80628c3bf2a36c061210b3b3098309ccd74c12778906ab75734acefa22af21de

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner-Professional/ccsetup625_pro.exe
Size

74.5MB
MD5

dd1c07c23f43164a71d525f23cfea8db
SHA1

97ab99a14636e2b9920fe1bb1868fcbda3094fc0
SHA256

193890704894e4aa1c8112aea01c425fc027653c10d8157f0356395a63aaf74c
SHA512

72ff71268e40695aaf8783840cd532bdddedc0da11279ffbac7bc55fbcc96765d29f7dc830763516318cf5577dfa8ad1d04edc3a2a76b0c9003d50238d3c49fd
SSDEEP

1572864:yvBn7XWXQfAiSulWSqsLnSp/o9QjdQHdK5k7QDi8iB05xJHQoT6cwgS5m7mtyp:yvBnDWAfAiSulxfnCo9L9KcQO/C5Xp6p

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	CCleaner64.exe

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ccsetup625_pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	ccsetup625_pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup625_pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.90dde3fb-90fe-4f9c-a579-d05efa111225	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\libwaapi.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\libwautils.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup625_pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Setup\1609c9c5-e7ce-4e8b-8785-2eb56ac0014b.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1028.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup625_pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\libwavmodapi.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Setup\e29d545e-f819-4d6b-8b01-cc54f2da9bef.ini	CCUpdate.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log.tmp.fd5e67f4-0e31-4bc8-93cf-165a3043c462	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdEng.log.tmp.0476d092-733a-4551-8947-9f33741ab983	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup625_pro.exe
File opened for modification	C:\Program Files\CCleaner\gcapi_17215882281208.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_64.exe	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup625_pro.exe
File created	C:\Program Files\CCleaner\Setup\d5dcf849-3327-49cb-8c6b-73d3756f0971.dll	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Data\usercfg.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup625_pro.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe

Executes dropped EXE 5 IoCs

pid	Process
2432	CCleaner64.exe
3912	CCUpdate.exe
4936	CCUpdate.exe
1208	CCleaner64.exe
2496	CCleaner64.exe

Loads dropped DLL 19 IoCs

pid	Process
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
4936	CCUpdate.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
2496	CCleaner64.exe
2496	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe

Embeds OpenSSL 3 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x00070000000234ef-10.dat	embeds_openssl
behavioral1/files/0x0008000000023516-181.dat	embeds_openssl
behavioral1/files/0x000700000002355e-401.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup625_pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup625_pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup625_pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup625_pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup625_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup625_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup625_pro.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "fa52a0cf-c2f9-4a29-bc0c-89df40ba28ca"	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAipuYxUlFOE2TtYg6C3vG/QQAAAACAAAAAAAQZgAAAAEAACAAAABOmb0vcDli5Y8UyioZfvpAJeH80EnsqaxXZ1kBGR55+gAAAAAOgAAAAAIAACAAAABkclYJTH4o72QWdCI2IgHrc2Phz2kcwhePzef+9QsvsjAAAAB/zFeqP2ep0JecAIMBcfmfPr3nqJlzIZenM0PvPG6rSw5DQrnEAmCm5SVBWSZkDqBAAAAA437CaFjfrSFTJdYf4MeuDx8hButjfv/G2UTQJ3uj/pLukOSzTffR5oxo2XF8v/6Jrp3ahChAib2W4Zcgw09Oww=="	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\SOFTWARE\Piriform	ccsetup625_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\SOFTWARE	ccsetup625_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367"	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup625_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Software\Piriform\CCleaner	ccsetup625_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup625_pro.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1208	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
3244	ccsetup625_pro.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
2432	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe
1208	CCleaner64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3244	ccsetup625_pro.exe
Token: SeDebugPrivilege	2432	CCleaner64.exe
Token: SeDebugPrivilege	1208	CCleaner64.exe
Token: SeDebugPrivilege	2496	CCleaner64.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1208	CCleaner64.exe
1208	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 2432	3244	ccsetup625_pro.exe	106
PID 3244 wrote to memory of 2432	3244	ccsetup625_pro.exe	106
PID 3244 wrote to memory of 3912	3244	ccsetup625_pro.exe	108
PID 3244 wrote to memory of 3912	3244	ccsetup625_pro.exe	108
PID 3244 wrote to memory of 3912	3244	ccsetup625_pro.exe	108
PID 3912 wrote to memory of 4936	3912	CCUpdate.exe	110
PID 3912 wrote to memory of 4936	3912	CCUpdate.exe	110
PID 3912 wrote to memory of 4936	3912	CCUpdate.exe	110
PID 3244 wrote to memory of 4772	3244	ccsetup625_pro.exe	111
PID 3244 wrote to memory of 4772	3244	ccsetup625_pro.exe	111
PID 3244 wrote to memory of 1208	3244	ccsetup625_pro.exe	112
PID 3244 wrote to memory of 1208	3244	ccsetup625_pro.exe	112
PID 4772 wrote to memory of 1616	4772	msedge.exe	113
PID 4772 wrote to memory of 1616	4772	msedge.exe	113
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 920	4772	msedge.exe	114
PID 4772 wrote to memory of 4760	4772	msedge.exe	115
PID 4772 wrote to memory of 4760	4772	msedge.exe	115
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116
PID 4772 wrote to memory of 3880	4772	msedge.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner-Professional\ccsetup625_pro.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner-Professional\ccsetup625_pro.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Drops file in Program Files directory
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Program Files\CCleaner\CCUpdate.exe
  "C:\Program Files\CCleaner\CCUpdate.exe" /reg
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Program Files\CCleaner\CCUpdate.exe
    CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\d5dcf849-3327-49cb-8c6b-73d3756f0971.dll"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=2&a=3
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc7e1d46f8,0x7ffc7e1d4708,0x7ffc7e1d4718
    3⤵
    PID:1616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:2396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
    3⤵
    PID:3408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:3636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13582132784815809099,8565320788033247703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
    3⤵
    PID:2800
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Checks system information in the registry
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1208
- - C:\Program Files\CCleaner\CCleaner64.exe
    "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
    3⤵
    PID:5892
- - C:\Program Files\CCleaner\wa_3rd_party_host_32.exe
    --pid=1208
    3⤵
    PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe

Filesize
697KB

MD5
0f0b90a01f049665ca511335f9f0bf2e

SHA1
baf4016e50050b24925437864bfb3c19d0baa901

SHA256
4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be

SHA512
44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
37.6MB

MD5
6068830154e280bb0c0ca87e57533425

SHA1
94e5cab7e49fb04ec30ff75b6e3bc4fcea9e792d

SHA256
492d4f36465829ece536dbd06aa7010b1d4c0270db158242d296ed6e73a4b696

SHA512
990ccda1b69c7a0d3bb43dc3bdf6bb518deb02197395b661b332e55d64cdbf4a740fbab830773c22e4b1afc6d357ee4be12e7ab9a6916f15386bd45c9e68df73

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
43.5MB

MD5
b99fdded16b8127d5be4226b45c5320d

SHA1
9816592bd17aaba0fe4919d98128825895a79a41

SHA256
880064ede08f253865a51ae23e528fcaa31469e39fa7fc29a025a2ee485c7bac

SHA512
91b1b3a2a55c3f1b3200d4aa6658b62febc9569063076261c17f71f5c091652bf4b112c5342df8c183e586b9eaf1f20d3995ceab5856612ee5d3db5d9d8316aa

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll

Filesize
13.1MB

MD5
a98691a5ae8d27770872ffe492f8864d

SHA1
b3262af1d14eb8d025e14fcc6a857eaee26adb19

SHA256
574296f0462392a46f953f9d126eed3c85c6ec33e403ef814193bc6a54262883

SHA512
888b7a264de28a9a2493a7b751490171f7a8fa3bbd38929f43e2c1e12351303768be0bb783ac72c5830979aeb113ec800ce4b9111efcfe40d3bb20b18c735bba

Download Submit
C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll

Filesize
12.8MB

MD5
d7553366da2d53c6bf9e6fa5d800891d

SHA1
11327d7c008570e0d9feeb0c6472cead646170ce

SHA256
447dd080abd3db5e6e77bba9ba63326d2b240f76c3d1d39dab662f629ddf4af0

SHA512
52912e18ab94c8e82056749a55b5dbec5b7bc81a0e1ed4ca6de06ffa185c857e83aaf47c2e4f0baa3120b7743faf32e700070ebcd64ecbf78cb178d9afdda7de

Download Submit
C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe

Filesize
1.0MB

MD5
88524bee3b4548c4bf611e5337d52567

SHA1
ec2f94de8385eb63313c40c11911c8e2f88e18ac

SHA256
1accad967f9190591f9bca01f1b446e2a7e0c7b9063610ef75273b7405cd852d

SHA512
8c1fdaec9b9b2c825e19ecdad45cba2987ffff25fe643b3b0415139fedfd2d82e347a5a1770d5b24640653137c62b87e11bcbccb1f6becf449975e79372b783f

Download Submit
C:\Program Files\CCleaner\CCleanerReactivator.dll

Filesize
2.2MB

MD5
44e8e3b4418f8f61810370b92855e37c

SHA1
5bbee4ff4cfa0e9a40257c72f525c23b0888343f

SHA256
3fe7dd1178f4ad700f9258146a5cddcedd8558e999d67f82a69b98783b0da504

SHA512
e45f6085e5ade0424cd6ce0b9af6f20878988bee90f7a865aa4873a595b736b01e98a38137d6337c7dd0abbf7d0af47377a29af1eedaba1f06571546361947c8

Download Submit
C:\Program Files\CCleaner\CCleanerReactivator.exe

Filesize
188KB

MD5
ba28d231f17a9effbfd7138096bd7062

SHA1
fb970b00eb5fce4eba4a66db5bdb98d684523c60

SHA256
d787e84b930de660a48cd1686e92ebc4abd99e79cd884b25d7d35027e6bb8451

SHA512
cf1f39e8c80188d70ae2d6d8538eebfe7ce1ffeae04921cb93251da97cff0249d4d94a1ac7526dda44eb390f04e0463f52dcd13a0a6d3078285bb0791ea5f8aa

Download Submit
C:\Program Files\CCleaner\Setup\1609c9c5-e7ce-4e8b-8785-2eb56ac0014b.xml

Filesize
823B

MD5
dd26355e1db338c5ae3efb13da165aec

SHA1
0569d7b0955ff15ec82cd62236e32d5444e450b4

SHA256
8f7008b95f0f46f310ab0e5653c1056545340153838db971e276f08606a09326

SHA512
a4f658b6985c0a3325e552dc893a706b2fdfcf519eddb6ab87e0c17d11d53619835cd7960c689fa4cd7ddd435f669714252d3ca553e3f74bb77d74262e215a62

Download Submit
C:\Program Files\CCleaner\Setup\config.def

Filesize
27B

MD5
05927e894c81eb42c3b4dae5a5a6c937

SHA1
7ec0660aac7c3396599447a49f30ba18e1f0db49

SHA256
09c65b39bc891e12956ab7bb30fae147ef7c8fa37542b6f040613436b566e7f8

SHA512
c06e2788952a3550597f5b539cf8f5cf7a569e33192951bc8ce97d4570bd4ba35abce99586f309f3e1cffe6f1d83aee98b79c0c26503ef4cd4d1fbfb40e1ba4e

Download Submit
C:\Program Files\CCleaner\Setup\d5dcf849-3327-49cb-8c6b-73d3756f0971.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\e29d545e-f819-4d6b-8b01-cc54f2da9bef.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
c82c46fa12b2bfd78e6383061856def2

SHA1
28d92e285b68edc8a0b90aed76bb5cf7fe369d59

SHA256
ecab2f53c13600a6057af6e6388b08c1dd1cb98f8cd27429329a3d3028ce0c22

SHA512
2f797ec1ca070fb3ca79e28d288590f019fbfa83c2aa480778499f1c91f0e3d890190a1882d363b695c1aa804ac7d10edfbecb72d8558b310d65c6d976abfa20

Download Submit
C:\Program Files\CCleaner\gcapi_17215882281208.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\libwaapi.dll

Filesize
1.0MB

MD5
55e8abc2e2a985bfcf63b31fcb616798

SHA1
1515621393b52ae31c697422c3410d9738d58ad6

SHA256
0e5c4afb2fd25f3b0843c1f982d5f1314040ec5446d3587888743e6e5825ef31

SHA512
a0e8ea08b458a791455846b8a38f4576e9d88040dc4240eaf76253d100212f24c3fad76963ea26edfc3dc634ac83cb0151254e64bdaedeb943dbd12d8cbd6e1f

Download Submit
C:\Program Files\CCleaner\libwaheap.dll

Filesize
100KB

MD5
17b24cd98ab8714abfb1847aab4bcc38

SHA1
e3c8a2ea624e9e4739e951f27e8fe0748511c420

SHA256
532fd260954d47eb1364ea4e79f313b56f4b440a17f32519dcedeb7c91276705

SHA512
29ae5c1d51699e1fd11e0c8d14f5d8b0e56dc973b6b39834c1892014d6a512872e8d9331d9553f3c2ff31dac51dc3b7df7d4df0bee3cb76db84d2bbe9af1a29f

Download Submit
C:\Program Files\CCleaner\libwautils.dll

Filesize
3.4MB

MD5
13c520abb15829477f295cc8c11b5889

SHA1
e23f9aa51e65fe6d9b30362774a5b9ba36ffc10a

SHA256
f2aad2ac13e4fdc8bc1031f85928d5e00f4ea62c81ca57aefe3833a86e85a559

SHA512
76e202b72f9b64e45b39b7e22b69c60ea55bfac51ed45380676064f6314039cd1e761eafe367e2b7246b1ebf933a0066843f5f6666e3cf0d27e63f60c19031f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
c2cbaa051cb26369c431b787384b092c

SHA1
a524a5e8223e1efc93296a4446dae12f1f3da35b

SHA256
52f7d139f1a90b09a5d98d8dd01a7c5a38073b5e40b44f4a5e83236ec0d8369a

SHA512
1e4c225deabc9756cb32df7b312985f7681e1cf7e77ff52fed5b7896f1607d150848ed7fc75a78d33c8b9c7a54a5b97764b2cf60fe0907d660a899d8816309c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7137491880316DE4BCB5778DF26B80B9_C4602243A2F41B67C79EF7120684DE14

Filesize
471B

MD5
cb9cec5d5ac44c0d2d3e045fdb13887e

SHA1
b706e375bb2191057fde5ecf42deef39ae248efb

SHA256
d4c626eba2b4b4282ea98501a9dde6b4cd9d9c0aa7bc11f50d163c823041b9fa

SHA512
06c911cb2f787c4665c75df98b42afd032425073c85d71e5906e88cac190a4a50f5331d5a1d93a054b8b43233434778a2142c367a801544b202e8a0ef64494e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
834b95ca3c6a37758a00a5930b4c4764

SHA1
6851b70b50271e1573d242d6c9f05bd516c5d4c5

SHA256
67152c9f044c6f1ae50d7a1caf6a50bf10dba098739fed5666c6413d4f04ba70

SHA512
50b61ce58b643efb2efcd8afce77875e74a7f11ddcfb2cfa55d8f00e3c022fda2b9c66e807599d1afe6189266df74924295437cac086e0d5ac80cb3538f1c4d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
47022a7575e320876ec2a4879e8c9de0

SHA1
a3cad5cd128ad232ac2f1f6f0f733163b92d553d

SHA256
eafa12b3183d4747247f58bdcd9638569eb13542805781ac828ec0a8d52b4894

SHA512
167d86308b58b3d7bb75d154fc43be87e244d4b6cc537d6a9eed29e2578b91250caa38567e42dab21d78d6b3d3d6651cf56bac6573c155846ca8fd55779c79a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
1313d32d0926f74bcfe635433276f058

SHA1
719d52813a4fc19c697fca2b52c6cb46aef84a0d

SHA256
e036e2afbf698d6639497e04eeede5c82a6a8e2b48567cda9ce283eba3ebf1c5

SHA512
6e1caeb6b08374b70765e6e8058e1e6c219340078a1d7385791807b165b8e39fca67b9bcc1f698d5c6e9129c51b1bb81be5ca807741b0c6294cac5e88c1dff6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
fc7db4bec3a3198ddaef842b8dd8bd97

SHA1
415d6b7a6bdf4fa0d047403f4f54eef68a83f8f2

SHA256
4cd0ef71202b8e787beda0c7532bd788e70419b38ca836dbc7b82553ca142474

SHA512
97634e8572e868dd5cc8c585985175566fe34a6b51b44d31a5a2a73b3a5157806e1af5fed353339d5ada4b8cb6e9c1abf0e48883edf1bffb120b1aba197fbb2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7cd5a3c0de9bc0d18b9c56b036ccb3e6

SHA1
92f665f9ea92a905f0f5791cd4c91564a3c279d3

SHA256
5cd39e56f9f239e55a065c763ce759cfa14775c4127bdcc887c6f13b6d3ae4e8

SHA512
775b0e4dc42d42eab4285470dcf7e384b5d6996218f5c8302b1b353a11ec3f6a0aa86242c6b3bd6f3d50cbee2b22a59ff6b65471ac18fc993c4dbe4705dc4729

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7137491880316DE4BCB5778DF26B80B9_C4602243A2F41B67C79EF7120684DE14

Filesize
410B

MD5
6a9c55a35b99af99965d8e4c5eaab781

SHA1
5010b11ab7406d88952f559ca2d1b2878209f581

SHA256
7769709e349997e86e056034b36f2dcf3b0773620d35bab6a54bb61b6763d400

SHA512
7cb4e78c89b650006ced6da1743b7461ba0b926acca8b892319e898dffb2422227dd97b9db3da4ad5301763b45091cab1ae5346913c8fe2ea3520de8ddb515db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
bb8921ba453b5c3a0d9386ed44262059

SHA1
3ecc3f88c98cd951d84fb7493492e78a1bfac9b6

SHA256
a9fc4978953ae67499498df0d7e40b282a7733e32022d9d65d41d1d9a82e2037

SHA512
2caf97c9235962ad331e822ff005f6283f0dc0061c0699f5630c32a44092c7515d7df581786ef2336b6e4bf2f0e671b9563d4f71ad2e4ca842a0f171064318a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
5fec68dd5c07cc25215bf5f09b8928d6

SHA1
2a614ccab065bec194b3135b6a176b00ce176192

SHA256
8e49d85d7f5684b89f74916e482c18bcb76df173ddba0a83bd5623bcfee4e336

SHA512
5be32a544a051112970c7feacbeaa9ff48c6de6a4adfda5f27d8e94b3a5e90dbb58910ab219b28d0d9cf221aaefaace5fb6fe4f2325bbc82bf34486681aed5e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b28ef7d9f6d74f055cc49876767c886c

SHA1
d6b3267f36c340979f8fc3e012fdd02c468740bf

SHA256
fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

SHA512
491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
584971c8ba88c824fd51a05dddb45a98

SHA1
b7c9489b4427652a9cdd754d1c1b6ac4034be421

SHA256
e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

SHA512
5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cf1763ffc98c0be5e60c1949a69d7f35

SHA1
d4f66d3bbb7355870a64dc9c42175e3531c05f48

SHA256
e0fecb34193f929f68a9e7b07bd52bba042352a47a4e8e8959155e032b9cba3c

SHA512
c608668c9119658ef9240ae18378c188d831df7550e1109dc67a8a8273438f9ed548686a65c39391bf4fa9f8e43781244873b49b052603e52332266c9bdb2da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a1c4a461443aa5bae66fdabfcf9520a3

SHA1
b60950d533fb4c588f1f5a021e6d38538ac0a58b

SHA256
ee4f80037a89598231f57f69a6ef6cabe24f56d315f9bb09ea31c1dd51eee768

SHA512
12882bb513c97feda0091de174971bb5444a5d05a979bae81d7a586ea9aa0d75d219c9dbfd01139c683882d536b67018bfb61e0bccd762141e601e4729adf2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0552482da654908dc9a586fdcd89c1d0

SHA1
8debf68b8da23ad28810b9fedd747a076b64e5c1

SHA256
4ffc1ad897ef1f09d55c70b2921fb4bade7d6d0930bafe61117b3e2c4e19980b

SHA512
a559e66562e229a21041ef1b25b995a64a8544c67561c0da318fa5a27b3eac087bba9c9cb0c2297aa1e8f0113feef6f8d26cbeefdced1b81e49e93b145fd9b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A4F1OTIC\6942H76B.txt

Filesize
1KB

MD5
51c8af6bf123de818b2a71f0b5c48a23

SHA1
4707128bcc9400d50dca3ce56389e1bf526b3c93

SHA256
c51914a685aa8e7de59eae7f593764eb25d2d26430a1b1df3ab3fce8a7aec702

SHA512
e97ef3d894e5fd0299d0bc49e6c064343a8b6e1e2934fad11c5cab1986e37971ccc7d0c6d70a3d77157a9979d8cc2954b3cdfca9cea66c1f98224b88dd4445b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
0cb9e6512ad6d34b43da3593416b91b7

SHA1
41c493a46b32bb6ff5a9faa6ac75b89cfa2a520a

SHA256
c76ada4987409d4c849bc6867bf2fcb1c0b21dbc7aabe317e8026446cc27fa16

SHA512
12be735a03a8e3b80ece8ab4195f041fa78ce2605a73333ab653d6dab2ada6665609db3eb75535db98fa23f35864184f2556b43fb5a9b960d37a69e85a613382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
757292d4bcd831234bbaeab7542eef6d

SHA1
8eb3cb0dc74e49b6466b116de30efb360c6daac7

SHA256
6ce8265244b1f65a72377ac0bd1fe18c870c8342366be4bfccd726691383d7d4

SHA512
48003b07dc261719c34420f9b49cf31edc29622129bd1e3290fcda029c0cac1c4a554d9f836f706306b2cf8d8b62b4f1a724aa3193a0508a843728fbe806526c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
fd6ccfe5a79ddc128d791ac6fcb80294

SHA1
93ffcdce68ce3f41971d094051ba8f96a075e28c

SHA256
9993ad9c2ff7c2e79865820a12e543e920ca66fc3f5a59ee73a7ec402fa0f97d

SHA512
c11940ad9e647bb1ee027f09aea721c6ba9199bec0b0aa40cefeced10de3d7f7f15fbd99d1f030f596ddbd67c25ff3bae02400f626ac9d05ba29435b23b58432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
1266ff790d5e7019a6bdbb7e94f9eae8

SHA1
65bbee02be2a169308e77b5361720cef6a0fdb50

SHA256
6259dac169556e948146a0ea5d73c7d0ec5cb69824cbb8f8ec3b0f839115c86a

SHA512
342216e9baa421128321f1fcb7d514ba36dee2d1a1a2e26857f41b9d997eff6123724a5a633a7197e4ae88014103251a9a58a6598cdbf56d836b6fc4f629634c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
b94bf4a73aeb7f4ea45e71f336a83d07

SHA1
384cf224e4df23ed194d456461bc1c854db98ec9

SHA256
2a1e1457562d1e33cdc01035b0c329ef7c6ed4f645e1bc846d3e2a77bbda14f4

SHA512
29f398c07a80725ba4e0695b954dd7c55f8a30f0065534200e2293f2af7ca0e5afba6a261ca67032db520fc0d983c11e0550b6e752c1bb0c05140c05d585da0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
88d359457eac2e38f80ea036f2daed20

SHA1
779395efc2eeabb7a1feb0b6b6c5d1ff54a87604

SHA256
8ce3e355b27eed24b4e5b3ad4b4daa048e43af586e1173f6f9e3b40993c0cdb5

SHA512
2eac88b8ebd3793de34c9e3160c038282ea4a9b81f8c9b45464a07e4c05f24bb9d081029e7e9473708afa3401ea6fed603120e14b309cd76f2a580cdaa34ad67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5jxwylbc.cvk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswa46966aba1215437.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\modern-wizard.bmp

Filesize
150KB

MD5
8bd95fbd159e00b9823fe8d60ccf9b50

SHA1
c55e1a485062efcae2ac4d4aa43172a0d8dc9413

SHA256
6ef238fafc028ba028eacbff28bcc670cd7213df9318f99f619ac3e2988d16f3

SHA512
1bbf9d41d3180cfddb99e300142b619ddbc225a099a43e8755aecb44000a4248a7606d04bbea3c1e65143fc488c40d30fcf9bdd418174bd821247b932977f86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiC19C.tmp\p\pfBL.dll

Filesize
13.5MB

MD5
db9217d1edf86f2fa5a21fa8c2a9de52

SHA1
ec21ad34fbe0647cd921a81e306b56bcbde01417

SHA256
0be5a234aa9d63afe5157746182f5d5fce3f8892b625657856aaebf35c34628f

SHA512
da799b055c0358f3cebc5a66714fabace366f3e30a05b75b1e459edc18c1bf147792c92403525fdc4ce89e45ce7e7445564b6b581a867cb16628e205ff7ecf18

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job

Filesize
666B

MD5
17d8ab3a1e1aedfd7974aecc9ebf59d8

SHA1
cba46721f0df02ccfd6d55b535e8dbfa8e337483

SHA256
49e248a36977a52e176d4fda3ad612278eddd60a78242c67d113d8d2c03b7dde

SHA512
07332f3293f1e65a7ad0df441e33df787d59d71655da7a3be5d843e4ecdbe566e0f451c9c63f1bfcab20b4cc3ff5607afd4b027940b759cea6ca8388279601ec

Download Submit
memory/1208-421-0x0000017B1C700000-0x0000017B1C710000-memory.dmp

Filesize
64KB

Download
memory/1208-445-0x0000017B278F0000-0x0000017B278F8000-memory.dmp

Filesize
32KB

Download
memory/1208-478-0x0000017B27780000-0x0000017B27781000-memory.dmp

Filesize
4KB

Download
memory/1208-447-0x0000017B27970000-0x0000017B27978000-memory.dmp

Filesize
32KB

Download
memory/1208-427-0x0000017B1F2C0000-0x0000017B1F2D0000-memory.dmp

Filesize
64KB

Download
memory/1208-471-0x0000017B278B0000-0x0000017B278B8000-memory.dmp

Filesize
32KB

Download
memory/1208-448-0x0000017B277D0000-0x0000017B277D8000-memory.dmp

Filesize
32KB

Download
memory/1208-449-0x0000017B277C0000-0x0000017B277C1000-memory.dmp

Filesize
4KB

Download
memory/1208-451-0x0000017B277D0000-0x0000017B277D8000-memory.dmp

Filesize
32KB

Download
memory/1208-474-0x0000017B277C0000-0x0000017B277C1000-memory.dmp

Filesize
4KB

Download
memory/1208-454-0x0000017B277C0000-0x0000017B277C8000-memory.dmp

Filesize
32KB

Download
memory/1208-457-0x0000017B27780000-0x0000017B27781000-memory.dmp

Filesize
4KB

Download
memory/1208-469-0x0000017B27870000-0x0000017B27878000-memory.dmp

Filesize
32KB

Download
memory/2432-182-0x00007FFC1C170000-0x00007FFC1C171000-memory.dmp

Filesize
4KB

Download
memory/2432-174-0x00007FFC1C6F0000-0x00007FFC1C6F1000-memory.dmp

Filesize
4KB

Download
memory/2432-179-0x00007FFC1C790000-0x00007FFC1C791000-memory.dmp

Filesize
4KB

Download
memory/2432-178-0x00007FFC1C720000-0x00007FFC1C721000-memory.dmp

Filesize
4KB

Download
memory/2432-177-0x00007FFC1C760000-0x00007FFC1C761000-memory.dmp

Filesize
4KB

Download
memory/2432-176-0x00007FFC1C710000-0x00007FFC1C711000-memory.dmp

Filesize
4KB

Download
memory/2432-175-0x00007FFC1C700000-0x00007FFC1C701000-memory.dmp

Filesize
4KB

Download
memory/2432-180-0x00007FFC1C730000-0x00007FFC1C731000-memory.dmp

Filesize
4KB

Download
memory/5712-713-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/5712-718-0x0000000006BD0000-0x0000000006C66000-memory.dmp

Filesize
600KB

Download
memory/5712-714-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download
memory/5712-702-0x0000000005DA0000-0x0000000005DAA000-memory.dmp

Filesize
40KB

Download
memory/5712-715-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/5712-716-0x0000000006480000-0x00000000064B6000-memory.dmp

Filesize
216KB

Download
memory/5712-717-0x00000000071B0000-0x000000000782A000-memory.dmp

Filesize
6.5MB

Download
memory/5712-703-0x0000000006500000-0x0000000006B28000-memory.dmp

Filesize
6.2MB

Download
memory/5712-719-0x00000000063E0000-0x0000000006402000-memory.dmp

Filesize
136KB

Download
memory/5712-722-0x0000000006C70000-0x0000000006CBA000-memory.dmp

Filesize
296KB

Download
memory/5712-723-0x0000000008390000-0x00000000086E4000-memory.dmp

Filesize
3.3MB

Download
memory/5712-721-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/5712-720-0x0000000007DE0000-0x0000000008384000-memory.dmp

Filesize
5.6MB

Download
memory/5712-724-0x0000000007CD0000-0x0000000007CF2000-memory.dmp

Filesize
136KB

Download
memory/5712-725-0x0000000008740000-0x000000000878C000-memory.dmp

Filesize
304KB

Download