0cd53b38aff244f57afc12e7393b543d82e7eed2eecfc2fcdb034fcd1f3bd2ee

Analysis

max time kernel
45s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PC_Cleaner_setup.exe
Size

7.5MB
MD5

f004da3d2f9f3ff3437089759bae8cfd
SHA1

f0106d7e51cca3cfe35c4c6d6d53e9bdaddc7ad7
SHA256

0cd53b38aff244f57afc12e7393b543d82e7eed2eecfc2fcdb034fcd1f3bd2ee
SHA512

b09d5cbca0252acb6b3414ad60956686731bd3b5e57c20bd993593f06a7611daab8c68c35218881fffb25d0f5546a3b3326ce1f532c85bf6965ad6c4b86bb7f8
SSDEEP

196608:WW3n0Nma5Jn2JxKSxpYseYy7/fFs49fyJmJuSpp:p30h32JxKSxpYagq4kmJuSpp

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	PCCNotifications.exe

Executes dropped EXE 3 IoCs

pid	Process
3840	PC_Cleaner_setup.tmp
4512	PCCNotifications.exe
944	PCCleaner.exe

Loads dropped DLL 3 IoCs

pid	Process
4512	PCCNotifications.exe
944	PCCleaner.exe
944	PCCleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	api.db-ip.com
141	api.db-ip.com

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PC Cleaner\is-7LIQE.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-EFLTA.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-TDQ3L.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-LBF51.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-QV6T1.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-K03R5.tmp	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-1S0EJ.tmp	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\sqlite3.dll	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-4D66K.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-UTPN6.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-FE35V.tmp	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\PCCleaner.exe	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\PCHSUninstaller.exe	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\PlayaSDK.dll	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-9JT8P.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-IUIC1.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-2C02T.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-962NJ.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-1KHGP.tmp	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\net.db	PCCleaner.exe
File opened for modification	C:\Program Files (x86)\PC Cleaner\net.db-journal	PCCleaner.exe
File created	C:\Program Files (x86)\PC Cleaner\unins000.dat	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-VQRLS.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-HDBAO.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-8BLVN.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-5HIP7.tmp	PC_Cleaner_setup.tmp
File opened for modification	C:\Program Files (x86)\PC Cleaner\unins000.dat	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-91GA0.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-P2T6C.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-M86A9.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-KAN49.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-PD1AC.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-C83LD.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-7ESK9.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-HFK63.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-78U98.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-CN69F.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-4CKMK.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\unins000.msg	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-9M6QT.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-G65V9.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-N3GNE.tmp	PC_Cleaner_setup.tmp
File created	C:\Program Files (x86)\PC Cleaner\is-2H48F.tmp	PC_Cleaner_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PCCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PCCleaner.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	PCCleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	PCCleaner.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\PCCleaner.exe\SupportedTypes	PC_Cleaner_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner\shell	PCCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppc_encrypted\OpenWithProgids\PCCleaner.ppc_encrypted	PC_Cleaner_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted\DefaultIcon\ = "C:\\Program Files (x86)\\PC Cleaner\\PCCleaner.exe,0"	PC_Cleaner_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PCCleaner.exe\SupportedTypes\.ppc_encrypted	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.ppc_encrypted\OpenWithProgids	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted\shell\open\command	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppc_encrypted\OpenWithProgids	PC_Cleaner_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted\ = "PC Cleaner Protected File"	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted\shell	PC_Cleaner_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner	PCCleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner\shell\open	PCCleaner.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PCCleaner.ppc_encrypted	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PCCleaner.ppc_encrypted\shell\open\command	PC_Cleaner_setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted\shell\open\command\ = "\"C:\\Program Files (x86)\\PC Cleaner\\PCCleaner.exe\" \"%1\""	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PCCleaner.exe\SupportedTypes	PC_Cleaner_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner\ = "URL: PC Cleaner Protocol"	PCCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppc_encrypted	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCCleaner.ppc_encrypted\shell\open	PC_Cleaner_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner	PC_Cleaner_setup.tmp
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner\shell\open\command	PCCleaner.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PCCleaner.ppc_encrypted\DefaultIcon	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	PC_Cleaner_setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PCCleaner.exe	PC_Cleaner_setup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner\URL Protocol	PCCleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\pchscleaner\shell\open\command\ = "\"C:\\Program Files (x86)\\PC Cleaner\\PCCleaner.exe\" \"%1\""	PCCleaner.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3840	PC_Cleaner_setup.tmp
3840	PC_Cleaner_setup.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	4512	PCCNotifications.exe
Token: SeBackupPrivilege	4512	PCCNotifications.exe
Token: SeSecurityPrivilege	4512	PCCNotifications.exe
Token: SeSecurityPrivilege	4512	PCCNotifications.exe
Token: SeBackupPrivilege	4512	PCCNotifications.exe
Token: SeSecurityPrivilege	4512	PCCNotifications.exe
Token: SeSecurityPrivilege	4512	PCCNotifications.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3840	PC_Cleaner_setup.tmp
4512	PCCNotifications.exe
4512	PCCNotifications.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4512	PCCNotifications.exe
4512	PCCNotifications.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3840	1936	PC_Cleaner_setup.exe	85
PID 1936 wrote to memory of 3840	1936	PC_Cleaner_setup.exe	85
PID 1936 wrote to memory of 3840	1936	PC_Cleaner_setup.exe	85
PID 3840 wrote to memory of 4512	3840	PC_Cleaner_setup.tmp	90
PID 3840 wrote to memory of 4512	3840	PC_Cleaner_setup.tmp	90
PID 3840 wrote to memory of 4512	3840	PC_Cleaner_setup.tmp	90
PID 3840 wrote to memory of 944	3840	PC_Cleaner_setup.tmp	91
PID 3840 wrote to memory of 944	3840	PC_Cleaner_setup.tmp	91
PID 3840 wrote to memory of 944	3840	PC_Cleaner_setup.tmp	91

C:\Users\Admin\AppData\Local\Temp\PC_Cleaner_setup.exe
"C:\Users\Admin\AppData\Local\Temp\PC_Cleaner_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\is-IL3JM.tmp\PC_Cleaner_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IL3JM.tmp\PC_Cleaner_setup.tmp" /SL5="$A005E,6942773,831488,C:\Users\Admin\AppData\Local\Temp\PC_Cleaner_setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe
    "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4512
- - C:\Program Files (x86)\PC Cleaner\PCCleaner.exe
    "C:\Program Files (x86)\PC Cleaner\PCCleaner" /START
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffd4fd39758,0x7ffd4fd39768,0x7ffd4fd39778
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:2
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4712 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5172 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5504 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5508 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6092 --field-trial-handle=1924,i,3341354027025552693,814088628349211705,131072 /prefetch:8
  2⤵
  PID:2324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PC Cleaner\Cookies.txt

Filesize
245B

MD5
f64c612cf669e719dfabc162fbdd61e5

SHA1
a3018caad39ab800f8f7e5df6b7de136e873e5d6

SHA256
a193f2eba15cef7fe439e4f0292af90bd46eee89730bd390e04c365f3e62deb4

SHA512
62922ce844b4b4285d6eb30b7515fc0f1c6552d5825aaa33d2d9cdc091d68cfd503c2d521bc3e26765df0600652487532f9ce8ab788f9931bf1cdd7bd045cec2

Download Submit
C:\Program Files (x86)\PC Cleaner\English.ini

Filesize
81KB

MD5
c304408a360456b08d1fdf319166702d

SHA1
5b58c82fd4f316aed09bbdcaeb1a895afc3f42db

SHA256
b6ccd92470726f0d35d0dc7a8f61dd0f17ac06c55550939351c49acd2809e919

SHA512
02cfbe75d6410cbb5484084176ef88fc1e4c5ec2cadf3eb871b14625b05770bc1d9ac0ff3022edddd312f7b603171bc963cd63623678ab4086265c4aa66c07e1

Download Submit
C:\Program Files (x86)\PC Cleaner\IDs.txt

Filesize
1KB

MD5
82b0c12afc82bb2ce9fe25055032012a

SHA1
c1686583e644f810495b49ffdde585ab53f5ae1e

SHA256
c1db4573e9d2a9c4fed3af2b14214c2a1a38db79fc72a77bd5239fc2c6c561b6

SHA512
ea825b3e8d3877e94fe3f6d14026e9c45f4f4b4cff7fdda7e935a23456289d8891d234ad0e72a04aced9d0a79610c94c270cc073e82fa2564fac41551c95684b

Download Submit
C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe

Filesize
1.1MB

MD5
46438aecb15ea7de354d5dfe6287abe7

SHA1
c32bc551121580dce97d529a35ec46600e2ecd76

SHA256
04ed636405c87e99bb331727c77c366b64fe961526bd346be299dee4ac084f3b

SHA512
934f0807f79f1922b7d6a8a5c89c6dcf901b5384c45f42bca57b766403b881f2a0034a3b3cc39e8bce39a32219371d2da53134e3f67c375da28265d14fef5f8d

Download Submit
C:\Program Files (x86)\PC Cleaner\PCCleaner.exe

Filesize
576KB

MD5
7b1496dd1d69d4928535f2163afa49b5

SHA1
7f092307c2ada20960a0ebd5b49d3e5a1bc650d6

SHA256
75075f633aa88ce333c31324a951e12c1454cba5876c763e2be30d49a671763f

SHA512
030f78f7df069e673289a7b1ab638c78c2a9eb0095c2de05ca220348ec22e7a0af673d1435c8f3b54b0a73abbdd0e488be318369cf33190166cab7689eef49f3

Download Submit
C:\Program Files (x86)\PC Cleaner\PCCleaner.exe

Filesize
697KB

MD5
62abd9ce7c9994577f49beab8f9aa835

SHA1
f682df0af6a9f31cf30c5140f4b6a7e23e9d7856

SHA256
71fc17f782322cce8ee2fe7585441e741825dd4dfac084a8a4363eff76c46b86

SHA512
985b145001832461ea5aee0f5983c0832d7f52862ca6784a39fd4ab6eb2cc88ab2b3b80e7cb955775d7029308dc9a739e3ab6ef6d1d5afbc870e34b679c3f680

Download Submit
C:\Program Files (x86)\PC Cleaner\PlayaSDK.dll

Filesize
960KB

MD5
11a813c0972b740937d3a7e2daf9ffcb

SHA1
4245b5a3c97f725c56a29d745767edebb5e3f15d

SHA256
3f933bced2d9f65d48f7c48715bf286fd431341a74e1ce15d39b7c4c96603cf9

SHA512
9a590dcab0cf7051d04743736ea7a6b74fa0f87539580cc41a58ad33a76574201e7b6d54d5100cbcd262266bc55b053243edd4860a2d43deeb1c164395e4a941

Download Submit
C:\Program Files (x86)\PC Cleaner\SList.txt

Filesize
77KB

MD5
e246b232635098d4f0fb5fa2d33b15fd

SHA1
92a900a20d5f00923cc69902409310990df6cd68

SHA256
75143874b8165e82187d430a55bb732e7eb765cc0b378c1b9da8638b091875b1

SHA512
19da2beee854d9c2d66f2556a5744ff311666f9d7d8a27e7ac5c50c9d3b3754ef37f13690df42cb0468f18d0619c35c789080415aecf3d22373fc1f3e55be2ca

Download Submit
C:\Program Files (x86)\PC Cleaner\SiteNtf.txt

Filesize
4KB

MD5
023938522a2335379044391c1b83656a

SHA1
1761b2dcadb48689c7c052393490043e050e5fea

SHA256
66aae467ef3636628b6eb4c4dc2e210990bb6440653cc3aafb7800b89a8da1ec

SHA512
0f88726ee74a9d51dfd888120d0e0dc1c66949374388ef4a394b4a2cd59056dbada68fe75929f4374b4441cfd8b8100e5edfaaa2982dba9f02d0322f1d1dd389

Download Submit
C:\Program Files (x86)\PC Cleaner\net.db

Filesize
1.4MB

MD5
690573714bfe225ebb010da07753cd61

SHA1
46dae37c65e37979677e552060c042798e82f0b5

SHA256
eb25595b66b58d4ac7980b6b159624b79a76387122f88f5ac554e7ff8fdec902

SHA512
d82a41709eac5a69e32f527c286503701b986bbdee841b66566b29a627c27e45e701c474825fbeb2e67170b82ef93868d2622d17864c107eac71e6a9dcce69ae

Download Submit
C:\Program Files (x86)\PC Cleaner\sqlite3.dll

Filesize
384KB

MD5
0ba3d073333041aff6fed9ae97e3a0a6

SHA1
f9220520c855ad64c8eb24ee35ae615953e7a0ba

SHA256
c1afac4de4e3d42cb60eb6e27ecbb6271ff5718536a35e6216248c0c93a2f700

SHA512
d8a006863ada9a0e3e619c437142e1d5d430c6505e05b8e181b0241502837a1b51e8bf877e798f0ee75f9df69b73f9862ece84286e1a0849331a9f279b1032ea

Download Submit
C:\Program Files (x86)\PC Cleaner\sqlite3.dll

Filesize
704KB

MD5
764fe1d5097cc56878164ba310130813

SHA1
c9584609b86cafbd8fcf8659012cec6012b2c0e6

SHA256
351097d69913e0d43009b250800925878d90367afbf8cf5ceb9cf15bb55b01db

SHA512
ba4cccca3d86c5efac370c6a4614e48c0abbedb4b8e00c3a39860241e11ab6fbf40671553e9f7c462f327151083dcdfc696753cfa601385470323179541a5fc0

Download Submit
C:\Program Files (x86)\PC Cleaner\sqlite3.dll

Filesize
576KB

MD5
4913e6542acfdb7424916a24ee5bcec1

SHA1
703077acbe61d1c9c89c00fcb71157538bacfaba

SHA256
c30a1c5b02aeb384d4cf7a0eb9bc1904737ec75ac97095db75b6e7b7f97f425a

SHA512
513eb88814e0c2e8452ab422696f4289d9dfa360522a7524162ff24b2b2d37fb02e625c464e003dcf9b98d1ae82b51b348345b61b836d8e259fd4a5a38920ce6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner on the Web.lnk

Filesize
1KB

MD5
b240fc21ac18ac2203561eba364077c5

SHA1
58848603dc187a1f1bf0d433b8342e791f307a95

SHA256
486376411c06e7918e5aad3d99a406dfc1ba6b6b0d13efbe93324a15e9fed2cc

SHA512
e4660dd42dba9a4d9c9b9f114b33d31be79313c2109c41b81ebf81984f806d9ba2049d498863e5f516a8c6edda18712fd170c8b8709390c496ca2464300b6bbe

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner.lnk

Filesize
1KB

MD5
4a1ff6a881286f1e29ebe059d92bc97e

SHA1
5c8b37361c06da38d3c3043416724b36beafa41f

SHA256
1bc429074a82ae6ba4027cf9b516016e1e4cc91df63221076fb5e7fad4359593

SHA512
3a67885740a5de3538e4701b6aad88fb183a39e1bf80a16b14ea879f097a351a0ce8692d84154fb3b48602d2bea4afb03fab4474eeb35b7907ed92d8fe1e65c2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\Uninstall PC Cleaner.lnk

Filesize
1KB

MD5
2ae1fd3588dacaeafdc5bdf2904818b9

SHA1
42234a0e20a1a6a6132ec78d2c08f6b6353dc4c5

SHA256
736dee52fe7095666be63db899ff3c988e9a8e43b1d2c29bf80459ea218116b1

SHA512
9956361c3ae3c8a4148bfba780dd0d846109f8030d176b86eae402cd0695cde2ad7865c39f855f74b07c1bb6dbec5076f222173432625a57355e3cb243334169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
f14b4213eeffe3867a2042240ca1288d

SHA1
42cb434026c86054c57d15a4023bc84f189de8b1

SHA256
c3fe6dd36539dfa2fd20b26baf67c7b41a4c83cd4de5918e29fe86d1c9815e45

SHA512
2b987795ca21dec11f390720a274e57e04ecd86ce4412fa69c852f0dad46b8debfdc71e2c78b4fb1eb7f54ef698193d49d62af29e8406cff05d0db98c6e5a5ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
011977f2e9e5346654c248485f46b444

SHA1
345dbbcd29cbcfc34afd0788a992dc827d314f79

SHA256
60b8e795131d8cd6b014c2a91e4f693fd5e698ee5a4515490553c22c3a21b0a2

SHA512
efa74110049ced4aaafbc0b13e88836efbefb9459d5c579ea7dd3ec21d74c270af57672757b0a52d8307246a62a341ec7b05ce8d0e13e55fbe7660bee8c70386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f4effe6475e3af4347be60af08f952bc

SHA1
e0758dd47154f559598acae7b68f247a3a6253ff

SHA256
a155da0b3f28a3d1825c7729582673a2966c639e1027175d3c9a985a5528fc9e

SHA512
086bc5274277315a5fac9ea5b46fc101151e1999b822503ff6458562e5a8036a1c4766ccd3092e0fc55259ed332764fb4755dd77876c188a51f554ea808fb9f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9b7391efda8db64c4e2aa53b84dcb701

SHA1
f7eabd1765ac518e7fca55e12777b15fe78771ca

SHA256
c09a3883c423d915ec8380b98e62e89776424403891ebd946171f04365265153

SHA512
e39170b8df3175f8a64530b95244b923fc08067e5c4aa7fa1776b8faffe65f514eaca942a09d397dbc0ee09365067d29625dcf409f93f9355559710e27a60be4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b8f4bdbe0604aa664dba659d5c1a9343

SHA1
601ddcb1223960084ccb2083c6fc33ddce8453f7

SHA256
69a6ec5308e0f6d855585f91a569f7c65e05209e25d778e4cfeb05ddd505ee40

SHA512
754a202452548feed0eb31d90ecc221470e344d50f397b3eec80ade1ccbc5a86e701f2f1e05a804388eeebcc4920cfcc3503a9a62fb3e18d9220b65d923791e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
81f417d21dfbb34bda448f0a1263ba6a

SHA1
b23a80db36b383cf7d8123eca4cb87bd63f9627a

SHA256
b4988f6dfbeac916a7651c37e278f983c6841c28c8becaa1afa82792513cf2f1

SHA512
a9fba69d23505fa11e957fc569e016f16da52adeb96ce4db0c47c87c881a076c3bfdddc7cb034009838e3b6427d15e6a2d4862822fa6959ea46241d677e6cd8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e38c50fd39e1b3bd7e92777bad40aa7f

SHA1
7081ac52accf04c322e69477f21f5232a760c63e

SHA256
8a57c4e728a7fbd5e302697a6a00eb355af721bf73ecb48d057266e7178763bc

SHA512
ab89bbedfa48be622dd4ca34705ee712c847546425c4356bc7bf35b0dbc1a2039e393ac05591e4edcb4f84377575c30a44c7f89c160664c564738caf54c28331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d7057e57f4a06aff942befe01941ea56

SHA1
f3ddf4510d410b179220c3c21f52789641294c00

SHA256
c721c6af0c09d9460390756d7371a6a643fc3dd15b64c1cde49a1df7ca154b53

SHA512
6a231f97eab72ed73a19a8b88dfa38f60e89d6ad036a8b60ca36fb206a64648583f856adbb3373f2456eef3461976a7b264c16854ceb49cc6e49981c87fb44ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f808b8fbb4582b72fd96b3871ffc096c

SHA1
f1aa332d8a0ae0a36ed40e5c7f32d5401b4f3363

SHA256
d25b696a53ab6eb9ff27436c09bbb2964c27499d71f664d515765c12a8978a34

SHA512
76f0ff74e3fe12276da79d9fd448a850106df0b407bfe02a4cddb62e8e0850ede2c9546c37d0db25536c91f27ba91fa100e6d456aa7a930fa28c1e278cdc694f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8958ff0a8ec6840374d645bb7f6719bb

SHA1
433c73c3b7b1da0a4b87113b95a0faeac3b48126

SHA256
5f0644399fef7cf78fe47854bf71b219ad5a4c409b4c1eb6730557ba6c991974

SHA512
db89b06e4badafd2070807b7752ea9319aa4c42cbd0540afef462efb61a95e5c814a740988615bdde2aebe1bac44595705b7b95d406e2a4074802130c8b3d5ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
6711ca405cd318dbd380cb42fe87181d

SHA1
267a98f852b3e68d7e02692016c152c0c83bb3a7

SHA256
f4e4a16191e2c045ca25e09059f20b337438f0a27137cccfa9aa88e2117ec63f

SHA512
864fa8c1bedb1d7404612f0a9ff90adc734fa27b4c126255213748bebf835a040a0cf9a4063d767a4337613d73814b6e3b4c22290ed043a612f5d10ab3aa00ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
2a6c8f0be648c3e561dc79af43bd3ee4

SHA1
b2aa0ef2eabef35aae6a0dccb949c1fc8c28aa6e

SHA256
43c07d550317eb8ae8523d663d717b078a71981805ed27076263333e28e11964

SHA512
2c019c11fbefe8161b9a1da95307d45bca9fcb4dbd46cf969296401bc1f5cde0373fb2809922106b90a1719fd1e9be5e91a29ccdfdac974fc55f8424c8c23f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
ab4db6b45aeeb9a2602dd2f0509288c0

SHA1
7b513bef87d78761dd26f7200190fff31f22f2ce

SHA256
cddd0af333a0442b198d50a3ba3cfb75784aff20ca6bd9d7edd2a9a2d448a7f2

SHA512
71bc8b3181ea981735ab17b9fdb52ec8044ffee6b9d0a0b0954692cb5b957b443696f7d917f91b0bd9dcd6371364d6bb3a1da543fa0b4ba6586207f10c5f72ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59457b.TMP

Filesize
98KB

MD5
50f8bcef4c101dde45f34bb9767eb0c3

SHA1
f6b156177cb08230ea5bfc47ce1a9aba56f26869

SHA256
8e37c4b2ccfad89ad9cc7e03489a515b613e2173d60999512919ad011bd6edad

SHA512
4ae9adef6688d8e6370995b2aeb1948ba7bcc1fdbe1eadd4bbe54b1539b6315d9d745261f660b4791ff3440a94e617af4e5d2e2cc6d05da9276d8b9c02ed80fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IL3JM.tmp\PC_Cleaner_setup.tmp

Filesize
3.1MB

MD5
e1efffeabf739101e96d3a2cfece74c0

SHA1
e541f100b3bf528e8624c0ba1ef4c57a312bab57

SHA256
14096802b6957f548379c56ff9a48b39b988c03355132353230295b68c38e163

SHA512
43586ac27db6e202025a5caeb7dbb67ce0695def75a57ecc262fca1bf25647d5916cac3e42aa8104d2eb981520ab74beb94ec199f74e5b3f203e66691c506ae0

Download Submit
C:\Users\Admin\AppData\Roaming\PC Cleaner\Log\Tasks.log

Filesize
645B

MD5
c52ce90ebf27532856b89d00d83f7986

SHA1
f5aad240732fb373ef632487f9fcb30d8b45322c

SHA256
93720c7fd0960c861136a8d52b3d2d1333189b9ff34b3aa001e1b8aa2af38d80

SHA512
08c39c9091101dbf4f4f10b4fb9caf5b10311e10bccc09988a6761c0e44085961c3de34a3aed06eea0a75f0106f8bda10e117c317de0a6d248c4277fb47a3db8

Download Submit
C:\Users\Admin\Desktop\PC Cleaner.lnk

Filesize
1KB

MD5
828790a3346ec0a39e350940c5435418

SHA1
90baf4d0e81bd99661a0d698df244263cd38c0d0

SHA256
40eabe8970b3b17a656ef98a645eec651c756c5b51651ef4427a80060e49f0e6

SHA512
fe5344939e46f2cc8576ec9c11b8e5c023b5321f59091ffaeab77eb2b1360604ecc0649aff9b7967061c514414bca07b1372b74962745bdda927c3a7d2707b8f

Download Submit
memory/944-111-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/944-165-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/944-485-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-177-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-173-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-170-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/944-377-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-341-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-168-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-190-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-354-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-164-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/944-363-0x0000000000400000-0x0000000000E1D000-memory.dmp

Filesize
10.1MB

Download
memory/1936-95-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1936-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1936-110-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3840-106-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3840-5-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3840-102-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4512-163-0x0000000061E00000-0x0000000061EBE000-memory.dmp

Filesize
760KB

Download
memory/4512-109-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/4512-162-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/4512-375-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/4512-339-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download
memory/4512-188-0x0000000000400000-0x00000000008E7000-memory.dmp

Filesize
4.9MB

Download