4c10d2a6acb04cf

SHA512
0be674249f475b58d0e3a140543553a431aad933d842fb66e0fcb9af9d492c4e973cecfa577e213de838f93f25fa99ff53a5ee0a9f44af5d1456ccc9e69a5fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
7f77cb777b0fb8be8c8d41a27aa8f447

SHA1
36ac1880d161db50b9ccc30246e8294fa7ca2db9

SHA256
1a442dcb46c2cd58473ec436c74e93ee2642a06d1c8f6f77826248c299a7c6fd

SHA512
74ae132887ad7ea265c5c36df42089745be64bacb9befc127017bf93a8cb241032123c09356dfbe1fc0a499de020ab55e1e28e60c3544eb5f86b5da0f7c953a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
Filesize
8KB

MD5
b93e6aba5e1209276eca65ceddebe118

SHA1
bac37cf2b90cc74d58680e92d7ab1dadffbc27a8

SHA256
cb7426d7959a5567f862ddc9034ca72a22b21811bf1ca8c1d9ff0d4d99ee2334

SHA512
bb30fbf53c8984eeb30738ae6b1d3eb630250abb065b4dee004d962384b08f5f01e1e4e9bcbe0275506a485ef4e424ea7a0dc6732e6bb7c7543275837bd36517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
318664e4b4bdd62ffff549b9162462ea

SHA1
4d153a81eacefb57db3fc2dc01fa1a26afecf65f

SHA256
ac649f87c8b3f2f697385866b426abf0b7c2a90ce200fd42e39f0b6e635ed4d7

SHA512
edf6e243c67488b65159d0a05cc605a3ba8cf0e23a2dba16384ad2b98c8615b6bb18b9be879e5898c3a9b9225d74d962cad8eb2924f594fed06edb7ce40fb6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
8f5fd93f2c6f56f141417715801b128c

SHA1
dd955d769cad4b07f3817233f383d3b0f0e32dc5

SHA256
90d0802626a265653d0f463b24285cefd20bfbbe72ede50622aa4ea104115547

SHA512
2666024f35282d2162e62f03692d1eea695f639bacbd6210380f39bb33e0072741230b53bdde698f50d1a8d4cc1a85fa79a5afc8bece83f5a9e1ce2a1a5d160c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
8bb11300c9936bdb7cd92cde7836efb5

SHA1
9f3277f6edea96e41a89c7559e0179966cf0e4e4

SHA256
eb6156f0580abc4e23e9f7b790fd649e0402fa93869cac7de9ba28f61bea4f8e

SHA512
71b5f7f600cec8c5e7882a25a274c7b0e737351d975fea899c0916367216d17e3ff8bdb748813dc961c5ac68c54b163f50fd6d603c2786a7d4470febd7c5f36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
a60f18d5af1bbc2b2376887d94e0b8b2

SHA1
4520108b73022b566223b6f023fd788648b4628c

SHA256
1c927e9a71aa591497af1b1838f409d34176948a8930174e3e3822bc9c069393

SHA512
7efa7a8ef59380d278cd130adb3abd7663784bd9713fdd82026942e62587ad3e139d0dff64bd28a97bc41b1c3653e91c8c85ac714f448be4cc6e7dca7201f9c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
e35a775875b849297bc7eb5bd9e371af

SHA1
19685001e32a99c088abf8761d1e0f6da8103372

SHA256
2aeaf1834ebcfc59f7b19d9e68cf9e914874605d10e8189d54247d6ccefebd38

SHA512
b1de2e80f21e4bad70d7c0ec0fdcb05b5df6eec60e28a6b88dd8fe9a2748a7b72f1699ae318d121cbf3a4857ea13438fafd805c4487acb691cad62779683585f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
f9df1ce0cd01517278de6aef4fbfacf6

SHA1
d7ad469520423f52df6646137bd7ba7057832b7a

SHA256
7fc848eb49c41bef34a14e890d60b926781b03594744afe47b49475ffb8a3f4b

SHA512
aa841e87f9619676726f3504ca47cbd78242e37fa94be53893e40c8e5c23026f0bb3c98d76c20b84afa276da8999c7a704c4f83c7ed0f0ed5636a4691fdb989d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
7eabffb7d897741ce4e7b59f15a926dd

SHA1
ce0c37c8f0d70e029136b1c5326263b0339eaf2f

SHA256
5613bdfaad5436a11726f30ebc177e56eed364d5173d8c710b2abb6398f4dbf6

SHA512
28a066c235039e2941ba207429145a97dea3294d1654773300485bd9d5ad00347d5db42ce2e3e21f7443669d6a37f9e149e1d3966a95b1f642cd187a96037f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
bd68dfd032e37b4637bd5cc57b6f5c04

SHA1
4867376ac46f4ad3c2e09033dc05746603f9b83f

SHA256
fb3c5df7b5c4866464561a7d039a4e863b2e41d45e7c785f0666c156e70b33c7

SHA512
4709b1022cda0636b45d3b0e7537ce3a4d3302d239d4fd3e14aa92caf5cc0f81b8e0453a0f8a5de4312fc826ae28b65148e2f1334660da1b3452f2065d6d1d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
Filesize
16KB

MD5
87b103848d68ca83e76e6b9470260ce2

SHA1
53a4b65e269c72efc6ac8ccbbbbca23d4654170c

SHA256
9e72892ed1a8c142a4f9742fcf4b1d0180ddc1f438d166ae06666ba7cfb264cf

SHA512
d06f709adf179d24a0b57b3b68b8719e40caa65ebb4e263e4973b3ee3f692210ac6f5f08a8bb7b3670b8cd9a61da589eee29ad2e9d3f204f16e235be513db885

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswb19aa99ff289d753.tmp
Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\INetC.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\p\ServiceUninstaller.dll
Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\p\pfBL.dll
Filesize
10.4MB

MD5
6ddffba31fda380b0a1a71e2c5918624

SHA1
4bae4d95e8be8d6f1a73f6760791785302b5e4ab

SHA256
ee033fdbd7bd82848426fce765c13eaccb0c0211eb1d586ef8e5288aee25aea0

SHA512
fc6b9e0c1b752bb5068c76e048663fd1492a6d3c3b99c42c4db57009fd111ad6cf94fd37438acd5ed3f5d6f5e50888d6dab4e909e3c796b8d308ae5d513e73cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\p\pfBL.dll
Filesize
10.4MB

MD5
6ddffba31fda380b0a1a71e2c5918624

SHA1
4bae4d95e8be8d6f1a73f6760791785302b5e4ab

SHA256
ee033fdbd7bd82848426fce765c13eaccb0c0211eb1d586ef8e5288aee25aea0

SHA512
fc6b9e0c1b752bb5068c76e048663fd1492a6d3c3b99c42c4db57009fd111ad6cf94fd37438acd5ed3f5d6f5e50888d6dab4e909e3c796b8d308ae5d513e73cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ui\pfUI.dll
Filesize
14.8MB

MD5
60c35f3523c9d22e1b502508ff757a96

SHA1
b124d2ad2c9b09181d9ee983ddf7a5d39b6b70cb

SHA256
eb929d174316e6ac2c0a109694f856f348c3c02208b40b34386406f7f572763c

SHA512
5ede92756cfb2da5114e78cf6f539d3015099ebfbb04951d967bfccc73c10cf9a457f218cf6ca0889a13131c651d58ab49d44e8fd1f19e91da65784c9908a3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ui\pfUI.dll
Filesize
14.8MB

MD5
60c35f3523c9d22e1b502508ff757a96

SHA1
b124d2ad2c9b09181d9ee983ddf7a5d39b6b70cb

SHA256
eb929d174316e6ac2c0a109694f856f348c3c02208b40b34386406f7f572763c

SHA512
5ede92756cfb2da5114e78cf6f539d3015099ebfbb04951d967bfccc73c10cf9a457f218cf6ca0889a13131c651d58ab49d44e8fd1f19e91da65784c9908a3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ui\res\CC_Logo_40x96.png
Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ui\res\CC_logo_72x66.png
Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ui\res\Montserrat-Regular.otf
Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7621.tmp\ui\res\PF_computer.png
Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
2dbb384f5e5e947de14ac09977480218

SHA1
fdc1b78aedd780d3b02b3c6d603bedb724fc95a4

SHA256
9c69bda8a1107e1bdc8fd1f789d367792e71f41ff611b1b6ef5c9518e61f18af

SHA512
19ba90b1c283799e9bb808d45d1a74579a204c95e0f1f7cd1df2f8432f1ea21249974773e918cd366380e9be646f4fb61b16c60a2e6e257a5a66411520086d10

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job
Filesize
760B

MD5
93e08d56b226d4b3491f747056a8264a

SHA1
925999e255ce1f707b638748805fda98bedc4665

SHA256
e80871ded7b8776a6d5204de8fb75e54c0cb0534ead12476c8c0fe8bd7f8ff1f

SHA512
3fbee2c801ddf8fa80f436512ce350ad61a059ca5f5b100a8d1e898c07852d1af47ae0780494947cf4d5c27a4b14954fb0bc1c28b2272488c250ac0c5ea020bc

Download Submit
\??\pipe\LOCAL\crashpad_4856_LAYGJQAXTDWPCLRA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3376-340-0x0000000007A10000-0x0000000007A18000-memory.dmp

Filesize
32KB

Download
memory/3376-345-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/3376-294-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/3376-290-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3376-267-0x0000000007830000-0x0000000007838000-memory.dmp

Filesize
32KB

Download
memory/3376-273-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/3376-342-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/3376-270-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/3376-287-0x0000000007920000-0x0000000007928000-memory.dmp

Filesize
32KB

Download
memory/3376-265-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3376-285-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/3376-238-0x0000000006870000-0x0000000006880000-memory.dmp

Filesize
64KB

Download
memory/3376-264-0x0000000007830000-0x0000000007838000-memory.dmp

Filesize
32KB

Download
memory/3376-244-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download
memory/3376-262-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download