c313119701c422a0c2f407afee3bbf4e5873aab40b0edad82114a266e70fbb59

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup610_pro_trial.exe
Size

51.4MB
MD5

018bb8581be952817f0764eea8e47d8b
SHA1

3cf7fdb1ea7e525fad755c1557f10f016e16399f
SHA256

c313119701c422a0c2f407afee3bbf4e5873aab40b0edad82114a266e70fbb59
SHA512

6a4129796041833e6391c8a70157542f591cc61ba881a668779429d9e738b88a8648a0e62c6e0f10d3fcd7238f73d30df8c7b8c05c4be354ea5eaa483516016e
SSDEEP

1572864:fXa3QR9TUKGAqcudtTkpttagIc56qFVKtdgZ:fq3QR9dRqv3TyEEnCdgZ

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup610_pro_trial.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ccsetup610_pro_trial.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Executes dropped EXE 5 IoCs

Processes:

CCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid process

3660 CCleaner64.exe
1728 CCUpdate.exe
4328 CCUpdate.exe
3680 CCleaner64.exe
5272 CCleaner64.exe

pid	process
3660	CCleaner64.exe
1728	CCUpdate.exe
4328	CCUpdate.exe
3680	CCleaner64.exe
5272	CCleaner64.exe

Loads dropped DLL 22 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exe

pid	process
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
3660	CCleaner64.exe
3660	CCleaner64.exe
4132	ccsetup610_pro_trial.exe
3660	CCleaner64.exe
4328	CCUpdate.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
5272	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 11 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

CCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner64.execcsetup610_pro_trial.exeCCUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	ccsetup610_pro_trial.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup610_pro_trial.exeCCUpdate.exesetup.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Setup\90598213-e80f-4af0-ae56-199033ba20be.dll	CCUpdate.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup610_pro_trial.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230405155001.pma	setup.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\e2e2e240-043b-41da-8ab6-1c62199cf185	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1028.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\branding.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log.tmp.fa365af6-4d2c-4128-ae30-c81e47613b15	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdEng.log	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\event_manager.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.1a8be55b-2959-4c49-9f17-45ffdd31d34d	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdEng.log.tmp.297f8952-6ea9-4bdc-983c-a97db5536ebb	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerBugReport.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cb8f34b4-f4e9-4afc-a8e4-06d3da66a782.tmp	setup.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\44ED97C8-2D40-4A50-913D-673F6858B9AF	CCleaner64.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup610_pro_trial.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup610_pro_trial.exe

Drops file in Windows directory 2 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exeCCleaner64.execcsetup610_pro_trial.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup610_pro_trial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup610_pro_trial.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup610_pro_trial.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

ccsetup610_pro_trial.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_d7d_m"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_d7d_m"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_d7d_m"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe

Modifies registry class 28 IoCs

Processes:

ccsetup610_pro_trial.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Software\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\SOFTWARE	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_d7d_m"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup610_pro_trial.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\SOFTWARE\Piriform	ccsetup610_pro_trial.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup610_pro_trial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup610_pro_trial.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ccsetup610_pro_trial.exe

pid	process
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4768 msedge.exe
4768 msedge.exe
4768 msedge.exe
4768 msedge.exe
4768 msedge.exe
4768 msedge.exe
4768 msedge.exe

pid	process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	pid	process
Token: SeRestorePrivilege	4132	ccsetup610_pro_trial.exe
Token: SeDebugPrivilege	3660	CCleaner64.exe
Token: SeDebugPrivilege	3680	CCleaner64.exe
Token: SeShutdownPrivilege	3680	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3680	CCleaner64.exe
Token: SeShutdownPrivilege	3680	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3680	CCleaner64.exe
Token: SeDebugPrivilege	5272	CCleaner64.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exeCCleaner64.exe

pid process

4768 msedge.exe
4768 msedge.exe
4768 msedge.exe
5272 CCleaner64.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

CCleaner64.exe

pid process

5272 CCleaner64.exe

pid	process
4768	msedge.exe
4768	msedge.exe
4768	msedge.exe
5272	CCleaner64.exe

pid	process
5272	CCleaner64.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

ccsetup610_pro_trial.exeCCleaner64.exeCCleaner64.exe

pid	process
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
4132	ccsetup610_pro_trial.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
3680	CCleaner64.exe
5272	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ccsetup610_pro_trial.exeCCUpdate.exemsedge.exe

description	pid	process	target process
PID 4132 wrote to memory of 3660	4132	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 4132 wrote to memory of 3660	4132	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 4132 wrote to memory of 1728	4132	ccsetup610_pro_trial.exe	CCUpdate.exe
PID 4132 wrote to memory of 1728	4132	ccsetup610_pro_trial.exe	CCUpdate.exe
PID 4132 wrote to memory of 1728	4132	ccsetup610_pro_trial.exe	CCUpdate.exe
PID 1728 wrote to memory of 4328	1728	CCUpdate.exe	CCUpdate.exe
PID 1728 wrote to memory of 4328	1728	CCUpdate.exe	CCUpdate.exe
PID 1728 wrote to memory of 4328	1728	CCUpdate.exe	CCUpdate.exe
PID 4132 wrote to memory of 4768	4132	ccsetup610_pro_trial.exe	msedge.exe
PID 4132 wrote to memory of 4768	4132	ccsetup610_pro_trial.exe	msedge.exe
PID 4132 wrote to memory of 3680	4132	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 4132 wrote to memory of 3680	4132	ccsetup610_pro_trial.exe	CCleaner64.exe
PID 4768 wrote to memory of 3032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 3408	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 1224	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 1224	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe
PID 4768 wrote to memory of 4032	4768	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccsetup610_pro_trial.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup610_pro_trial.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Program Files\CCleaner\CCUpdate.exe
  "C:\Program Files\CCleaner\CCUpdate.exe" /reg
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Program Files\CCleaner\CCUpdate.exe
    CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\90598213-e80f-4af0-ae56-199033ba20be.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=1&a=3
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdcb8446f8,0x7ffdcb844708,0x7ffdcb844718
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:3408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    PID:1224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    3⤵
    PID:1564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    3⤵
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff75e105460,0x7ff75e105470,0x7ff75e105480
      4⤵
      PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
    3⤵
    PID:316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:1316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7165161996826908412,11696861304711760939,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
    3⤵
    PID:4228
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3680
- - C:\Program Files\CCleaner\CCleaner64.exe
    "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe

Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe

Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe

Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
31.5MB

MD5
10f73fbf9047789b611b3d35f2526334

SHA1
108b26ff38a2839a76300d87975ae23619469fce

SHA256
6e6fc50580fb43e0b68be7a6569818478a0accbdab425ea80830b450dc76601e

SHA512
ea0e77d31c4597022219f263f2defe19cef2cc69588dcd57e038354500f8f976c9bb9f185dc92e6fe1f33a0a09444dd9ae424f10ea6d722bbdf7a638c2fc5702

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
37.3MB

MD5
2989ffd5783532fb2d49588c9fc8b1c6

SHA1
d5b87c5402debd0434c02b2366fc2de50f47485e

SHA256
9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

SHA512
1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll

Filesize
8.2MB

MD5
eea47668c90db2fb6ea328e9f1760451

SHA1
d965bc56c1f0480b7e572c14ec84c5f5762dec85

SHA256
fefa23b99bc98b4dca30ae8d30bcb9220de4da0c5bdc5e6781ab27d5ccdfb6c0

SHA512
20460ed7b123e91ead45f1565c286dfb30472a020fa877690e6ee0d990181a61a01cb287b083e7f3546c8fa2de935a55df382cd2da176f92543df3f343e04d8c

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll

Filesize
8.2MB

MD5
eea47668c90db2fb6ea328e9f1760451

SHA1
d965bc56c1f0480b7e572c14ec84c5f5762dec85

SHA256
fefa23b99bc98b4dca30ae8d30bcb9220de4da0c5bdc5e6781ab27d5ccdfb6c0

SHA512
20460ed7b123e91ead45f1565c286dfb30472a020fa877690e6ee0d990181a61a01cb287b083e7f3546c8fa2de935a55df382cd2da176f92543df3f343e04d8c

Download Submit
C:\Program Files\CCleaner\Setup\051041cb-2c1e-426f-bb52-188f1fe94f32.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\07f640f1-4b29-4b91-ad9b-acee53f85c59.xml

Filesize
1KB

MD5
a8500f686252cdd13696bd7cd4df2df7

SHA1
4b8e01170a0fab56f250fabd6ec937e9a256d9c3

SHA256
693225b1c379176971faeb9ac2b49ab64750bf309d617f0bed0f7d2744ca57f0

SHA512
9c00c10ae75a5498593c0ae43be6b77b13d68e6db8367401127dc72a3ce5678b0a5e52d8b8b768af611a157b39e4fe7e44cfa5f257ac07c273142865bbf73499

Download Submit
C:\Program Files\CCleaner\Setup\90598213-e80f-4af0-ae56-199033ba20be.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\90598213-e80f-4af0-ae56-199033ba20be.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\90598213-e80f-4af0-ae56-199033ba20be.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\config.def

Filesize
48B

MD5
a7aae01415beba879259774ff60e4e07

SHA1
a169b7b90824154893ef8ca3ceb68483e794c118

SHA256
f79e0c02b2b3cfa15324e66531a4045c465ef3dcbd739a04b3e62d7977834479

SHA512
0539a6751bd2143906fda9c9aa89a09d9d448821512b719deecbe132921f4b190f6d1165176dd907d0a0157f85573f3a5726cb6d72e717aeeb101449f9cdf6d6

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
705a39c1b61a9cbca3e8e2a71ab4fdde

SHA1
8179af4878bcfb57f08399e3b74dce849b88ceb8

SHA256
631c578e7e2153957e6e07cf02bf9aa05cc7eb1c13d98e7b0270fb216f09e534

SHA512
e72ff8f7f0f09af06238fd8e1ea46769a35bddcb5e8921956edd9f37637ecf32bda3e533a57fec0c36b0830938a58a37c0777b1d1f8518261c1f579dfbfa5bc5

Download Submit
C:\Program Files\CCleaner\gcapi_16807097773660.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16807097893680.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16807097893680.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\gcapi_16807098445272.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
f78ed01dc018d93d97514821b17abeb6

SHA1
3fc7f0a1798984d9096f236f8c00d0c51d0f93ca

SHA256
6760baee8e30d8ae5cecbbb32fd6654f1ae0b1d696f2620d0a5ce72e4a428869

SHA512
1611df095c3e33e36da6b6cad1f134c05a01afb519878ed778eff79074aaec9fba00c4f10367de82af5a51fdbe956d0eac9f403ac7cbd8020b075bad05293b55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
471B

MD5
939210be30f0b72f324bbab238cc9192

SHA1
7338a905f705ceffdb0dd6d19c4d165d4f349ae3

SHA256
2b2c9349ee515290c2c1d237b81ffd252a5d5c53312ce416b56c195b2b662986

SHA512
291bbebc597f0c902b28e3a598b1b773e2513e0d139fd0842821e08a3bfb86ae9908ccf7c09a96fe9fc2db3be2fca49aeea9c845a82b414291fcd757dfabcb66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
44b62336566439a5fbb4302b0f772194

SHA1
327466432d01bc3548734f969607a24d0b5b8c70

SHA256
5ae40eaac0243875593258f6d16c24c5d5198f29d92b70528d35afeb327dd4f1

SHA512
cc92d041df83208ca9c7e7146901453a92a307f10404c009e5179bba5401a67e530742dd3233bbf51c39fb9720ca985c57210a269fbb5e57d15356d356280033

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
426B

MD5
8bfa0ff5167141b7449c70a5fc80bb43

SHA1
e1711381bd8ea5aebd4a28ceffdd70a852dfd341

SHA256
cebbfa201b09b3cb91b9937ba8c57df54c29f25c1400f6467aa46bc2134d0dfc

SHA512
53276547e873415efb611a89b275c6995fe079aa37cd2f1124665410224d38d9801f4d384e6efacef744868e00b1268799fd762235a0606b57ac441d177c241c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
6713d93a309f1d9b0abbba02f31a1428

SHA1
bf82a8b915f970ad709c800b31ca479019dfbff8

SHA256
1515b88e87105c2bbf1f4d3d561dcdf60052972a3f000508e126cfe4a8c94b06

SHA512
6a488427820ab76c0bf3988a9de351744db02c18e2e6ba1834a8f4d22c36ebe13a7cdab3bc5aeec0721dfc0bfc755552c5dd3aa95bae3140edec2e0255852898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
102dbed97da3e77bbedf26cfd73f6c64

SHA1
0681b887182025fe00afbeb995aa76bc1ebfabaa

SHA256
811910bac6f0be5f5795bdeed8d4251a8ad7eb908dd1339c2bf508d81ba3fca9

SHA512
47c31f67722e45bd016254e5c56de2bb74cd738f8ba7034200bd660a732bb3a3d6b115c75105a6cc8bbf55e645a71d091d42c558d35996ae0978588ad82a8b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
13a34971d447c30f59994f5ebb11b74d

SHA1
7856fba7569a1a94d0dee6bb62282af7d328880c

SHA256
b11a6e624d673e14718e9f59911264e98cf8d992b51225c629e9712cd8cc3be7

SHA512
56122e0e4f91e1631998977f60f4d8bb20f47bb073050092ea3e1e7270f2c71b571d024b0a77b0d297b7b69bb54169390af3c8043f89afa2b96be3f271a85806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e8946e4f697d7b624182dea5b91e3b62

SHA1
f7240bd8f6c7aed55da6f4d5eafb8410e0628d6e

SHA256
fd4d08fe8993a1f36b0ffcf52b14693a54a456ea0b8b2e6ee5b625be75fa1c7d

SHA512
e72bf04b2256d30b2f191ccb61f340614929baace9821aa7a7fd7f9ab2c42c981219612f2a4b4da03c3060e2c37a1d42c1d0161d34ff27b4ad7f509765ba01a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
993301e7dfc52978bd1a7241aed355d2

SHA1
dc081b816a7a28a551f4f196e9e4b8b603dc6025

SHA256
fcce78dc53f87d6d0b54360450aa2749b301958a91cd97d9d4462b716478d9d1

SHA512
4322139b0c42cee8dc5e1e7eeef84d1142c16a1e05a503995bd2cb467305a5e4762f4a6ecb26df0a5abdcb4cc4d454d32a957c2f8438f290768cf39b4d67155f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86a58a210ef8cb1e55a5030c61c47bec

SHA1
6e601fb96b742ea76a2b69d857b8ebeb9c90025a

SHA256
12805e62aee465bfe7ff809109971090ff83a4f8d000a0f28f9c53b908a61587

SHA512
fe25da1cce78a416b35b9b3a0eff5b55511e39d1cf6c4a744abf64a8cc837f6a76628555908b8a386ecdab82f896e2344cddb02bf15a1525f0267e07c9f33d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0eee5c4b13ad328afb5b42029b17238

SHA1
601a868669717c11765da4794437f2221e2da95e

SHA256
9c9c522585775fb6dae20ce985bdb0e7452e6c30c10308de7709f08eed754cd8

SHA512
56f974f41ffaf9a6423bd306de1433b04b3c542735ca4330b30ca00b4738f30100e75bdb52403f221344e4b23adeccae382d3ad69a471d476bda1ad6a49a1331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cookies

Filesize
20KB

MD5
348e03c6d1f7efa2c339090bdf9fdec5

SHA1
c7d1e70110177670dee86485b8827f70ac23f33c

SHA256
218013f39302350e39bc1acefa53609e06ddb72a4814d1df3e220319933401c1

SHA512
4ac2405e5320ba4578cc61abab2724c1bf746c4e7d2065e62e7e375d119e1a3218480a23d8dfae7c0f73dfce585682bfd18504081a945fcf09969e14652c80d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
007ee8983646cd768f1ab6f49bffc31c

SHA1
2dcd7de6b542da8396c84c9027c63286186afc21

SHA256
36fb7d211c701f273b4486018d0eeea999df4e1d5f98be4e669ff21b0a5cd25a

SHA512
9bc23cd0fc0e571e3100b80a4fd9affb77cca5b643be662321812603385fb9896866badcd31c4fb8a1a68de92f54d5d20ac043944d3231bc35477a0e12049fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
6036489e447fcfd325ee1eb4bc461d79

SHA1
8312af15fc89c95672e2d70d45be7f471aa94963

SHA256
04337ebe5fee4a6f73d56d7e1bdca847a65ce37f39308c3e9618e75200598392

SHA512
4d1fa16e6e8d7122abc66a139d9efd2b36b7908d7dccdba0031da459d21a481e63943ed3b8a69172cfe3210bfccd0fe7be9a1edbb2fbc76e760d4f2ce3a0ee59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edc46e5f-7c4f-4309-adff-96dc2b07e796.tmp

Filesize
13KB

MD5
84380f863bc305037e4dd851d351fd15

SHA1
caa697f63d3f1d5704171107fb99b9cf60e5333e

SHA256
71dc22d9cd469cf969d15a837fe3148de069413ab4460f92b6a6a7691240f436

SHA512
1f4f139109a58addf0bc3b0d824d9f3e8c576253194fb024a6ce309561475fee1786bfecd72d85414cddf94123d92ac4f2f9de8adb5da2765bcc4340f9716772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
d1ecbb57f5f6ef1001eacafbcc1fe78c

SHA1
daa735e53e7f2c5b5be01e089c5592fa54ef76a8

SHA256
16d2380861771fd92e595aeaad4feb973e73cab5557fd04b222500f98739890c

SHA512
b3c7a26ff752ccec7c40d5fc5b9244c6fa4453062dbe045f9b8ec0af680eb62aec7653551fc6164c28e0a994c0823be4ac8d17bd481b0bec20b8f92eaea88153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
a0c7808797337361a7b142541004bbff

SHA1
eb1f9172443cbffe7a80698d37bb99853b8bf866

SHA256
66fbb1373af9539d7b0f81a1987b3d5233c0286fbf59fcd8587690b757bf6eb9

SHA512
0fb6187280ee1f644b6f66804a22f3bf5538fdf7a0f150125bb55c3ea2bb9874df0472fdbf285121618c7a13e6fb8bf125fe8f270c94f870fe2f876db9d372c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
ea02d7699e40fa4d04edd78b3fdc9526

SHA1
521565adaffc3735a0eda1de32b21830485840dd

SHA256
2def59ce109b3f8ce768e7fa93185ba178e640d710ee93e23a876f9d15b3a6a2

SHA512
aff2415d79d3cde0676141cd598f419c1f4caa21b371658af6d6be803af82b1e9dba9a07941d3e75c73c1f92591aae5c79efd3f9be67a5ad6a91c6bf7086bdd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V0100003.log

Filesize
512KB

MD5
e7289fce035ae2a6d5b66faa9b2e5dae

SHA1
90358e1a76ab63689931a838a560e496bfcca1dc

SHA256
f2b6509ec1c7c16615a034855ee1a0a7d41325327c301866fd166363181e25c0

SHA512
32ab1e6e6807babce30c976c06edebbef197d1288edb3daf0c1fb295e2eb138af61e91a25a95ba5fdf69209bd41fd1d55a008d4017d2c49e1d9e5bba8502be13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
1c27d3502166c7f1e307ab9608e78e2b

SHA1
2670ec00fa521691857799134c16d641fd662268

SHA256
8b814a511dd888d1796dfb9d5aad608e6616bdcdf5c3fdcab9be651c7895934e

SHA512
3111d6940088f7d6c3cdb3e8a8968d8ceba4cf3dbf33229d1dae30e477277c71d59f3f6b0c21d5fc2198c3e66f07f2ecbae8434162edff052eedf4179aa8096e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
12237925e1fa9b3b5a51c37a2a80333e

SHA1
ce139dc1883650b5ce45128f911cad3a6818e008

SHA256
892516998a696f919ace24b570a77af27cc7ac12873447122b5888d2c9a28c24

SHA512
5604eaa8bbbc609599e0ceb7d5682a39082bbc8636cf0d022c4623c700fdbcc348a2c0b49745cef52eea895782bd6b673dac5dbd72f3f0a1efcf0ea327f00ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
26d458ac07df722c3faeffa401854f37

SHA1
cef791f47db4a80d742e3ffad9b91fae318956b1

SHA256
9f9a95a4aaaaa2f8ede0b91868e931fbfb83f39e4c0ebeca61d657c419c7f81a

SHA512
547c20608ed1b8b935e092adc144b34b7f233bb82093ef7e15e4c51107390fe3ea5b00a30702a9ad301bcf5526ed8de7f88dbb9e351432036e773822f01a8373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
1a4054b72486bac25872aa7ff6219e04

SHA1
8caf00a29cfb5a41c9608122069e1c8f37140f57

SHA256
f46cecb329a48667b06ac00456f66189fc8f194c64b26c919d8b74fe55d416b5

SHA512
435dbabfb1e873894ff1bfa5729a5b50663af1217f739d7e73b76fa5fef96cf32aa678be290fbbb0d94b4d69951d66dcdb4cb4d0b55e246ee4e2d4ded4addba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
c824a8c500bfa5a6340519f7b3191468

SHA1
ca55af94965ac0964c9adf96a404931098373e50

SHA256
e5532d70c4a21cb97a41341ed322d2700145cf5deb0f181e8f0a77195db2838d

SHA512
6bdb042f411da70bc8e69a3b78b09bf417ed8ae0d83bdc37b3067715e2ac2ef5e949b743988fa202e6162bf990730e68faccd2434507c936171789c96ffd6acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswc2414d003fbb9fa7.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\p\pfBL.dll

Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\p\pfBL.dll

Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ui\pfUI.dll

Filesize
16.4MB

MD5
d0ee52daa39b8b22eced053f68d5b765

SHA1
24675ba34154b43ab97fe27c9a15e8ed50d101b6

SHA256
3b71b214236e0fe464261e081628fb7d26fded5a08cca28820cf0a849310cd3f

SHA512
756f1628b40459e191cc96ffd75118cf8e7726764ca497504a0fa4a22a150347d1bfb993dd4c308f420fc57171eaac9ecba7b9761cb96929ba5f098ce56d76d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ui\pfUI.dll

Filesize
16.4MB

MD5
d0ee52daa39b8b22eced053f68d5b765

SHA1
24675ba34154b43ab97fe27c9a15e8ed50d101b6

SHA256
3b71b214236e0fe464261e081628fb7d26fded5a08cca28820cf0a849310cd3f

SHA512
756f1628b40459e191cc96ffd75118cf8e7726764ca497504a0fa4a22a150347d1bfb993dd4c308f420fc57171eaac9ecba7b9761cb96929ba5f098ce56d76d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ui\res\Montserrat-Regular.otf

Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8479.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9ed4e05f5c7262339ac62e9fa4aa6680

SHA1
0a386c5a435eaaf409d6988a56bb24a619fc10bd

SHA256
77e1ad329d1cea286e7fa4bba8627b32ebbd40a6e983a6fdef804a7b839d2084

SHA512
8e362d92d53792cd182119c43079475867a1a07c515dd1ac9546809d8f48e62f1af406130287b36e1225984f2a6ac4a9f01035b422371746dd3795086e21389d

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job

Filesize
760B

MD5
dd7a57c56576b8178cefd7bef70eb69f

SHA1
46ebf3ca7e7783352449875b31762d1d7f6901f1

SHA256
16d9bae466dbb9cf2a68c417b8ef74f5e74f224d2084de8184d154f573043906

SHA512
f41c1770882d4e691e5263bbe8dc2b88a71181a12fdd533de8a7791f4c37e905c3ffccf018ed20b54432c639475b796c42f4245158b63864cccc74084165f086

Download Submit
\??\pipe\LOCAL\crashpad_4768_JMBTPRWLZIQNOUYK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4132-265-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/4132-262-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/4132-264-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/4132-244-0x00000000069F0000-0x0000000006A00000-memory.dmp

Filesize
64KB

Download
memory/4132-267-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/4132-270-0x0000000007800000-0x0000000007808000-memory.dmp

Filesize
32KB

Download
memory/4132-273-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/4132-238-0x0000000006850000-0x0000000006860000-memory.dmp

Filesize
64KB

Download
memory/4132-285-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/4132-287-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/4132-290-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/4132-294-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download