a398fff09ee7b0aa3a77540e7efd3da0a9792b34fbc8820377cdb9c04dc6eb25

Resubmissions

29-03-2023 03:03

230329-dj9chsee46 7

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner_v5.84.9126.exe
Size

24.3MB
MD5

f5f6a78587b0daf42518a5dbf6ef028b
SHA1

5fd7e0493a6ee0dd60ae2d78a0c3c2ed918f6347
SHA256

a398fff09ee7b0aa3a77540e7efd3da0a9792b34fbc8820377cdb9c04dc6eb25
SHA512

724725bb1b2960ae648155af4463a83c4a18672fcc4d93143498000f5330374007b6e233942f626ab5d45e614d3d782aa2fca68789a290e8a60df9ee01e05afd
SSDEEP

786432:RN1dAWoyVU9uom48R5xTgWfWof+pph3Aw2I3D:RN1WAVvtVRAymnxAw2I3D

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Executes dropped EXE 3 IoCs

Processes:

CCleaner_v5.84.9126.tmpCCleaner64.exeCCleaner64.exe

pid process

4160 CCleaner_v5.84.9126.tmp
2604 CCleaner64.exe
4948 CCleaner64.exe

Loads dropped DLL 10 IoCs

Processes:

CCleaner_v5.84.9126.tmpCCleaner64.exeCCleaner64.exe

pid	process
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 16 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

CCleaner64.exeCCleaner64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 CCleaner64.exe
File opened for modification \??\PhysicalDrive0 CCleaner64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Drops file in System32 directory 1 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe

Drops file in Program Files directory 27 IoCs

Processes:

CCleaner64.exeCCleaner64.exeCCleaner_v5.84.9126.tmp

description	ioc	process
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Lang\lang-1049.dll	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-OII4K.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\locales\is-PBL69.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\locales\is-INVSD.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\unins000.dat	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-I6RBA.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-O0KOB.tmp	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\uninst.exe	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner\CCleaner64.exe	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner\CCUpdate.exe	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Lang\lang-1058.dll	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-0MCTU.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-2H8FM.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-P8DEH.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\Lang\is-KNH1T.tmp	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner\Uninstall.dat	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner\CCEnhancer.exe	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-59H77.tmp	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner\branding.dll	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-8R6DT.tmp	CCleaner_v5.84.9126.tmp
File opened for modification	C:\Program Files\CCleaner\unins000.dat	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\Lang\is-SK421.tmp	CCleaner_v5.84.9126.tmp
File created	C:\Program Files\CCleaner\is-L418H.tmp	CCleaner_v5.84.9126.tmp

Drops file in Windows directory 40 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00003.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00006.log	CCleaner64.exe
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20230329050419.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000F.log	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000A.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000C.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000E.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00010.log	CCleaner64.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000B.log	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe

Modifies registry class 14 IoCs

Processes:

CCleaner_v5.84.9126.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Software\Piriform\CCleaner	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Software\Piriform\CCleaner\Brandover = "0"	CCleaner_v5.84.9126.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	CCleaner_v5.84.9126.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	CCleaner_v5.84.9126.tmp
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Software\Piriform	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Software\Piriform\CCleaner\RunICS = "0"	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	CCleaner_v5.84.9126.tmp
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Software	CCleaner_v5.84.9126.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	CCleaner_v5.84.9126.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	CCleaner_v5.84.9126.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	CCleaner_v5.84.9126.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CCleaner_v5.84.9126.tmpCCleaner64.exeCCleaner64.exe

pid	process
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
4948	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe
2604	CCleaner64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CCleaner64.exe

pid process

2604 CCleaner64.exe

pid	process
2604	CCleaner64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

CCleaner_v5.84.9126.tmp

pid	process
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp
4160	CCleaner_v5.84.9126.tmp

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

CCleaner64.exe

pid process

4948 CCleaner64.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

CCleaner64.exeCCleaner64.exe

pid process

2604 CCleaner64.exe
4948 CCleaner64.exe
2604 CCleaner64.exe

pid	process
4948	CCleaner64.exe

pid	process
2604	CCleaner64.exe
4948	CCleaner64.exe
2604	CCleaner64.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

CCleaner_v5.84.9126.exeCCleaner_v5.84.9126.tmpCCleaner64.exe

description	pid	process	target process
PID 2028 wrote to memory of 4160	2028	CCleaner_v5.84.9126.exe	CCleaner_v5.84.9126.tmp
PID 2028 wrote to memory of 4160	2028	CCleaner_v5.84.9126.exe	CCleaner_v5.84.9126.tmp
PID 2028 wrote to memory of 4160	2028	CCleaner_v5.84.9126.exe	CCleaner_v5.84.9126.tmp
PID 4160 wrote to memory of 2604	4160	CCleaner_v5.84.9126.tmp	CCleaner64.exe
PID 4160 wrote to memory of 2604	4160	CCleaner_v5.84.9126.tmp	CCleaner64.exe
PID 2604 wrote to memory of 4948	2604	CCleaner64.exe	CCleaner64.exe
PID 2604 wrote to memory of 4948	2604	CCleaner64.exe	CCleaner64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner_v5.84.9126.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner_v5.84.9126.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\is-TF7VD.tmp\CCleaner_v5.84.9126.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TF7VD.tmp\CCleaner_v5.84.9126.tmp" /SL5="$80044,24999940,166912,C:\Users\Admin\AppData\Local\Temp\CCleaner_v5.84.9126.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4160

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCEnhancer.exe
Filesize
835KB

MD5
928cb9009e248e648280270255d6d44b

SHA1
5ff1b16d9da12d5325a8169ee1d7a770e62d660a

SHA256
4d025fad652ec6b890883f64e617f1e5dccfbff0dc857631695c6cf4315c1c23

SHA512
e0a1e4e667d71853dca434309d48beeb1d2a04f89c7c8bfc94f7a8c8f1cc3ba948f78e06ab6dea9aaeb1fdc3d6f40840de31bf5e4032907698f68f120bcb24e2

Download Submit
C:\Program Files\CCleaner\CCleaner.dat
Filesize
88B

MD5
da001983823494b2442a910f4e7642f0

SHA1
be196f9616b6f6658fdf661037bde66376e4b61a

SHA256
45c82b27541610b858281526341e8361df471eb8593897665571ff3bb7c21649

SHA512
cb693583c77c890c0c1bd6dd6b45b4b4911dcd3c86790ee2a91b04d410ca88aed16b65716daf2390a5d29451f3635fd946fa6bed73c5bb9105026b4fd968d68e

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
33.5MB

MD5
a49ac7fd0a2ab6427d59d3cf2995792c

SHA1
cae8707bdf112a5684ed50991221d66453765c31

SHA256
8645ddc0cf3099ad0928a69a576c69639facb481568962adb6aea4c197febbc7

SHA512
eef787d1d26676511113ccc1f545f0840d635e27ad582bcc7c9c09240e523577246900ca5da2f4c41c7638c662807f09f2efee2575371a15b37eaa6acfb6af6a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
33.5MB

MD5
a49ac7fd0a2ab6427d59d3cf2995792c

SHA1
cae8707bdf112a5684ed50991221d66453765c31

SHA256
8645ddc0cf3099ad0928a69a576c69639facb481568962adb6aea4c197febbc7

SHA512
eef787d1d26676511113ccc1f545f0840d635e27ad582bcc7c9c09240e523577246900ca5da2f4c41c7638c662807f09f2efee2575371a15b37eaa6acfb6af6a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
33.5MB

MD5
a49ac7fd0a2ab6427d59d3cf2995792c

SHA1
cae8707bdf112a5684ed50991221d66453765c31

SHA256
8645ddc0cf3099ad0928a69a576c69639facb481568962adb6aea4c197febbc7

SHA512
eef787d1d26676511113ccc1f545f0840d635e27ad582bcc7c9c09240e523577246900ca5da2f4c41c7638c662807f09f2efee2575371a15b37eaa6acfb6af6a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
33.5MB

MD5
a49ac7fd0a2ab6427d59d3cf2995792c

SHA1
cae8707bdf112a5684ed50991221d66453765c31

SHA256
8645ddc0cf3099ad0928a69a576c69639facb481568962adb6aea4c197febbc7

SHA512
eef787d1d26676511113ccc1f545f0840d635e27ad582bcc7c9c09240e523577246900ca5da2f4c41c7638c662807f09f2efee2575371a15b37eaa6acfb6af6a

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
47KB

MD5
b823a4ac4a449f7e5f08def393c0e848

SHA1
f65e00df7e852da267979882e561349fa382145b

SHA256
f51f6ac289daf6969497877023c93897165e0001eeebd82a3d92c9a12972c05e

SHA512
2d3b7d1f062b04c7673233ec83ccbc835087432b1f178e17c94dce8baf195417e2d06609c7bff63dfcb52cc449469d6d5c48b84040419cfa11a2923fceb10fb4

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
47KB

MD5
b823a4ac4a449f7e5f08def393c0e848

SHA1
f65e00df7e852da267979882e561349fa382145b

SHA256
f51f6ac289daf6969497877023c93897165e0001eeebd82a3d92c9a12972c05e

SHA512
2d3b7d1f062b04c7673233ec83ccbc835087432b1f178e17c94dce8baf195417e2d06609c7bff63dfcb52cc449469d6d5c48b84040419cfa11a2923fceb10fb4

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
47KB

MD5
b823a4ac4a449f7e5f08def393c0e848

SHA1
f65e00df7e852da267979882e561349fa382145b

SHA256
f51f6ac289daf6969497877023c93897165e0001eeebd82a3d92c9a12972c05e

SHA512
2d3b7d1f062b04c7673233ec83ccbc835087432b1f178e17c94dce8baf195417e2d06609c7bff63dfcb52cc449469d6d5c48b84040419cfa11a2923fceb10fb4

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
47KB

MD5
b823a4ac4a449f7e5f08def393c0e848

SHA1
f65e00df7e852da267979882e561349fa382145b

SHA256
f51f6ac289daf6969497877023c93897165e0001eeebd82a3d92c9a12972c05e

SHA512
2d3b7d1f062b04c7673233ec83ccbc835087432b1f178e17c94dce8baf195417e2d06609c7bff63dfcb52cc449469d6d5c48b84040419cfa11a2923fceb10fb4

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
47KB

MD5
b823a4ac4a449f7e5f08def393c0e848

SHA1
f65e00df7e852da267979882e561349fa382145b

SHA256
f51f6ac289daf6969497877023c93897165e0001eeebd82a3d92c9a12972c05e

SHA512
2d3b7d1f062b04c7673233ec83ccbc835087432b1f178e17c94dce8baf195417e2d06609c7bff63dfcb52cc449469d6d5c48b84040419cfa11a2923fceb10fb4

Download Submit
C:\Program Files\CCleaner\gcapi_16800662852604.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16800662914948.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16800662914948.dll
Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
f102222780156bc5e8c1348cbe1fb440

SHA1
dc976538daba6a6f7dee61c24bb145e3796c4c77

SHA256
37d0f7a6ba32ff27d6b35678aeb9baa84780b403f97aa408e693dfdc2572dc3c

SHA512
c3c50d9f92bfb7841e3dfe1d204bed2bf1efce75e362b18b151434315743d41dbe6a3a101abd38caf65f2ea0d65edcc0ff40ee5440a52780885901d075b15d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
14.0MB

MD5
0c2b5ebc521c3fd1c04adbc5af73b25a

SHA1
fcea22a12093e4cbc65d4d886fd8a9c61b683b0f

SHA256
7344d435147b422956a19447aadc722fa160f5d7f3807ba87da5419ecb50a01c

SHA512
c06fb1c28c7d6d5dde48e6dc9cb629f38c53831c978b2ec5c356e3730e11aa483ffcfb2353565507fe6dd7f19e5ad58374d0d10036c88abc96d557f64ba08a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\1.png
Filesize
17KB

MD5
01975f781549e90c099201bd9ec59611

SHA1
44e2909c7e832916d1d7355b277e720b22fcd31e

SHA256
d8befc4f53bf858386d5f5d3fc0931a89b84f3df7bf96b306c69e0a3e921178e

SHA512
36d91f1369803045f9a59854acc5f67f88eaa509baae7660f9d745231849f10629e7fac5e4139d1b98366704a31f630e3176c929121ef29bd8263ffafaae1cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\Installer net.png
Filesize
11KB

MD5
1c5bfe3b17ae62449e5f9e42b762f33b

SHA1
47f77205abb1318baf5e3add0670b7ee9fbb8f24

SHA256
567a2d3cea865f672b63e6ff44fc7091173a79fa840c9d20286ecd5429029823

SHA512
07e8c8f38e4e8477248092656af2e6844e325e301647a84efd2435d9cf3e5876e17dc1baaf18435f7a90459a6ce35b47fee36f3098b74604e48c87072210cced

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\Portable.png
Filesize
23KB

MD5
89475a0f65e50ee9c484967ebc348ab7

SHA1
06ba9bcdada628fc6b0a77437c8f700004ae4648

SHA256
5f9ca566d37e1f25d19bbf5f885862808cb6b3d1a4dbcca5af812a58ae6fedf9

SHA512
d062a31dc8cacc15159e96b18f8aaa01c4457cacc7e0f6cf78b78bc30600dadfc3d12932d6ba72b03197df7d3c2d86757c474774bca3c430d7d0c8710713b0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\eng.jpg
Filesize
704B

MD5
4ad999118697c0735eed9b5437e2ddd9

SHA1
6f4c6026e3e31f8eaac4ab9ba633cdc64541a2c1

SHA256
ee6d8d45a073ff7c69012cf34b1fa4dafed071e709f64143d57a42be5bb6e7f4

SHA512
bf62bca3fa087cedf89c93a2a4952922e6ccf4c1ad356e68db33aae59bc10309fc37d778180ad20f48c8473a9c44fde3614a19c7e762c85588af0ca83c93ecaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\icon.png
Filesize
3KB

MD5
6c8630ca7cbcaabf9280dfc4b7bc57bd

SHA1
b51792a4cb96dacbe52c9f8ab91d5f5063dc5823

SHA256
8caaa6de2cfbaa3216a4545f2f996f084f1ecf313a6b04508bed453b7d31ea71

SHA512
6e10e2be2adbf4092b539ca0ebb87ca96f41df0cebe464175584ec8b9b769182ba6dd6e4e5cc750c3320a2e25d1c69fda6422688497c0bb73edecef127b4c43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\iswin7logo.dll
Filesize
74KB

MD5
7363a2a5949c9f613cde458b89deecb5

SHA1
fb25bad5d2625210c4cb47a9c24b853e63d52ae0

SHA256
196390762f6393024e0c5d33b037d497c5a8cfdd6c406719c05b0081d7e45cb5

SHA512
323f8eb42f355a0dc2df2b5b2d7711842c688f770e4ea8cb671228c60e8f2dbd92468e248a824822a08ee557075b7aaa8e42ca7b870f49c4385c6b2e9227a021

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\port neaktiv.png
Filesize
11KB

MD5
893aa141cf93c75adeeb0f4e7ec917bc

SHA1
36bb3105e25671d2aa0da41e6f906f5bc24119f9

SHA256
f87de21bac4f7ee32d32f65c6754f57057bcb8b00376f13a9275e86b722c2fd9

SHA512
0a630b83b4ad69ccd0a5d48999e8702e3d8e72208a50e0b3efaecaca87d71995b8bc55c1a19918cff75710ad086d552a57bd1e861e7db2303959dc3ba2e7fb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMO27.tmp\stac.png
Filesize
15KB

MD5
eaec12cf0e741d23cbf1a100e7dee23e

SHA1
d4e20ea202eccedb63c35ee138726fadf16abd9f

SHA256
b38e0315691adf47090665ec21aee0c0cb5014246cfe0edf0c1f1ff36c45d2ac

SHA512
344c5f14efc854f579e925928ff3b95e213f4cf325e1d80359d7ea756b11f11d756338a921a370f6308abe78981f8f5808f4941b4646d31c7ee1819bb8216c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TF7VD.tmp\CCleaner_v5.84.9126.tmp
Filesize
1.5MB

MD5
80cd878c042109d2c10b96885206a1ef

SHA1
7091b0e09214fc75d8956c05c2edcee9f095f3ac

SHA256
75a6fe1438cd7f42f0887cad8c6b30abe06da6feef447aaeb65108ab04ef4fc5

SHA512
681fca5d1b5abe5182ce68928f7424314b5ccc25cd83778076b74f646a7f2413bc24cccc317df1fd0857c11b39019ddd195e5179e9e5a4933067b0157bb54a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TF7VD.tmp\CCleaner_v5.84.9126.tmp
Filesize
1.5MB

MD5
80cd878c042109d2c10b96885206a1ef

SHA1
7091b0e09214fc75d8956c05c2edcee9f095f3ac

SHA256
75a6fe1438cd7f42f0887cad8c6b30abe06da6feef447aaeb65108ab04ef4fc5

SHA512
681fca5d1b5abe5182ce68928f7424314b5ccc25cd83778076b74f646a7f2413bc24cccc317df1fd0857c11b39019ddd195e5179e9e5a4933067b0157bb54a53

Download Submit
memory/2028-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-302-0x000001B8CBDF0000-0x000001B8CBE00000-memory.dmp

Filesize
64KB

Download
memory/2604-330-0x000001B8CC950000-0x000001B8CC951000-memory.dmp

Filesize
4KB

Download
memory/2604-273-0x00007FFCB3F70000-0x00007FFCB3F71000-memory.dmp

Filesize
4KB

Download
memory/2604-274-0x00007FFCB3FE0000-0x00007FFCB3FE1000-memory.dmp

Filesize
4KB

Download
memory/2604-275-0x00007FFCB3F80000-0x00007FFCB3F81000-memory.dmp

Filesize
4KB

Download
memory/2604-276-0x00007FFCB3410000-0x00007FFCB3411000-memory.dmp

Filesize
4KB

Download
memory/2604-271-0x00007FFCB3F60000-0x00007FFCB3F61000-memory.dmp

Filesize
4KB

Download
memory/2604-270-0x00007FFCB3F50000-0x00007FFCB3F51000-memory.dmp

Filesize
4KB

Download
memory/2604-269-0x00007FFCB3F40000-0x00007FFCB3F41000-memory.dmp

Filesize
4KB

Download
memory/2604-352-0x000001B8D58C0000-0x000001B8D58C8000-memory.dmp

Filesize
32KB

Download
memory/2604-350-0x000001B8D5890000-0x000001B8D5898000-memory.dmp

Filesize
32KB

Download
memory/2604-338-0x000001B8CC380000-0x000001B8CC381000-memory.dmp

Filesize
4KB

Download
memory/2604-335-0x000001B8CC950000-0x000001B8CC958000-memory.dmp

Filesize
32KB

Download
memory/2604-332-0x000001B8CC960000-0x000001B8CC968000-memory.dmp

Filesize
32KB

Download
memory/2604-272-0x00007FFCB3FB0000-0x00007FFCB3FB1000-memory.dmp

Filesize
4KB

Download
memory/2604-308-0x000001B8CBE50000-0x000001B8CBE60000-memory.dmp

Filesize
64KB

Download
memory/2604-326-0x000001B8D5910000-0x000001B8D5918000-memory.dmp

Filesize
32KB

Download
memory/2604-328-0x000001B8D59B0000-0x000001B8D59B8000-memory.dmp

Filesize
32KB

Download
memory/2604-329-0x000001B8CC960000-0x000001B8CC968000-memory.dmp

Filesize
32KB

Download
memory/4160-194-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4160-196-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/4160-238-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/4160-163-0x0000000003460000-0x000000000346F000-memory.dmp

Filesize
60KB

Download
memory/4160-264-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/4160-145-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4160-193-0x0000000003460000-0x000000000346F000-memory.dmp

Filesize
60KB

Download
memory/4160-192-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download