Malware Analysis Report

2025-08-11 06:04

Sample ID 240222-w3ax6sea93
Target ccleaner_pro_6.09.10300.exe
SHA256 3c0186b73c42ce88cd6124dc54333f70fb7235b35bc32a6b57a8c9c7fca63b2c
Tags
bootkit discovery persistence spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ccleaner_pro_6.09.10300.exe shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Checks for any installed AV software in registry

Checks system information in the registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 18:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 18:26

Reported

2024-02-22 18:28

Platform

win11-20240221-en

Max time kernel

83s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccleaner_pro_6.09.10300.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Avast Software\Avast C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\AVAST Software\Avast C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Avira\Antivirus C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avira\AntiVir Desktop C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\AntiVir Desktop C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\Software\Avast Software\Avast C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\KasperskyLab C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Avira\AntiVirus C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avira\Speedup C:\Program Files\CCleaner\CCleaner.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files\CCleaner\CCleaner.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Program Files\CCleaner\CCleaner.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\CCleaner\CCleaner.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\CCleaner\lang\is-8IM3R.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1052.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1053.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-2074.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1044.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1066.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1067.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-8T9GG.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-I4PB5.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1038.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1092.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1034.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-QAQM1.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-8KM63.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1027.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1058.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-PTI33.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-8ICHN.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-VBSQF.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1054.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1041.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1071.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-1HUGJ.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1060.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-3E59P.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\ C:\Program Files\CCleaner\CCleaner.exe N/A
File created C:\Program Files\CCleaner\lang\is-1NVDC.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-982VE.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-JKJCE.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-QETLB.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner C:\Program Files\CCleaner\CCleaner.exe N/A
File created C:\Program Files\CCleaner\lang\is-FSDSP.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-J40Q5.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-EQJQE.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-29LKT.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\is-ON7MH.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\ccleaner.ini C:\Program Files\CCleaner\CCleaner.exe N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1028.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1035.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-UD32F.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-NB893.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-DJ3GR.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-6LT3J.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-QT0KL.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-MUJ3I.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-3098.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\CCEnhancer.exe C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-5PAEB.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-0I6QT.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-BHR6B.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-VTTI1.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-P6GJ7.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\is-A7P8S.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-ON6EM.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1029.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1155.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1081.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-005P6.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-CU4KB.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\lang\is-O656D.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\is-AJ63O.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File created C:\Program Files\CCleaner\locales\is-LJJU0.tmp C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\ccleaner.ini C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
File opened for modification C:\Program Files\CCleaner\lang\lang-1046.dll C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\CCleaner\CCleaner.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\CCleaner\CCleaner.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Program Files\CCleaner\CCleaner.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Program Files\CCleaner\CCleaner.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1" C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol" C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\ C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\ C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\CCleaner\CCleaner.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\CCleaner\CCleaner.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\CCleaner\CCleaner.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\ccleaner_pro_6.09.10300.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mode.com
PID 2288 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCleaner 6.09.10300.exe
PID 4308 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCleaner 6.09.10300.exe C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp
PID 4776 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp C:\Windows\regedit.exe
PID 2288 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2884 wrote to memory of 1392 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2884 wrote to memory of 788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2884 wrote to memory of 3032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2884 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ccleaner_pro_6.09.10300.exe

"C:\Users\Admin\AppData\Local\Temp\ccleaner_pro_6.09.10300.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\en-us.cmd" "

C:\Windows\SysWOW64\mode.com

mode con:cols=50 lines=10

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCleaner 6.09.10300.exe

"CCleaner 6.09.10300.exe" /VERYSILENT /MERGETASKS=desktopicon

C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp" /SL5="$500D8,54886285,64512,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCleaner 6.09.10300.exe" /VERYSILENT /MERGETASKS=desktopicon

C:\Windows\regedit.exe

"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\RarSFX0\settings.reg"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://getintoway.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc5f663cb8,0x7ffc5f663cc8,0x7ffc5f663cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,1906004412127174233,621835598311859448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8

C:\Program Files\CCleaner\CCleaner.exe

"C:\Program Files\CCleaner\CCleaner.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 getintoway.com udp
US 162.159.137.54:443 getintoway.com tcp
US 8.8.8.8:53 52.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
GB 172.217.169.34:443 securepubads.g.doubleclick.net tcp
GB 172.217.169.34:443 securepubads.g.doubleclick.net udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
GB 216.58.201.97:443 lh3.googleusercontent.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
GB 216.58.204.65:443 6f3b1e186cebe42a8c979b725febb435.safeframe.googlesyndication.com tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.193:443 tpc.googlesyndication.com tcp
GB 216.58.212.193:443 tpc.googlesyndication.com udp
GB 172.217.16.228:443 www.google.com tcp
US 216.239.32.3:443 csi.gstatic.com tcp
US 216.239.32.3:443 csi.gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\en-us.cmd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CCleaner 6.09.10300.exe

C:\Users\Admin\AppData\Local\Temp\is-O2EPC.tmp\CCleaner 6.09.10300.tmp

C:\Users\Admin\AppData\Local\Temp\is-O98AO.tmp\ISTask.dll

C:\Users\Admin\AppData\Local\Temp\is-O98AO.tmp\VclStylesInno.dll

C:\Program Files\CCleaner\lang\lang-1049.dll

C:\Program Files\CCleaner\CCleaner.exe

C:\Program Files\CCleaner\CCEnhancer.exe

C:\Program Files\CCleaner\ccleaner.ini

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2884_WORHHMYEWMVYYWSG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ca85eb3-05d8-4235-b971-9cf6e21f2fd5.tmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Program Files\CCleaner\CCleaner64.dll

C:\Program Files\CCleaner\branding.dll

C:\Program Files\CCleaner\gcapi_17086264714868.dll

C:\Program Files\CCleaner\CCleaner.dat

C:\Users\Admin\Desktop\CCleaner.lnk

C:\Program Files\CCleaner\winapp2.ini

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
