Malware Analysis Report

2024-11-16 12:51

Sample ID: 240809-xq5gpavarq
Target: https://soft98.ir/software/optimization/212-ccleaner.html
Tags: bootkit credential_access defense_evasion discovery exploit persistence spyware stealer
Score: 9/10


Analysis Overview

Threat Level: Likely malicious

The file https://soft98.ir/software/optimization/212-ccleaner.html was found to be: Likely malicious.

Malicious Activity Summary

Credentials from Password Stores: Credentials from Web Browsers

Possible privilege escalation attempt

Drops file in Drivers directory

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection

Executes dropped EXE

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Checks installed software on the system

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Checks system information in the registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Views/modifies file attributes

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported: 2024-08-09 19:04

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-09 19:04

Reported: 2024-08-09 19:21

Platform: win11-20240802-en

Max time kernel: 623s

Max time network: 1036s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://soft98.ir/software/optimization/212-ccleaner.html"

Signatures

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A
File opened for modification | C:\Windows\System32\drivers\msisadrv.sys | C:\Windows\system32\DrvInst.exe | N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\ab6d359c4cdd6b94_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appvlp.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoev.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msotd.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\powerpnt.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\winword.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msotd.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appvlp.exe\710eccaedf4af036_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appvlp.exe\710eccaedf4af036_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msotd.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msotd.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\msotd.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appvlp.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appvlp.exe\710eccaedf4af036_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\client\\appvlp.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msotd.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\onenote.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\ab6d359c4cdd6b94_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoev.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoev.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoev.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\msoev.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoev.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe\b6cf088aaed5f530_PD\Debugger = "\"C:\\Program Files\\CCleaner\\CCleanerReactivator.exe\"" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe\UseFilter = "1" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\b6cf088aaed5f530_PD | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\excel.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe\b6cf088aaed5f530_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\office16\\setlang.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\ab6d359c4cdd6b94_PD\FilterFullPath = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msoxmled.exe" | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Patch 64bit\Patch.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Patch 64bit\Patch.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleaner64.exe | N/A
N/A | N/A | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR" | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR" | C:\Program Files\CCleaner\CCleaner64.exe | N/A

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Avast Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\Speedup | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avast Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\Speedup | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\SOFTWARE\Avira\AntiVirus | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\avira\launcher\ | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\avira\launcher\ | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avast Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Avast Software\Avast | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\SOFTWARE\Avira\AntiVirus | C:\Program Files\CCleaner\CCleaner64.exe | N/A

Checks installed software on the system

discovery

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCUpdate.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCUpdate.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Program Files\CCleaner\CCleaner64.exe | N/A

Checks system information in the registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files\CCleaner\CCleaner64.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\CCleaner\CCleaner64.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_4930e9ac235a7d97\cpu.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET1888.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET1899.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\RtNicProp64.dll | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ich9core.inf_amd64_11099e449d0dade9\ich9core.cat | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET189A.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_84ea762c0a90c362\mshdc.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5}\tstamd64.cat | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5}\cdrom.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_970e40f68a7583a1\tstamd64.cat | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c}\ich9core.cat | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_1493e724f07f9b39\vhdmp.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c}\SETAFD.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ich9core.inf_amd64_11099e449d0dade9\ich9core.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\Netrtl64.inf | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_b9219faf432b1e25\cdrom.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | \??\c:\windows\system32\driverstore\filerepository\cdrom.inf_amd64_970e40f68a7583a1\cdrom.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c}\SETAFC.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c}\SETAFC.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET189B.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_e61357c1a331ecc4\hdaudio.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_3bf6c0d173eb26c6\swenum.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5}\SET928.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c}\ich9core.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5}\SET927.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5}\SET928.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_970e40f68a7583a1\cdrom.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_5653ba7de4b18c6f\monitor.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_46a68184927df9e8\disk.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c}\SETAFD.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5}\SET927.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{8fda17e9-f2a1-364a-8abd-8c2cf91163c5} | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET1888.tmp | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_585900615f764770\usbport.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_0a89aff902a5c3a9\umbus.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_429878ca49a21d99\pci.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\ich9core.inf_amd64_11099e449d0dade9\ich9core.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | \??\c:\windows\system32\driverstore\filerepository\ich9core.inf_amd64_11099e449d0dade9\ich9core.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_702fdf2336d2162d\input.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_1facf5c0b549e8ff\acpi.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET1899.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET189A.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\Rtnic64.sys | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\SET189B.tmp | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{bacf555e-d14a-6c42-91fd-734ed856878c} | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF | C:\Program Files\CCleaner\CCleaner64.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_970e40f68a7583a1\cdrom.inf | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\System32\DriverStore\Temp\{c08c6870-3348-d345-88d3-24f1dafaef8c}\netrtl64.cat | C:\Windows\system32\DrvInst.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CCleaner\Data\package_download\c159b16b2d5bcacea4edce02720f3e2fb1220bfc.sig C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\853c8e15e9910004b3aedff1cf9474b5b42f363c.sig.part C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1055.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1062.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\CCleanerDU.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\gcapi_17232307106712.dll C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\su_telemetry.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Data\DownloadJobs\036f52b8-40a3-444e-83f0-1c4774ce73bf.winhttp_job C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1041.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1044.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1155.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\wa_3rd_party_host_32.exe C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\su_adapter.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-5146.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-9999.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Setup\ad494186-1679-4f5e-a9bd-9602437ce2c0.xml C:\Program Files\CCleaner\CCUpdate.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\su_controller.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\CCUpdate.exe C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1043.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1067.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8.zip.part C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1087.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\libwaresource.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\def438d0-cc94-452e-80c4-f8a33101a96e C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\df2052ab846c543608316e16ec18ed5eb296f4fe C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1028.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1045.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1071.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\DownloadJobs\4131631f-2c2e-4d92-a359-53a3811d5f57.winhttp_job C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\ca7ace8e-151e-467a-b450-bf531b17cbe5 C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\c159b16b2d5bcacea4edce02720f3e2fb1220bfc.sig.part C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1027.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1061.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1104.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\LOG\DriverUpdEngTask.log.tmp.497d86ee-7987-4264-a77f-4cf639dcfb94 C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\DriverUpdEngTask.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\44ED97C8-2D40-4A50-913D-673F6858B9AF C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\ca7ace8e-151e-467a-b450-bf531b17cbe5 C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1029.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1036.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1037.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1048.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1030.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1038.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1065.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\df2052ab846c543608316e16ec18ed5eb296f4fe.zip.part C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\event_manager.log C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\StateHistory\DUState 2024-08-09 19-12-03-244.dat C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\LOG\pd.log C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8 C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1052.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1058.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-2052.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\LOG\su_controller.log.tmp.6deedbf0-44ea-4e86-bf7d-c7e418e6549a C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1034.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1059.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
File created C:\Program Files\CCleaner\LOG\su_adapter.log.tmp.38411870-bf06-43de-8353-89b82afd1ad4 C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8\tstamd64.cat C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Data\StateHistory\DUState 2024-08-09 19-14-41-474.dat C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9.zip C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Program Files\CCleaner\Lang\lang-1046.dll C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\security\logs\scesetup.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Panther\setupact.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00006.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000C.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000F.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Tasks\CCleanerCrashReporting.job C:\Program Files\CCleaner\CCleaner64.exe N/A
File created C:\Windows\Tasks\CCleanerCrashReporting.job C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\setupact.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Debug\sammui.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000B.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Debug\PASSWD.LOG C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00003.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000E.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\lsasetup.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Panther\setuperr.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Debug\NetSetup.LOG C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000A.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Logs\MoSetup\UpdateAgent.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\TEMP C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\setuperr.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Program Files\CCleaner\CCleaner64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Program Files\CCleaner\CCleaner64.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CCleaner\CCUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CCleaner\CCUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Patch 64bit\Patch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CCleaner\wa_3rd_party_host_32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000B C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0007 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0007 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0011 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0007 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0012 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0003 C:\Program Files\CCleaner\CCleaner64.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ = "0" C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\000F C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\Windows\system32\DrvInst.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0006\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0013 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009\ C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000B\ C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Program Files\CCleaner\CCleaner64.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags = "32" C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0012 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Program Files\CCleaner\CCleaner64.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Program Files\CCleaner\CCleaner64.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor C:\Program Files\CCleaner\CCleaner64.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CCleaner\CCleaner64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\CCleaner\CCleaner64.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\CCleaner\CCleaner64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\CCleaner\CCleaner64.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\LIVE.COM C:\Program Files\CCleaner\CCleaner64.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Program Files\CCleaner\CCleaner64.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\OneDriveSetup = 020000000000000000000000 C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Program Files\CCleaner\CCleaner64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner... C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Software C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Software\Piriform\CCleaner\AutoICS = "1" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Program Files\CCleaner\CCleaner64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\ C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Software\Piriform\CCleaner C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Software\Piriform C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6363e5bd-33e3-49d6-9ca3-6404fb9c42be" C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAFYbCXk3jR0+sI9UVuRJ/PgQAAAACAAAAAAAQZgAAAAEAACAAAABTtBtH2Vz2i+yViQ2BUk2KB/DgO3Jwis2T7XRZqTar5gAAAAAOgAAAAAIAACAAAAB10/LOx0NXVvEGJVVDjaU/tDmQILD0iEA1cg6j3ticHkAAAAC822i4+CTfghk4hQk9E1TiSqNaI2s9YL4Ld6cQGG2hjZFn1pH6RJ0Hw/58gobotFuzkGvWGBn0Wisek169I1mSQAAAAH+sdAm6NTxgrAArxc5B4whs2Qs5AUUpgDtdPprpI+bWUh3Q+c0Gtt0tHTUJPHvbdnM3RpuljNOcXlMGAZU/GuE=" C:\Program Files\CCleaner\CCleaner64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6363e5bd-33e3-49d6-9ca3-6404fb9c42be" C:\Program Files\CCleaner\CCleaner64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\ C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169.rar:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\wa_3rd_party_host_32.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CCleaner\CCleaner64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCUpdate.exe N/A
N/A N/A C:\Program Files\CCleaner\CCUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCUpdate.exe N/A
N/A N/A C:\Program Files\CCleaner\CCUpdate.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A
N/A N/A C:\Program Files\CCleaner\CCleaner64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4900 wrote to memory of 4056 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 4184 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4056 wrote to memory of 5012 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://soft98.ir/software/optimization/212-ccleaner.html"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://soft98.ir/software/optimization/212-ccleaner.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae5b0870-a1bb-40c1-b740-3a48808cbda6} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2296 -prefMapHandle 2300 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0918d8a-a231-431d-85ff-e628803e608b} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13717a6b-f6bb-4e54-93c7-0ba66fa184cc} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5a8f8f-60c1-4d5a-802c-9384dcc7a45c} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 2792 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7967e0a-b3ea-4921-8711-0896b65a8ad6} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5344 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba3a5055-9ce0-4c9e-97a0-5ab1c2982047} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5628 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec15192a-79df-4cd2-b615-696585da5bc1} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5528 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {165b61cb-5f03-4304-b5b9-a69c9f09ad6c} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6176 -childID 6 -isForBrowser -prefsHandle 6152 -prefMapHandle 6148 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa45d46-d5eb-4dc6-9e1d-163f34366014} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3552 -childID 7 -isForBrowser -prefsHandle 4064 -prefMapHandle 4228 -prefsLen 30901 -prefMapSize 244658 -jsInitHandle 1324 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4334ff8c-b171-4dad-9235-1c7ca7bd4b4f} 4056 "\\.\pipe\gecko-crash-server-pipe.4056" tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\" -ad -an -ai#7zMap2215:122:7zEvent18839

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Block Host [ Run Administrator ].cmd

C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe

"C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Setup.exe"

C:\Program Files\CCleaner\CCleaner64.exe

"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC

C:\Program Files\CCleaner\CCUpdate.exe

"C:\Program Files\CCleaner\CCUpdate.exe" /reg

C:\Program Files\CCleaner\CCUpdate.exe

CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\61c8d31d-e0b0-4b1e-95b0-1793a93f621c.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=2&a=2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe41f63cb8,0x7ffe41f63cc8,0x7ffe41f63cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:8

C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Patch 64bit\Patch.exe

"C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Patch 64bit\Patch.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Block Host [ Run Administrator ].cmd" "

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\timeout.exe

timeout -1

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\drivers\etc\hosts" /a

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F

C:\Windows\system32\attrib.exe

attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\find.exe

FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe

FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\attrib.exe

attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts"

C:\Windows\system32\timeout.exe

timeout -1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Program Files\CCleaner\CCleaner64.exe

"C:\Program Files\CCleaner\CCleaner64.exe"

C:\Program Files\CCleaner\CCleaner64.exe

"C:\Program Files\CCleaner\CCleaner64.exe" /monitor

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Program Files\CCleaner\wa_3rd_party_host_32.exe

--pid=5176

C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe

"C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,10835259004460969832,6962661984961529710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3756 /prefetch:2

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9e8c4c29-4b22-e742-9dd3-fbdaef7cb9ad}\cdrom.inf" "9" "4c2199133" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "\\?\C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "1" "SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000" "C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_970e40f68a7583a1\cdrom.inf" "oem3.inf:*:*:6.3.9600.16384:GenCdRom," "4c2199133" "000000000000014C" "ee52"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a3ca6837-a4b6-8c4f-b203-41e953f162fe}\ich9core.inf" "9" "4a5bb1cab" "000000000000014C" "WinSta0\Default" "0000000000000180" "208" "\\?\C:\Program Files\CCleaner\Data\package_download\df2052ab846c543608316e16ec18ed5eb296f4fe"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "1" "PCI\VEN_8086&DEV_2918&SUBSYS_11001AF4&REV_02\3&11583659&0&F8" "C:\Windows\System32\DriverStore\FileRepository\ich9core.inf_amd64_11099e449d0dade9\ich9core.inf" "oem4.inf:*:*:9.1.9.1005:PCI\VEN_8086&DEV_2918," "4a5bb1cab" "000000000000014C" "ee52"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9367f647-c20f-724a-9f4e-83a0869c982d}\Netrtl64.inf" "9" "4ce682def" "000000000000015C" "WinSta0\Default" "0000000000000178" "208" "\\?\C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "1" "PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" "C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_3c359b290aa86d32\netrtl64.inf" "oem5.inf:*:*:6.111.723.2009:PCI\VEN_10EC&DEV_8139&REV_20," "4ce682def" "000000000000015C" "ee52"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49743 tcp
US 8.8.8.8:53 soft98.ir udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
IR 79.127.127.35:443 soft98.ir tcp
IR 79.127.127.35:443 soft98.ir tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
IR 79.127.127.35:443 soft98.ir udp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
US 216.239.32.36:443 region1.analytics.google.com tcp
US 216.239.32.36:443 region1.analytics.google.com udp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
NL 172.217.23.200:443 ssl.google-analytics.com tcp
NL 172.217.23.200:443 ssl.google-analytics.com udp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
N/A 127.0.0.1:49751 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 193.151.157.174:443 dl2.soft98.ir tcp
IR 193.151.157.174:443 dl2.soft98.ir tcp
IR 193.151.157.106:443 dl2soft98.82.ir.cdn.ir tcp
IR 193.151.159.52:443 edge11.82.ir.cdn.ir tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
GB 23.49.163.75:443 service.piriform.com tcp
GB 23.49.163.75:443 service.piriform.com tcp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 34.149.149.62:443 ip-info.ff.avast.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
GB 92.123.143.240:80 ncc.avast.com tcp
GB 92.123.140.9:80 emupdate.avcdn.net tcp
GB 92.123.140.24:80 ccleaner.tools.avcdn.net tcp
US 34.149.149.62:443 ip-info.ff.avast.com tcp
NL 142.251.36.46:80 www.google-analytics.com tcp
GB 184.26.133.226:80 www.ccleaner.com tcp
GB 184.26.133.226:80 www.ccleaner.com tcp
GB 184.26.133.226:443 www.ccleaner.com tcp
US 104.18.86.42:443 cdn.cookielaw.org tcp
US 104.18.86.42:443 cdn.cookielaw.org tcp
US 104.18.86.42:443 cdn.cookielaw.org tcp
US 8.8.8.8:53 geolocation.onetrust.com udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 42.86.18.104.in-addr.arpa udp
US 8.8.8.8:53 42.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
GB 184.26.44.174:443 s.go-mpulse.net tcp
GB 184.26.57.29:443 assets.adobedtm.com tcp
GB 92.123.142.24:443 s1.pir.fm tcp
GB 92.123.142.24:443 s1.pir.fm tcp
GB 184.26.134.46:443 s7.addthis.com tcp
NL 142.250.179.196:443 www.google.com tcp
US 104.18.28.127:443 geolocation.onetrust.com tcp
GB 92.123.142.24:443 s1.pir.fm tcp
GB 92.123.142.24:443 s1.pir.fm tcp
GB 92.123.142.24:443 s1.pir.fm tcp
GB 92.123.142.24:443 s1.pir.fm tcp
NL 142.250.179.196:443 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
IE 34.253.253.34:443 dpm.demdex.net tcp
GB 184.26.132.163:443 www.nortonlifelock.com tcp
NL 20.50.2.53:443 mstatic.ccleaner.com tcp
GB 184.26.57.149:443 wave.outbrain.com tcp
GB 87.248.114.11:443 s.yimg.com tcp
GB 108.156.39.8:443 www.mczbf.com tcp
IE 34.248.175.81:443 symantec.demdex.net tcp
IE 52.48.198.240:443 cm.everesttech.net tcp
IE 66.235.152.225:443 oms.ccleaner.com tcp
NL 216.58.208.98:443 googleads.g.doubleclick.net tcp
US 64.74.236.63:443 tr.outbrain.com tcp
GB 184.26.57.149:443 wave.outbrain.com tcp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com tcp
IE 3.248.141.173:443 c5.adalyser.com tcp
US 34.96.102.137:443 dev.visualwebsiteoptimizer.com udp
GB 108.156.39.8:443 www.mczbf.com tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
NL 172.217.168.195:443 www.google.co.uk tcp
NL 142.250.102.156:443 stats.g.doubleclick.net tcp
IE 66.235.152.221:443 oms.ccleaner.com tcp
GB 23.200.208.174:443 c.go-mpulse.net tcp
US 8.8.8.8:53 11.114.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.39.156.108.in-addr.arpa udp
US 8.8.8.8:53 81.175.248.34.in-addr.arpa udp
US 8.8.8.8:53 98.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 240.198.48.52.in-addr.arpa udp
US 8.8.8.8:53 225.152.235.66.in-addr.arpa udp
US 8.8.8.8:53 61.39.156.108.in-addr.arpa udp
US 8.8.8.8:53 137.102.96.34.in-addr.arpa udp
US 8.8.8.8:53 173.141.248.3.in-addr.arpa udp
US 8.8.8.8:53 63.236.74.64.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 174.208.200.23.in-addr.arpa udp
US 104.17.208.240:443 siteintercept.qualtrics.com tcp
N/A 224.0.0.251:5353 udp
GB 104.86.110.128:443 tcp
GB 92.123.142.112:443 r.bing.com tcp
GB 92.123.142.112:443 r.bing.com tcp
GB 92.123.142.112:443 r.bing.com tcp
GB 92.123.142.112:443 r.bing.com tcp
GB 92.123.142.112:443 r.bing.com tcp
GB 92.123.142.112:443 r.bing.com tcp
US 20.42.65.85:443 browser.pipe.aria.microsoft.com tcp
DE 34.159.85.52:443 alpha-crap.ff.avast.com tcp
GB 92.123.142.208:80 ncc.avast.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.149.149.62:443 ip-info.ff.avast.com tcp
GB 184.26.133.226:443 www.ccleaner.com tcp
DE 34.159.85.52:443 alpha-crap.ff.avast.com tcp
NL 142.250.179.131:80 o.pki.goog tcp
GB 92.123.143.240:80 ncc.avast.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
GB 184.26.57.169:443 download.avira.com tcp
US 34.149.202.126:443 driver-updater.ff.avast.com tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 104.18.29.127:443 geolocation.onetrust.com tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 40.71.11.133:443 healthcheck.ccleaner.com tcp
US 34.149.202.126:443 driver-updater.ff.avast.com tcp
GB 92.123.142.192:443 drup.avcdn.net tcp
GB 92.123.142.192:443 drup.avcdn.net tcp
GB 92.123.142.192:443 drup.avcdn.net tcp
GB 92.123.142.192:443 drup.avcdn.net tcp
GB 92.123.142.192:443 drup.avcdn.net tcp
GB 92.123.142.192:443 drup.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 javadl.oracle.com udp
GB 2.22.96.153:443 javadl.oracle.com tcp
US 8.8.8.8:53 www.7-zip.org udp
GB 2.16.234.57:443 aka.ms tcp
GB 2.16.234.57:443 aka.ms tcp
DE 49.12.202.237:443 www.7-zip.org tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 237.202.12.49.in-addr.arpa udp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
GB 184.26.188.105:443 sdlc-esd.oracle.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 184.26.188.105:443 sdlc-esd.oracle.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 184.25.193.234:80 www.microsoft.com tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
FR 213.36.253.2:443 download.videolan.org tcp
FR 195.154.241.219:443 get.videolan.org tcp
DE 83.133.245.233:443 vlc.pixelx.de tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
DE 83.133.245.233:443 vlc.pixelx.de tcp
US 8.8.8.8:53 233.245.133.83.in-addr.arpa udp
US 34.117.35.28:443 ftp.mozilla.org tcp
US 34.117.35.28:443 ftp.mozilla.org tcp
US 8.8.8.8:53 110.39.251.142.in-addr.arpa udp
GB 92.123.142.211:443 ardownload3.adobe.com tcp
GB 92.123.142.211:443 ardownload3.adobe.com tcp
US 8.8.8.8:53 211.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 99.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 javadl-esd-secure.oracle.com udp
GB 2.22.96.153:443 javadl-esd-secure.oracle.com tcp
US 8.8.8.8:53 rps-svcs.oracle.com udp
GB 2.22.96.153:443 rps-svcs.oracle.com tcp
GB 104.86.110.128:443 tcp
US 8.8.8.8:53 fp-afd.azureedge.net udp
US 8.8.8.8:53 4bd3b32c2f8ed985cad38ebfd08b4c5c.nrb.footprintdns.com udp
US 13.107.246.64:443 fp-afd.azureedge.net tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 123.208.120.34.in-addr.arpa udp
US 8.8.8.8:53 ecs.office.com udp
US 52.113.194.132:443 ecs.office.com tcp
US 8.8.8.8:53 92.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 132.194.113.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 update.googleapis.com udp
AU 52.98.143.50:443 4bd3b32c2f8ed985cad38ebfd08b4c5c.nrb.footprintdns.com tcp
US 13.107.246.64:443 fp-afd.azureedge.net tcp
US 8.8.8.8:53 317f865c49165b54d67c17ecd472d44b.nrb.footprintdns.com udp
GB 104.86.110.128:443 tcp
US 8.8.8.8:53 t-ring-s.msedge.net udp
US 52.96.157.82:443 317f865c49165b54d67c17ecd472d44b.nrb.footprintdns.com tcp
US 13.107.246.254:443 t-ring-s.msedge.net tcp
US 8.8.8.8:53 856a1d8b8b8ec66698c71962a32e9001.azr.footprintdns.com udp
IN 52.140.48.131:443 856a1d8b8b8ec66698c71962a32e9001.azr.footprintdns.com tcp
US 8.8.8.8:53 254.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 50.143.98.52.in-addr.arpa udp
US 8.8.8.8:53 82.157.96.52.in-addr.arpa udp
US 8.8.8.8:53 254.197.79.204.in-addr.arpa udp
US 20.42.65.85:443 browser.pipe.aria.microsoft.com tcp
US 8.8.8.8:53 131.48.140.52.in-addr.arpa udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 92.123.142.185:443 www.bing.com tcp
GB 23.206.78.251:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 185.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 251.78.206.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\bc4b6f4b-7f87-4d77-a90e-e19bdd4a6c21

MD5 31c02e85b3dededa8b8780f68e98a097
SHA1 931ddf59cd40a49e74aa8d4c3225b6224f898b53
SHA256 728871e1978faf92f56a9cfbecdfdbc9ced8a48cd20919631e6cf4487dee26fc
SHA512 4f2ade15bd10e6fce7a9a1f0e7e05cdb1859c07ad5770c3eeeda0d225aae58aeedf86665563b5baf7a95dcbf0b479511c6f91928a189445e0e21a779619a50b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 a79dbe36d91b283954317c8e32e41409
SHA1 f00ca3002ddd00658e634bc3992956c4959b1330
SHA256 632d679fa048e36ff0a63784f012b3493575777c42d21165b3963626438ba035
SHA512 71ea0cb7f9dffc2c45b6d89bc9563ee537a9d1531f63ea8211bd685458c266f942e4a144aae8e0a2886dde5d023959d57a8d026ccb641c7626f832164bf0d0a0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\fe390636-d550-4289-ad0d-9ca1fddc69cc

MD5 f41157b8499ce1ba567ad29ac62b9f82
SHA1 9b1cd788184ca4008fc00f41ffc98f711e49ba8f
SHA256 529f26535bf807235d6e972899e3a17cc45f6bd1c1c18a80f7deac72c96caf00
SHA512 6338269c3cbcedf69db63e09d807fbe4fe66f197568eb64536f5c0d843e1282b2b0e340ecb01c1e1e5922882f404add907d2f2ecd1ebdec10df5aed29e3f9457

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\f1718499-e88e-4972-a4e0-d6bccf82a3c9

MD5 539a5061c1bf539ac4deb8387c89bea8
SHA1 a814bb35f6c54f95e0dc5c1869fd314ea3faf119
SHA256 6bc1e9155d97ec5606dcbef124224543faca17d1b09f138815e0fefe88838d32
SHA512 478db7935ee30d3c316e59f7f51efc550dd000215720891a6d9386d52a040b3f4c6de6be6bfc681eb72336ae37657ae1a21b8d2e024d9a2d65028377a845721d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 7b1b97f62251961fc3032a024f789eb4
SHA1 36d10f01033f31de8ba20ae664f966ca4b6c7af0
SHA256 015868a6aee0f529f35378f5f37abad7ebe119931e53563f72c43e1e5a3703cb
SHA512 cec38df4ece72939f5c016da513235ebd5afed7bcba07ce63e6474c843e5d344ff396c8bd2a14043cd17e37cac84741599b31b77400a55f054d01905c0cf0419

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

MD5 10d66df2459a0b4b3f44e42fad944dc5
SHA1 a50bc9169e5f12eb727acec9db8c622d70278969
SHA256 b571f23ef986b309c85cc35a0bcfba23179aa4a800d71674442f1ccf829ddcd4
SHA512 1b4917336017bfdcea023f4d2b184092f6890b7526fe8069ec6c226f94cd37f719622b9034f06ff7954f792b734133f06f38d17e92c5cf2de6ab5219a7142729

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

MD5 479e87f40ab452f9821a4b9fec2e4174
SHA1 a59fd9f2ac3a3d732673a8ee3e53bd335d9c2cc0
SHA256 86c33799df378fe0dd37faa06b3856d2ce8c15d4356128328a21358cf16109bb
SHA512 7b06c7f77e8c5887fb8e0a6faaad42166737f267c58020ec777310a092b6d994caaa214e71e04c484490c76e127b769e7be4399afacfc2e22b28e6e5b43cc656

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

MD5 80c797980a5854dfa861b5cda70d9865
SHA1 7e1a2db6dcb7f4068850b146ef5eed658c866aff
SHA256 6034a13b61f3108fae175ec0e5584b824b7ccf10008201c10dd5b65aa3b7ecd0
SHA512 d4f7b5a81729d2c98c9b9343bbaa9793e21b41dccbb78410c838086f8ee9c7cf58333ca40383da2535b43899ade405a501812eeb34cadcf61743396a00741e51

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 63a029efc12b1b01225b82751f6ed807
SHA1 c586247002adfd55fba2d5f3b91b9b58f32f4786
SHA256 2074a4784341ebdd3ed2f6aecdabf6b59587242a0c31601a10e060d43675209c
SHA512 f55d1d46ad7c1100ad3c0d52aa0e644aa3f26b6e6991a9604d2c8cf25271774e5522bf77a938fb93a6d5b549c1d2b82d47ae75535e5c2351fdd8c3d80d14d84e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 c5299d456bd838f595ecc8df1f70f9a9
SHA1 c1d5ada20ec08274e87adc480a237025587b833e
SHA256 3d7505f389e40c57b8805147ebb14068c100148af72053819b6e534f55693b2b
SHA512 172f9a6557806eb79da65278c52c4434dbab4523b9bc69135781b764a96e03e7e8c456d61ccfe82f5238cc0ebcbf7bf039e6d83cd193ccbec8d8e0da6c88ce77

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 a1aadf6365e0ea1e3df52ee9560397fc
SHA1 eee26293bcd5d408a926fe1a1717975278387296
SHA256 fd022abb655af2892236d1b270fa230a292411d114b4f018d80030b56336b3c5
SHA512 09e594527c7653e821fa00ac10bf571b99cad064cd40810c0f03be97c2b54445ff4ee346780b201fdb9daf0f4529c63383e359c372ede6691776434b0a17ead5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 5cf294b611912ee433520c3ee8269d32
SHA1 036441628fd717fdde79da8c70c09b7a126a83dc
SHA256 9ee2f23b7a3ffcf328dd7dc934b1db343bdde1f345e71552dace44da2be8127c
SHA512 5c28a2ad0b09b97233143defcc8853287cb6d22271617d60a388c5a4b26bf212674c7aa15f1fcb289e6dd057e544cc164fa02ceab4728948e7b8adf46dd56cdb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 ffae6740c6404099a3961eb1dba18b4f
SHA1 41d2e18c2f5a938b41199434dd93c08b19a3a9f1
SHA256 a71f0eab4871040de959105203d85adaa0a357f9979ef47a223b0781d7a2a669
SHA512 5ded045003cbaed8b448d84bb647b99ddb45b42ab7e35762f1e8249712fbe312f2e45fb6d6b32e82f57eb1177320197ed631bd274635ddfd86c41b4eb352473e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 9ff6b44ec956434fdb80183e00ca40ea
SHA1 76ce59338ddaa4690354dd292a18abcea5c72ce3
SHA256 2afe231d5ca59cf18ff15224f0715cd3c05979060b0a2910713d012f3dc2b8a6
SHA512 7734afc05f291d768755a6eb87ae7dc23fe975fa7fac9e36d8ea96ef889163f9037ad7627df673684d24b1119124f76508c06f6344d091e239f5a63bab3dc8f8

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a30a89f79df8888ae9c1728f2a2dfcf3
SHA1 840bdd66e9d7a49288a6298f9c3c1a43c11396e6
SHA256 91991cea15b83aaa64bdab8e522c0d324d6f7df18f9e294af43d62fee3e1d459
SHA512 1ed6e15d3cba1585c0e88c2ff53cd4f6021bd8d6cf9f3fb17c119715b0a03d946064d549ec66559dc594bc3d2fc3cc55914f0e9d176e7be07986bd8e6fd4848f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 d2d4939aa85d600208a7becea1f6c667
SHA1 1d08b01da02a2848e857da6e44a14cdebafcaf58
SHA256 d0fcaa3e5df8d79cd68402b7e9daf99956b926e19769189468ffe86161875550
SHA512 7ece2eeebda93ea70df3ae3322e8a5987cf21d4dfa5ed1c8399cae5306841d967d0d4316f0641ff9c7feec8f8d863eb95510b3f13b1360405fbae9e409d6d109

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 1187d43c22872b7a93fe48ed8edf61fd
SHA1 c4e2a011960fdbabb58b24df1cd1548e71adcb08
SHA256 90af4102e519bb786e5159a981e7210e69cc00a262e9f9287607c8e7d90dca7d
SHA512 1b9351c60a7ee5c1853f0a65cf04357880a78c2301dd69f51f1312bac11524f1bf45998cebb1a429fd418ce4cae4998245ad40bae4545eb6ab4e2088468ca17c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 44d49700c1660d827de6faa85e32b436
SHA1 f2475ede1fb33bb8784f649994b31a0247946c09
SHA256 31c907158a3d47093a6031c264bf74c4244b166015d7edd1c12b84f3241ba445
SHA512 f709582e1f46e6e003cbc5061c64ab67932fd127bb0c51c9a783f1795b3f85a0561857ac315ab19286361f20402898ed3097f31cd18df6ab97e9431a9111ff95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 b257a1eff4070b8db5ccab943466768a
SHA1 d3e25482d5a954085ab6bb5c916cc8ebbcf58524
SHA256 b59df596ac78818466bcd3f709760323d2fc04d2dc900d9e4c440b9c424e2b47
SHA512 17e45242417a81be938f5f56cc399c4dcc291d03e8c1bd7bece55e05cafdd04169fc9068ad58bb612669884947432a48a9bd0158c4d73f1fa54b998ae9cdccd4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 2d29a76d61cd8a1df79451dfe3e46ba5
SHA1 2491a9107c1801f1f69079f544c3aa7c2af2c053
SHA256 8acc4086d062dbd341cfcf9ca2cdcdb7d320d1285f42f770cb3498cf6c032533
SHA512 40dc121510f5e08bf777a97e954696a726033bfe5f44fe1ba3ca1a7a51f529803ae3628bd629e7eeb7977094b6313b5d4cb781e4c7743452c871ba09dd74f54b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 4e25f7b34541ee3708df2376b71d735c
SHA1 aabefcae78eac1e5a7904a5e2de6ef36aa9c48b3
SHA256 06ee2810ab3b171e4d3b7d24b39eabb4fba32f68b5e4f7525f43f6d54ba8208b
SHA512 6c636c685f6aee7f817c0a5cae53cc92afcd5e77767f3d63f5e896f183ad16d1bdf52368b363f29ba65ff83aa078735dfcedab7d2330a4ce72766169b01addad

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K4L2ZGV9Y9CPX5EMEF8C.temp

MD5 9eb83501d6f0ec678b8938c667cad008
SHA1 4dfccc46d9d9720310d6b63eb304aecf952d5897
SHA256 6506af36e03eea2448bb3b86e9b585df0682952f311a1aa8ae65fedd70ecf896
SHA512 1c3596d089417392e11cbb5bfbf93cd870c979f90b69ecdfd112e4579f0995a1371d9182716c26b241b18b0cd7f7252df04c42402f7dd15f0b01732cab0f7c9d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

MD5 5268c8514b205f4268bf2768e10aa40a
SHA1 eeb70fafdab2739f1193e8ba70b179688ace15f3
SHA256 9c1619afb27accb0a9aee2e1440e8d7cc5aba994885b25f3d715021b6388632f
SHA512 48c149c0ba89cb518dd65f7a1ac2460eabe0229518a1ee21a91ae46543af22f06a73f283e4ba47cbf3fc0c74ab67f2a7b4b30dcec6e2a9cca4b05d5f530f346d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

MD5 b35776ab172b25d77e6ab8b72771469d
SHA1 4625988d088898b36d6c3e2d6ebf8a8451431963
SHA256 164e7aa273f43b8f0915ce5cc88979c078b6be22d9e3b519eb60e65250437d90
SHA512 7338b801285be86abca446cb06d4d2b476aaf84afa17b129f85e955cff2f2444e6b5b0b2f09a94cbbf6f6bf84b84b86e8a9928381a88d60df71ee61d4a484efa

C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Block Host [ Run Administrator ].cmd

MD5 6ba5c46261ff52e7438f21ccef5f8c7e
SHA1 acdf309fbfebecb7a93b78068fc1498fae4d9e62
SHA256 f7d87d0a3977d9ed4ed6eaa2da2fe2aea9564f58cf062f828dec0aa21d9ec11e
SHA512 106b05fbeca31c78e5e5f33cbd62580aac1b4ef781a78ac2cbe80f92eb01f75beeaa480772dcf2f9f2bbea178e681aff2247dd3d08387b35ca507b90b4a5cc43

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

MD5 2601abd09ef927a1b8d1e5e354dfa770
SHA1 7982fe33f25e03bddfb3dbdbdbde41bae7a3d60b
SHA256 5770ed26b6f27750806b7be97ea3b200a073fb45f63c81023193337c6568d0fb
SHA512 3fe5ef259506d81ded7ca6843c0ea0b43a97b9c80843a14d149a19850f715cce8b78e67711cbac711c7cabcfa312ac5969ce5e5f1aea75500e49a445e7669558

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\UserInfo.dll

MD5 2f69afa9d17a5245ec9b5bb03d56f63c
SHA1 e0a133222136b3d4783e965513a690c23826aec9
SHA256 e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0
SHA512 bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\p\pfBL.dll

MD5 b17e3a7bcb1cf4a0d5959a21ffe3336c
SHA1 c1bc1b1b715007c05f79162cab00ba3c23d94efc
SHA256 aac187b6ca8256f90f64d940cbd9aa457f3b52229cca5bb17d5ec4ac3f8993c4
SHA512 9e02ff8f279fe0e17ef03dec289c7ae623b2ec2b12434bc08479d8c676e25ed3d0ebac54a44a7e571b6bd65e50aa056338b5db90e94ab5ed3b279d514efcde47

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\ButtonEvent.dll

MD5 c24568a3b0d7c8d7761e684eb77252b5
SHA1 66db7f147cbc2309d8d78fdce54660041acbc60d
SHA256 e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d
SHA512 5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\nsDialogs.dll

MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\p\ServiceUninstaller.dll

MD5 3053907a25371c3ed0c5447d9862b594
SHA1 f39f0363886bb06cb1c427db983bd6da44c01194
SHA256 0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495
SHA512 226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\INetC.dll

MD5 7760daf1b6a7f13f06b25b5a09137ca1
SHA1 cc5a98ea3aa582de5428c819731e1faeccfcf33a
SHA256 5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079
SHA512 d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\CCleaner\CCleaner64.exe

MD5 4ee9df4bef3571c74b1a4556e6afae6c
SHA1 4cd037edf6984b026f25572298e5c6345cbd7b0a
SHA256 c02731acaa708f929e4935da2338cda307afb4729c962722708e5a4e3b8aeb33
SHA512 a295f2d91639db79c496b31c3f03f175a9b1649d1f4c5342bdcb01c2e8871d3ef48938cfda72c57cc8724ad94d9284fb8f8e9135886e51d69f075b01a8d95085

C:\Program Files\CCleaner\CCUpdate.exe

MD5 943a4f169e9a3303ed6defc1ac3690bd
SHA1 e0bd76b866624164c10b85d37efb6474b84164df
SHA256 e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240
SHA512 da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c

C:\Program Files\CCleaner\branding.dll

MD5 eea64d3d3dc333abf45869d252b77d0a
SHA1 fa64bd25c6d50a92c2be6e5313dc2eacc2560760
SHA256 01ba7443a3c81d33f1c722606d5673adac580360f8febb70797d2be796f73606
SHA512 7f4a54a6405a32022c118fbc1075b0067c401a4fe4b8c200c86d223dfe06c577f89bc11e94086018e77f6227f096506e1b0a8480bc77888ec32ec0afd84f6239

C:\Program Files\CCleaner\CCleaner.exe

MD5 6b4c65034b779fa91129d036f2854a55
SHA1 b0c21f129f58f4195cbffb8268b5693b0a4c4f2a
SHA256 9cea0bdcf677382833e973158a0c7c9b5dee86fbd7c6fdb8b114aa7b23e64d58
SHA512 b3d16086c09b23b6e8fa796e307348c005a2885c6067a5d180eeba39178d1a37fa6dffd4aad6f7a1624c9e150bf3b62f49ebfaa7612ebb26dc34264fcee88dba

memory/8048-3746-0x00007FFDE54D0000-0x00007FFDE54D1000-memory.dmp

memory/8048-3747-0x00007FFDE54E0000-0x00007FFDE54E1000-memory.dmp

memory/8048-3745-0x00007FFDE54C0000-0x00007FFDE54C1000-memory.dmp

memory/8048-3748-0x00007FFDE54F0000-0x00007FFDE54F1000-memory.dmp

memory/8048-3749-0x00007FFDE5550000-0x00007FFDE5551000-memory.dmp

memory/8048-3750-0x00007FFDE5500000-0x00007FFDE5501000-memory.dmp

memory/8048-3751-0x00007FFDE3DB0000-0x00007FFDE3DB1000-memory.dmp

memory/8048-3743-0x00007FFDE54B0000-0x00007FFDE54B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw7374.tmp\modern-wizard.bmp

MD5 8bd95fbd159e00b9823fe8d60ccf9b50
SHA1 c55e1a485062efcae2ac4d4aa43172a0d8dc9413
SHA256 6ef238fafc028ba028eacbff28bcc670cd7213df9318f99f619ac3e2988d16f3
SHA512 1bbf9d41d3180cfddb99e300142b619ddbc225a099a43e8755aecb44000a4248a7606d04bbea3c1e65143fc488c40d30fcf9bdd418174bd821247b932977f86f

C:\Program Files\CCleaner\Setup\ab440ba7-a8f9-485e-b7d7-9124ff5a27bf.ini

MD5 2af9f69df769f876f6e02da18e966020
SHA1 5d21312d9bd23a498a294844778c49641a63d5e2
SHA256 473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c
SHA512 a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

C:\Program Files\CCleaner\Setup\61c8d31d-e0b0-4b1e-95b0-1793a93f621c.dll

MD5 fe6f58fb55d9a93502528c3c9bb13a3f
SHA1 516275dddbc9e2f056342201b03a0931d93a6239
SHA256 c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348
SHA512 7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

C:\Users\Admin\AppData\Local\Temp\asw9821107274b621ed.tmp

MD5 28d6814f309ea289f847c69cf91194c6
SHA1 0f4e929dd5bb2564f7ab9c76338e04e292a42ace
SHA256 8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
SHA512 1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

C:\Program Files\CCleaner\Setup\ad494186-1679-4f5e-a9bd-9602437ce2c0.xml

MD5 ae6a8195071ca62513212cc891097046
SHA1 59e970ce9228067477754b352217bcf6aa7624a6
SHA256 6670a81a48ea5c942c3617f0cfa026352adfa1a9bcbb7848f4c41ea427585ff0
SHA512 ceae43a60089f75f654e9a639a06afbdc213f031d5aceebb73ef5cb41e300e7ea209c17bbd3c5f1de5b5eb7bf3770ae7222263c0ba23202ef48ecfb91072014e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b0177afa818e013394b36a04cb111278
SHA1 dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5
SHA256 ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d
SHA512 d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c78f8988e0518bcf8ab9b17756d32224
SHA1 97c52cf09b499638511e1db80ac618a9b1a5169b
SHA256 7f826f0988ffee8cbcd6f3174de581270ec79592f9cb571f72a5e6fb5ce59959
SHA512 3917eba55a19a9971bf95e881928208420db8009001759d9461babc3d541c3264e70e21f369c575130aa30e87a5f71dd4add982b6443d6cb3b6d4c53001f4d28

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 6252e6fd2df17d09da5cd211f30b5d3c
SHA1 0131eae8c576b70ff9cd43e9acebf908510fa134
SHA256 ecf68318687d842e7bd02f5f19fa911e925ae5e28da49ff5b39911dc3a8bb832
SHA512 f95ff07da07813aa5693e3c0b21691144635371d5b66f4d6634c5d8cd631be989c74bc98be12d3311fd131906848a4151daa7b9b3ea57ddebb6e068f52afab0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

MD5 b66a5adb48b3f2ed1cce4d04379c3ffc
SHA1 fca3b11b488b1130423d28a077e56de65261833a
SHA256 f1d6c96baee9f26f3430addff9a995f4a2ed9795ae5d0eb1268f3183fda4a9e2
SHA512 5564a254504aca32353981b3fa2f838791e3ea9ebef958511226fa11c6a928ef3e2c6a6df6e483f4d18aaa618fc958cc2edbc4061eff1fc6438f950a44368658

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dafd74bb9227bfd2a61ca2c2185f1798
SHA1 ea053b0295ce1c42dcc492f7897d47402438a855
SHA256 d2e27c01f7ab805bd54cee52cfbf8f0014a88c8ef075ff347ea7fce2cdf6e285
SHA512 dfcaa1839f7dab8a2cedf9b5709566b63d2bef701378f10ad66c9b6b982aa5a4396f0d98b5eb8f2f8383126c16624f90a612992d7d6faf1fdb8a4d038381f74e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

MD5 e935bc5762068caf3e24a2683b1b8a88
SHA1 82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256 a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512 bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 ad3b35a5ca76e0a648ca41fb7147d772
SHA1 fa514d9f56fa7eaa93a96c61a2d5e5cc82e44ab0
SHA256 4724906c68305be2e6b3411d24f27eeffd77e38b69518714a0ff674504b38b89
SHA512 d096ffeab868e23bb9e8842212cf02e90d15dd0b171ccbf7b35ce9474ad6350a6fbfa9d4f3b034d8e48a26381f5ba92a9ba688829cfc9256469065955186897e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d9b322a9437b5cc5a3bb7f3804227ba7
SHA1 a765fda0aaaeb1e0f0f7d4ea9ab46d2b8282c89e
SHA256 da96ec773298a65fb6dd39e284e3c4e5df16b96bfed992900f7294032ee2658b
SHA512 d58caf819a4c4dcd8347095a92e8b27d07601decd8982ac63cff56dcddeb5d9230a8a9bd9e2c1e476f20f9d21ecf1ed0c0cc0ead2f2ddbd54c73dae9d952b19b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ceb8310fd876c4dd49487c54d8ffe65b
SHA1 3f98c9f6b5f85ec1bcc98a93966f1f55f03a281e
SHA256 08c003520954a204011598de16609eefd98684d3db1d9af7c8399bbee0551b53
SHA512 eaf813c3499e803bd53ce10d3ea2312ac4466f6c09c6dfe9ca7e2b1802430c744e506a2d05d7e7359470d3d024a1c9c7a0c647c1633b1513dd7320f7d065de2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 74b92d921538718ef4a90085ed927af1
SHA1 0477889074642281a40175b61f7fb58ca528ef48
SHA256 05c2b43037296bb2d88e1a48a43ee65861c9b1d018b9e55d6288bb07c8d3bab1
SHA512 323f17c5189d329e3ff78a944bd2f7f06862014ea20f16ee39100080d9313987d940f867be8cdeda0ff5c2081917ea351fe2f33f5a9e55f78f376eb3e6270afb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 abaa9f5b61dda3205be679795f820dce
SHA1 a8f23b5986a6bc121934e7c5c731b9452373b371
SHA256 b3dfa258137edf2dff988c781d5e0962ed939903de158eb3fe192d3e14e47823
SHA512 75bb846afbe5fa76bb57f1860a9615b914c1133bde1ddb54a2e48c59c7a2082b25bd5bc8adf8ec37fd9af06bf805bf0647b7954bbcfb2b962a2e663dcdfba648

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 f067ec6387af9962b8ddf98c46826c9d
SHA1 87f914b4560dfc85b93fe5197d6a1c78170c69c8
SHA256 be7248321c98f8dbceb61b98610982eeb1ac54465a34de4048ae51dee6450d9c
SHA512 38bdbd415e0fe84f8572f4c469798b93bea39be5834b5f69553f5cfbc357422976e8f1bd3312c200297f29ff547668ce240278b83b6f492d97267e208e18438b

C:\Users\Admin\Downloads\CCleaner.Technician.6.26.11169\CCleaner.Technician.6.26.11169\Patch 64bit\Patch.exe

MD5 f3f183ba8a3c43dfcbef0396ad5d917b
SHA1 8a6edcfa27a7f29cab0d6e2f0595eec2c8b2c123
SHA256 849d56ebcfdc2cb97c4a7ab9c961c3b7b80700d43963b7db2b6934609de6104d
SHA512 2b997fa759e206ac1576615e048f0f11665c2ae57abe55e780022796c02214aaf66fbe6d7ea37152908f833ab8c6ddbdf9a53fa96910f499aa9850e6e3170c77

C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

MD5 0aed5af9cae586f68e77d952e2df6e38
SHA1 6bfa5f7f33089145911ec87936aa2454a8a70455
SHA256 ec98d49254b648dae0dafc81f2ea9f2a71fee1c7c21a11640f30d9b9b501693c
SHA512 9dc72e67d04b2feb8b0ec03a48abe6bdf18696adf5fe479794080e8f3a48011e6b1b9948e49f1b5979f92e4cc9da7716d326009816e4af9d889b50e56c2b5253

memory/7120-4009-0x0000000075830000-0x0000000075856000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 70809cd25a7156ceaa842a6d11d98fcf
SHA1 52eeef0faf1fb4d76366229fb14d0d5c77489fce
SHA256 fd1a1472795deb9f898f0ee8d14be6f39c72a13e09be36aa6b2308f353a4f900
SHA512 e00702864a178e24fa41f6096a7d9e3062257710c6130f94739f1f70bcb83b2973596d9e191909c79e3dc1df2cfc6df2ede24201c44cda2abb8cc46dc6d87a22

C:\Windows\system32\drivers\etc\hosts

MD5 ad0b57ce666c9c3d169da07aed9af78b
SHA1 e9e4233995efe326c3c627c856fc95b9aefcf9c6
SHA256 37e59dcaa10f3c38eea641c753a8be9c16feab65095857a040c2003d74c9100f
SHA512 6df1ee11a97c6a0d2790c89bdc69d7b9e83defaa7e2a90e0677e2faeaf05c848155e06ee7fc924f7621b09d9b7564c764204b1381f01acafc602d6c19de07caa

C:\Windows\system32\drivers\etc\hosts

MD5 b45200515c29a4beac5d3dcb914a7fc4
SHA1 49b6450f15336ed7f9980c4f5476d81b54fefc29
SHA256 957b94d5a0ad789fc5e6970757f8dc9c246423ea92055ddf60d2844dea745133
SHA512 d62555cbc390be0a16ce311c0fbf5876a1f506f25d5bbb4e49640d805db50c17eacba580d53533fa3f1b4fd9210a6c6ca5878d369116d477c30df83472b83c4c

C:\Windows\system32\drivers\etc\hosts

MD5 5c91a3889e4a188e80312f93f9881d58
SHA1 d89657fe43a98d45d4af5490b62dd714e26daddc
SHA256 60282a234ba110d3ed9f1d2018d8828f08aea4231f3c817b23e57f012b7ce55a
SHA512 5a112b2236218ed00d31bd7880ba9bd4598689c6ed6715ab71c4e86661a8030cb764c951e59261b2073363d26ff2a2b5125e16cf3215aa40428968b4a776251a

C:\Windows\system32\drivers\etc\hosts

MD5 8e01c79df4903471d0b5a822770b3ace
SHA1 72700ce1969e75ee52d6db0811f34a3fa4ff7731
SHA256 d1f073bdf8ebc6a227dd6e9244cd5ef23cf6981a87157d3c5f77b0321f91f5e3
SHA512 3cfcf744c9ccbb583935a340f997ae46fa18d6c1741eea535c502b5b915e2a88725874f84c434997135cb2f64a43f97ff42b9421a83291882d906e226bb4fe7e

C:\Windows\system32\drivers\etc\hosts

MD5 79d033feb5668b9617389d58be8f8ead
SHA1 ec216d3223200e427c1fb7bb563cb0af25e3cf61
SHA256 1312905ca1051276ae1e0b8bf811e1a80fdaede690b44979290d14ebcc82e9b0
SHA512 cb0c32963e31db40e2062ba59c5ee476e224f785ae1eb02654169b724d6d302b0a76df431b5471bd2053aba2aadb89c12af93b94960d8b9f3b6c744b425d568f

C:\Windows\system32\drivers\etc\hosts

MD5 3f358de74cf8a61f7e6fbc5e24535ec4
SHA1 598ee1c79f324fb4181489bff2fa7782c18b4334
SHA256 4fb35d4656edc4e693d990c67acd21fed25f0e3376e7b946863eadbd02fbbe9c
SHA512 553079ffd0c00961130141bee90b3d7038b94394c4b430838c84164c3f738feb3849ab9ddf87f2eb14c80085e5dce77c0c7844f144c99d0baa82b935cbf448e0

C:\Windows\system32\drivers\etc\hosts

MD5 05ede6389e1581ee8d56e468699ecf87
SHA1 40643b63b6f1d95f70469db0e2164197fefba265
SHA256 99942c3c7b073592f0da6eb296fb63daa1e139f05a9bd6dc3685bdb9ef6a2768
SHA512 2b3d1159bd73b5d840b2872d85a25ffef3c5e200c2027166385392ee80889c89aa73a769e1882bec82654f0ff7a353744322024381c7710ffd3ef1ba20b3771d

C:\Windows\system32\drivers\etc\hosts

MD5 a3b83bc2bbc323a0fe9591b4f2341f5d
SHA1 12a9049771222e39822293f2e49b5cef56b6f11c
SHA256 8231fa62369f0ab4fb4de709a9f2f8f7092fae9c2aab9a369bf4fadbf031e638
SHA512 96d550687ee82f4b0435906e37646bcd1fa7a9c2f44f6de35868838711064f5c7fa9d6a508383bf4b17472ada1b1e4ea13334b918b6dc7644bf33286768dff8f

C:\Windows\system32\drivers\etc\hosts

MD5 6e1461c4232df9de51d7499c3a5830f5
SHA1 735fc6cfcd8950ffc5dce3c3ba95341532ed6e1f
SHA256 ca72cb1641543719081fb6607ab405add80d99e4c2d1690cd74868164823eb12
SHA512 f7d0a50444cde595473285891e8c154e4064ca16754c9d82bf71a17fa0237f43bf9f85818080a24b16de42f3fe3597d412bbdd01faebf08c43470167e8761f00

C:\Windows\system32\drivers\etc\hosts

MD5 276aabf22b1439a4b420d405f7cd71ca
SHA1 bc08f7ee108c533ca754c7a34253122a9a3fd32c
SHA256 492b95567565fb33e4bf5f1ecaeb4be8aee8a20a67c54660f0deda8f6d38ebd8
SHA512 aa026f61bfd832578099f42a9dec1b90e8cae01f13cacd027ff6e2a78c9fa8250edcc3434a127393c4d78e050a87f0ae40b79758918f0d2660dd789136e6b4ae

C:\Windows\system32\drivers\etc\hosts

MD5 996c623bbabea0c23e55b1a7a3a23460
SHA1 2a7be56aabc8d469ba2e51ce1abc3b2202d44fe8
SHA256 09103bae19af0841e6ce4687d5108e5c26739bb464e7fd33b5959e235b7b6d6d
SHA512 7abb4b9eda2305aada65eabfee06dc6da8a2957edac78b0cceaa7893e41094873b97ff4ea1feb6427313c6c8826e8829989c9ecec9596b728ef4c9f6aa941efa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 80963ee7221f0a972f796a1ca1ce37a9
SHA1 329d12c4320d4a09537138797f29474e97bb3fb8
SHA256 51bab64fa714265aaf1aae189240198c6bf314661ff8c4a98d519ecf9e293ea6
SHA512 2d8816231175870f72f17b630e6fef3533fcb4c983892fc55dea04d31b0b09a2a3f62ade040597e5ad61caa0dedf475659c5f73ddc5da671270f6139a764110c

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 c474d74e7614680164db48fa83d1be11
SHA1 cdd680532d8f6f63b0b500b51b8876da7f494154
SHA256 193d860a670118faefa95486ede5b5c335262730edcb0d2ac0b45b62c92d4570
SHA512 421fd8d7665ea657f228e1065f71fb6db30e86d6d215420650fa36c178000b09e4486fdad7687aa8168f51c3a1512fb12d70b916016d4aed6de9731742a0ba5c

C:\Program Files\CCleaner\Setup\config.def

MD5 05927e894c81eb42c3b4dae5a5a6c937
SHA1 7ec0660aac7c3396599447a49f30ba18e1f0db49
SHA256 09c65b39bc891e12956ab7bb30fae147ef7c8fa37542b6f040613436b566e7f8
SHA512 c06e2788952a3550597f5b539cf8f5cf7a569e33192951bc8ce97d4570bd4ba35abce99586f309f3e1cffe6f1d83aee98b79c0c26503ef4cd4d1fbfb40e1ba4e

C:\Windows\Tasks\CCleanerCrashReporting.job

MD5 b434d315b133404b868307293cd15dac
SHA1 83a3278c43ca69d03144cf0da73016a8f758dc42
SHA256 c073dc6e3b31badce1789d93c514ff5436e133c8effcbf73e7960bce0b470059
SHA512 1840bb0e0404bcd1d87abb44fe06c8f790aef156027581fed5deac353b2ff6d36f8a41922b9b0d5d89ae3382a4157061dc91c37f34056a2acd3ae9bd497c1140

memory/5176-4136-0x000002094CAB0000-0x000002094CAC0000-memory.dmp

memory/5176-4128-0x0000020949CC0000-0x0000020949CD0000-memory.dmp

memory/5176-4160-0x0000020955090000-0x0000020955098000-memory.dmp

memory/5176-4162-0x0000020954F40000-0x0000020954F41000-memory.dmp

memory/5176-4161-0x0000020954F50000-0x0000020954F58000-memory.dmp

memory/5176-4164-0x0000020954F50000-0x0000020954F58000-memory.dmp

memory/5176-4167-0x0000020954F40000-0x0000020954F48000-memory.dmp

memory/5176-4170-0x0000020954F00000-0x0000020954F01000-memory.dmp

memory/5176-4178-0x0000020954F80000-0x0000020954F88000-memory.dmp

memory/5176-4180-0x0000020955050000-0x0000020955058000-memory.dmp

memory/5176-4183-0x0000020954F40000-0x0000020954F41000-memory.dmp

memory/5176-4187-0x0000020954F00000-0x0000020954F01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 4473253da606797a4322536ceb018eb3
SHA1 a4e01b1ef1bd54da20e4073ec293ff1a35fd33f0
SHA256 43a42a4dad3746478d650147da3e3eee68c752089912c82fb1d461c0e19c5c1b
SHA512 a50b2b6471d46aa720a96419f9a199ee39745aa9c1d3f5bd9497c5b40b34a15d813d8de66bc68cb2e9c3948211042091809167267e638720782b97483b04c0b2

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 78451de73936ab55658f57be7d17f869
SHA1 035e56b23cc86cd4e3c89dbaed7fca0f69e8edb8
SHA256 3c913e725c01db0d6e85ffe4438792a6e9de04d379126945025d5d079e73f9be
SHA512 7391cf4eb8df3330fef2603670eb09a18e9fa10d4332532220efcd4399de76b3a51645d065d6094a3a95b09bebcb4df457ef998560769f2a95e30715ad2925ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 8306332f5bc6920dd4c696cb711822c3
SHA1 6c03faf40267c41e204a29f674f8afb568da49d8
SHA256 9a6b170dbef8a633c4733357f2875d2e0978f09ddd876877cfc82e3624466c7a
SHA512 f02f016b980afc782429d03815afa4c7ab0010c81dd7095faca99941f83d24e173ce76b327e87aecb2e4016aa87b74214355fe9e6da57925df8e847c8329357e

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 e6337fda1bd68f60afa7c247cb80e366
SHA1 a97a8607aad654f2d92d5722f9a912a53ce9a81a
SHA256 0f8b015f40a8f0f04e4b967d28aba37e291e5e543e11dc3e7527aee526c0e7f1
SHA512 daff22502489f8819d0993b0510ac5932932599f52aa3f991e78f7d30f94b7b0140b79ac8bcc3e1eadca8e79c1d6c42b848fc7a1cf3727742f17f0f3e584c76b

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 72d50cf1e9eec6ef4b5fb5fa077d0a22
SHA1 d43bfbfc76ef46958f0bdf1c79f250d29d330525
SHA256 60bfdce6d6c14bad9ba0d2d9502b0d7abf501e172300c763c9ea2f2af4b4a9fb
SHA512 9280844da5e9d50a29d54ce23dc6f9c449a363590ea1494c1875ac99d3ac6c8a802ef799d8a7befd9c489fcafcc6d777806b0aa08642c7148ea1a58892bb3a2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 3b12a3a16922b526d979d743922bdac9
SHA1 72c97fb32e08e86663364c725bf6a311a2f92d17
SHA256 c50c73a8ae41d920cc1f81f2a480cdb639d266da8668fd937dcc7d641ecb557b
SHA512 345290c44a567aa318403424ab36880bb568216fce05289bccf2f5546f8c9257b6bf3c252a8a88c70e2ee390c08454571accb4da47772bbd95ffdaa165775837

C:\Program Files\CCleaner\gcapi_dll.dll

MD5 f17f96322f8741fe86699963a1812897
SHA1 a8433cab1deb9c128c745057a809b42110001f55
SHA256 8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb
SHA512 f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

memory/7092-4392-0x00000000038D0000-0x00000000038DA000-memory.dmp

memory/7092-4393-0x00000000064A0000-0x0000000006ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5kjpxsjj.5rc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/7092-4402-0x00000000062E0000-0x0000000006346000-memory.dmp

memory/7092-4403-0x00000000063C0000-0x0000000006426000-memory.dmp

memory/7092-4404-0x00000000062A0000-0x00000000062BA000-memory.dmp

memory/7092-4405-0x0000000006430000-0x0000000006466000-memory.dmp

memory/7092-4406-0x0000000007150000-0x00000000077CA000-memory.dmp

memory/7092-4408-0x0000000006390000-0x00000000063B2000-memory.dmp

memory/7092-4407-0x0000000006B70000-0x0000000006C06000-memory.dmp

memory/7092-4409-0x0000000007D80000-0x0000000008326000-memory.dmp

memory/7092-4411-0x0000000006C60000-0x0000000006CAA000-memory.dmp

memory/7092-4410-0x0000000006B10000-0x0000000006B2E000-memory.dmp

memory/7092-4416-0x000000000C390000-0x000000000C6E7000-memory.dmp

memory/7092-4417-0x0000000007A90000-0x0000000007AB2000-memory.dmp

memory/7092-4418-0x000000000C820000-0x000000000C86C000-memory.dmp

C:\Windows\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

MD5 cf7d2ba867042501d22fe4651ec2084b
SHA1 ee2b6143daeb6693a034f46fa69cafeb798a7449
SHA256 50e2919ba15af354d757bdd8ae19eb931e4fb9ad8c0a05b6acab7a97898935a6
SHA512 4f8807fa9c3fb81b6a3b53396a0bc18aa7cb68f1a61b804c3b848f433baaed380baccdbfc50442dab5a225031ba8ad1e9c9024823ba3306f92334ee79d7ffe53

C:\Program Files\CCleaner\Data\DUState.dat

MD5 333d99d5a1f0d6272365b891bc9ca4b0
SHA1 17ff37719e686ab252f2bcf266488cec051ba3e3
SHA256 7fa8a4ae18ca8a46a824501049718b6272d7758b38e33e5cd4336077f20f59d4
SHA512 474bdd93a7c5d2698f6b56799158a6fd9d740e7fb9b1a251d67ae907ae77ec56025be692b54150e7d417350c718d799ea6d924e945a963902049af7b0f86ec22

C:\Program Files\CCleaner\Data\usercfg.ini

MD5 67f004f0da91095ebc35059fc7cb9c91
SHA1 d547df4fbcb60cb4a1fdc8d13c493218c15c7903
SHA256 6cee77f42305df556e2ef7d8ab8b0e9056f7792da80172a52b3d3a087438ad3d
SHA512 fe3bd34447acdcb95d21a33318e426e634ee8ead3b97ea0e85de3680e0fb941f64dbc389c1265807ceae44568ff936dc8ca0aea7ec576b290a1c95507b39e739

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 7fed1a89281d7e93a7a0c0494cf9578e
SHA1 7c8f94c5457aeb8121b35465c096a159266a3b3b
SHA256 86c02a22e3ba1a2dad84902521b9274fd63de4ea05486c2371bbea20c9fd2078
SHA512 5e3bc0b42e80af817d7378036b2d895098e3268e07a4b1a6bf790b7fb7a3145c10697f4df44743e0799cb53ed4deb156fd96fc30498a6f7e1d5d5145a8694e1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5f6635.TMP

MD5 43bc396d0bb62ef6eeb004ff5f601f85
SHA1 144253540bd5d2cd75754def383945d02e03e651
SHA256 ddc9d43e831bcca13369b05ea4a88627e11c9b0e0decf079642562bb5657c75a
SHA512 e9f29c22dacedc224712cf71c5021ac2107a12db5836b5009ad1df28f1f43e6799cd1804029f8e9dab35a27ae1c7ed15951aefab477ad63e353d5bb5743036a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\567582ba-0b0a-4bfa-b173-fccd9f29034e.tmp

MD5 b147821e69fe651fb064ee08e7d501e9
SHA1 2d2c99a097a299712b25ae5ddd2746432d9ef22a
SHA256 cea121e7df8ea67683e3a3330f851c387f5af158445324cac2b4746cf7d33ff0
SHA512 51aec1d5153f056ae99946035dd76ece4aa89e29102e763892dbaafb97d1fc72bd8eb501a76aca7d87964d4658e4e1c71c9bccd504df0983d074dfbd46c2f47d

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 baeec8c41912dddad83738647623eb8d
SHA1 77c9dde301355a34225a74410e4af833a1850835
SHA256 8fca12c0e819527384809e983637e1ee28b178afef658efde6df8487d5c9c45e
SHA512 2b9f01aa71ff378d62c14db456531e317b6965ee5899e7889f6ac8e92e9f94d48f28c6b1a727b13b2e4960bbc8812d8fc147079c2e3751659f5417906fbebcb3

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 6369d6a68a8dd290aa8e8ec2f04a1be7
SHA1 218cb6a10757ce77871594ca4ee7f58f1041225c
SHA256 54f01b2000e38a52ed9835ed2b7c65d5c63fdc823286b7525a5d5722b01e99b4
SHA512 0a5e6812d5fba1aec93f796901f99e34a6d95984d47a926780dd01d222de4a8b57d4e44a89275774ca7fb20050452e0a9bcf489fee3a49bdc37733e5f7718e30

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 708e959d3f43c4e045eb87915c3319d1
SHA1 536142e047ba649d2aae885431a489e37625cc93
SHA256 a07d32a786589fe208411c86aee2bf19e6fcfc895122ea387cfcfbb66949ecf2
SHA512 247177cd262ba50f8ce4f567616834b47ad8b550f4f234f13af513a6e724e000c6e31eba1ae831f46dff0fd3f3491664b2cbada0bec770ce80c6807933f0c3a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 869c218cc803e570326b6c0789fc4377
SHA1 039e86afd73a733e3a92b375d1bb818c9881e270
SHA256 61519af81a1a6a9106c7fb591f9ca3d3fcb26f340359b40049de219b0eaa38b4
SHA512 31df5c73de3e8c59b4a42110570d1724e263307186571662fedc21d343962d1cccba4139775e3ef9db8239b65c502ad72591a50001f949fca0c29b33df5da9bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 bd8970baa17ecc791d1f2c9c6612020a
SHA1 67852dfb5165d735354b19b02c2e3306e52d505a
SHA256 c05275da7aa6fa5b54300646924914b816a47fba8c96e4088cd06e3e2b917f69
SHA512 f38b09302b90dad7064b6f41f5a775a8f20065c7240dd63064338d8d9cc582b6e6fdc927bee9964f22d12d8f1275096a0cc81fed4c59c90e92af32c58d6afc69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 15b3c630918474f4fa3ef97ef42ff937
SHA1 45499a23e282b11ca9482474549aa93b7fb74a1d
SHA256 aefb68bfc3f33157d435de590d98daa84493272bd4ae7ee1fbead9ca5b3301bc
SHA512 d52c9089ea45db0335ffaf2fb19ab36cf4c9efe377f87d00442be151b37400b6b0bb7df6eeee0090e480846c9af5ba0dc2f161676d73b92a76de17eac79e930e

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 29208332bae4d22f38ac42298e53c621
SHA1 abb33802af576a774d7bdeca15b54d8c620645ae
SHA256 c23aec960406572158208a5fe75549614f0ae60c80b78b29025492aa7d79fd45
SHA512 4302865ed3839031dd9a077be5b7260313f4ffe6361f5d19476e329181e79aff0ce82cb1b7e77cd28a7c3e50bb6fae8d0fef37eda6ca3a497bf054837f761eb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 3075c97cef41306bee2d37ecb351e423
SHA1 ee36413ba3378eaa0c2ff2d6056966b07ba60bf5
SHA256 0c2c782d942258b914052c40adcfeaa370c4fc5fa7c153e2c5ca43b9a9d226ac
SHA512 688bf6ad230077d739137d4f63d7dc310c3684050e83bc94a45b23e40f2756820bcd432efe1907321dd4f2d8ed46a53b19ab18a22786cd1d59ad8956c858da56

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ZZZZZZ.ZZZ

MD5 ce338fe6899778aacfc28414f2d9498b
SHA1 897256b6709e1a4da9daba92b6bde39ccfccd8c1
SHA256 4fe7b59af6de3b665b67788cc2f99892ab827efae3a467342b3bb4e3bc8e5bfe
SHA512 6eb7f16cf7afcabe9bdea88bdab0469a7937eb715ada9dfd8f428d9d38d86133945f5f2f2688ddd96062223a39b5d47f07afc3c48d9db1d5ee3f41c8d274dccf

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 ed7ce1a4b854131e3e7478dd9e54a015
SHA1 ef2e67e09298d44864b912a0c546873ed05fb365
SHA256 a65a8d1926d90b754c9de6dd571af184d12f9b45a4ebe459e86853c92c061210
SHA512 00606402fad94fb66d0315208e35ea46477ef69f90d147daed37703ef4000d613a6822b68469712edc012ab9f3afa9cf12ec00b99d30b697cddf9e57c1ea1b25

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 8b8d47f36fd8f80d1cb5c58255813089
SHA1 3a03536b495afb4ebee3df803906a6298a136302
SHA256 457beb4cd27043d6f62bfc4a01e204e94ea5f2e2270b24ba1da62c68a915339f
SHA512 fb421be546c80443080016eafb3224c7eea74c9f17da47b0b62338ffddc677d4050c5b0aa484a4398d1bbec2ca3f436c1373ca6ccdfe338010c3adec319c0f9a

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 7252c56584082839b280b78032aac5f6
SHA1 fd26149f686e7a0fce3b3fcda8a6699652d2b7e1
SHA256 4f01fb1be92a5d9b796471ef96937e17b455aa653be701a4e373d82a1697934d
SHA512 84d0a62399215102d6f59cb79ab35849763119ab1c69496b8703827e50ef39dc28ac6579cc5b0009707c28efdcd9ccea66c760e0efd1da9c726131562020713f

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

MD5 2893d2f470ce917bb13832d9dd103e05
SHA1 6551645a8179e79fe30cdcfce32931ee56da876b
SHA256 ebc7c006dbeedb1ea29ba183bccf6f86e2e5ab874a7787d477accc34df1c0213
SHA512 35354db31228d7bcf74e1007846e2d9e0507d5e62cf4568eef564f3af8f0de9251c3c9a0147acd80b0ed46814a54816e6d9373099018a5c651ebf7a33ab2fe0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

MD5 4a3b02de85eebb2e908021e6bb99d1d0
SHA1 6c92d6197483b15c4c280e036eb33ae2d9ae867f
SHA256 94f23306569be8730a09fa473c12290f68341d697c252fc895ef276056ffaadd
SHA512 0dc3417e898e9def48e1b5a3b88000ff7c758908750ae1107440c393c5d341bd1ad139f38e16d9cd05aeeef00e76190d40cc811f1d8f8a653636ba3359508313

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 e79ca79fa36da13ae06b7485a31ec6c0
SHA1 a433cd13153769dae1f5ea9e6a8cff8ac71f1b46
SHA256 193f1bd9c3a6e8cfe3c66f412a6ab20f19be9dc41497fcb1d831475ba5720224
SHA512 fcdffc4a1cbac79f2eac55a8e9c80e74766855130b94e8734722dc53a0b87332a943f319100b3e3138ed76c9984d2e4fc73ed61027d68b70cb84ab06eb1084d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 7da9a79986914b697a41c83bf38e484a
SHA1 6f17e9cce43493a074fdfd8935f4c4b6faa06b40
SHA256 44ea10ac6c2d4c9cde0537ba37d06e5ec4895125b5deeb6637ec584e8a4d04f1
SHA512 31cea0d88857c9cc167afe075f4bb49264e1ac3cbcef18fcccd8b1a17e90fb42d6fec6bd6daf9fa8132fe7e0f338aaed33313c6d1f2d5f10525791e132160f04

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 cb272b99840018ff4ceebb40ce2b9621
SHA1 dbdcebed4afc9e47ba0f8a955eeae7e131c8273d
SHA256 ee3cbabc74a18e3c043dfafc7c9f4096941da0c51f7d632ed845b58f908e9e39
SHA512 8f77098f2077ae2319b44568f0a9f769650dea88ad9b467200109a1291723a308c93bf8a5d52b3b25a26e0a4292803b38c4253894259beebdabce2b01ebe47e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 bfc7131cea32c3e9c6788dbb2ff7f178
SHA1 0078cf3ad51ac8f2e53a85c07fcc85a0b7eef769
SHA256 ff3c1a40937086ebe6bebc5fbba4dfc53c5ffcdcf0215c90828608e956f84f91
SHA512 35340819ec3eab8fb85373a20dde1b37664f273545cc18e7ae253ed6d5e6b4ad0a45c0056e659ea9d4279fc90f10e329c29c326d4c69c38fae12a63f1937c11c

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 ac5cbd03be6ef7cc361b84891a8c3e0a
SHA1 788d9f8f2af5e880d764b729782ebd16b6c029b5
SHA256 544ea4388295200ddc05f3fd2faba9f3dff1fd78c870bc2805336371b38b389c
SHA512 c968196922eb37823a7969de4f9620a11e6c312a1a51657cdd3d7dd52ba9fe89cc55f45c4289ef8173a1e6118d142b18d4e19ee40957e8cec18396a47f29d7e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

MD5 a79c47d3daa0c2ea56c76caa657c2577
SHA1 7172b22c28e4f38b99d84531a998e2ea2ac75606
SHA256 e6ba95917ac4599ddb62553650a0f04083fc45f8fcac6803dffcee41fa59eec2
SHA512 423e98f2607a4c3cca01b61833db3ae7f25771b2b18133e0cb34541ba1ab7cdffdc85875a686f403b07bfd6820047d9fe1a6a730b761e8af511ec37694a3e2a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 2ebf1c44a607d662ab5df00f78c6de49
SHA1 1bcc61dd7d0ee99873b5efe7a52bad40041029b8
SHA256 14584e3c6e2e1316e07861ce1d4b1226020addb8bb28b8f63fc3f8c67614647c
SHA512 a5c7c5a6be573d258cd919428b3322a7ca591320bae75d0b0d93db8b628ac421f7a97de48669abc1b5625b4e2cf73922c566dfdd6bdd0c542b82e2ea5c8a1714

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 7285397ecb2bf082b6aa5ddfa673fc64
SHA1 b0771acdbd64b5798095959e8dba9abc9a96a7a9
SHA256 c5d9ceeb7b5759c9542daadad3b29fd14734277a620cba8b60cb88d4a0916c29
SHA512 160848a2965e6f18ee3878454260179a18c0d2235971aaf1b5cf6f281351da60804424b4c9acc0abe1675d643c9672306d3932e500c61d740465fe6e6f2b8390

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

MD5 0598e4e7bbfed0f4994d8134d9e5ba5c
SHA1 dc8a95fbe5d555bf0e9234824542eadc3fe405e2
SHA256 72f0e482fc7169bdf79debd23cf8b5af4007d8ef68f650a8fdb48c348274c4ce
SHA512 3f1ed0dc2f8ad424a15b2e3075ad21cc9a83fead1e820b840d73be03ed7b084cfc8c61c7efe59f9d34d31ea662b57f83914962a1b0130dbde722bc93b39b3e03

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

MD5 d614a3572ff336119a699b94b6f7a489
SHA1 e5cfb534e9316dd0821e28449e4183da5974de37
SHA256 fcd6ef71df2aa1134bad38a9ffddc1ccbe7d20667340197454a01d4463beacbf
SHA512 bd6a914a205c150bbc60c3d61037050088fd4ac777aae2cd5849a570956b1a8ef1bb15ac1dffc28a532b1998cd507b1a1754765a2826a08f6a0ce2eb427175fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 c251be09b85bfb247096bf24d538ded9
SHA1 8857aa800ac2f5ee0365eeb10619d0f87d5e3e0a
SHA256 b72211ff34392a0c9bcb52424a7392f45b490b77302c0753d61b5294ce865a6f
SHA512 92da61faa6e75a1f85227cbfd310626071715a8503ee1da9785f569581643983465b10721a62b8de6da8c6aeea1205a8f8f082e7da0b4a592e47c748e8d66111

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

MD5 ce19e5a951a8593fc2f00a3d8a9c20be
SHA1 c08512cb6a1ab512e3fc01738924b74208d4e15e
SHA256 7f047d62d9f647fb1ca8d7fd7227528c781c0a13e4c5cc5e830c261bd8babee7
SHA512 9a2b5d7ee30ac4d9e82d478d381a15f7488a07c941ad1567e0700ea5b9be6ef74b8cd3a7429a98c2072529a4a795943e35604f111df46a3fddd4517ed4b74a2f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 c5429b2b4fec66f1b566588b8637f82b
SHA1 5514370f6ae8b67a25677e915b9933597f19cc88
SHA256 9655d302cfdd780e5eccfc297f277af2d2b87f8f850b1fee522efc82f0355cd8
SHA512 84d2bc5edb402f23c5a11dddfac0374636c76c4ea2c3697d66beb3c7f09a73ecbb1ee4adc901ea25aef9b918f7632a4d369c1457aaa3cf93a9707557439866bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

MD5 6f2ff2bcb8b0c09fe1e5d74f3e41abc4
SHA1 54a721ef26d29ec175bf563e28f2deecd67e0fe7
SHA256 7190fa9449fd51b4dac65d68c40530ff359c96229d1b7148b236f35dfa662db6
SHA512 efdaac09d0749bbcfd2f3c41e20056089566331130b266943c3bd66f35e8b3fd1ac00ede715e5a53fedc4674b24b8223790ec4c1293bd6163f8ba31191a95858

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

MD5 eeb195a9e8455140c4e8a94e56fe24e4
SHA1 5f58532505ee033ed2f95b92a47b67c14ba93e33
SHA256 6fac3cba525b7d4b75e056c6c5c849840eaa70436032985f0914e1ba69b967f0
SHA512 cea1470eba257a4420e52e891caafd3bc036be7525e98d6edd49059d4dbe72522a33e4eb3b33b32cabca68766dc1ef0a272fed1f983f92d01585ba9145f678f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

MD5 e073961a203975828821f7ba84bd9f90
SHA1 e6199549a5ad7dd9c97e764ca8b24d35996dc6ab
SHA256 581ae7382ea9ae4935984bb6f95411d2146e207f4bc39539a30a186d8d68f17a
SHA512 354b0d2fa014702676dab6b194aec31c7095a1fe7fc8e4da6af3d142313ac5cc02ce9771014a9ac1d3f951f67e297bbc84e6e6ed01f8de0e5b424200e335f272

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

MD5 b6524640ef23112389026e0d54865993
SHA1 0d51175befbe70fecc2c928cd92859d8f161edf7
SHA256 a59331eee6ce259d384008f0ff9d0cc67c70b6a94a3573fc67bb7808983077f1
SHA512 aa39e2e1acf1026e6f26506c351992d3c616cb29b5184a96f8c868722919d90b088ad9665258c2be60e73be6a929ad7607cd79bfaba83e32f1dd2cfabac35248

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\cookies.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\places.sqlite

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Program Files\CCleaner\Data\StateHistory\DUState 2024-08-09 19-14-41-474.dat

C:\Program Files\CCleaner\Data\usercfg.ini

C:\Program Files\CCleaner\Data\package_download\603584132f9204bb981aa93aa1a64f284858effc.sig

C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8.zip

C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8\cdrom.inf

C:\Program Files\CCleaner\Data\package_download\5ab31921e7608b750e5af368503de5de1f7440f8\tstamd64.cat

C:\Program Files\CCleaner\Data\package_download\853c8e15e9910004b3aedff1cf9474b5b42f363c.sig

C:\Program Files\CCleaner\Data\package_download\df2052ab846c543608316e16ec18ed5eb296f4fe\ich9core.inf

C:\Program Files\CCleaner\Data\package_download\df2052ab846c543608316e16ec18ed5eb296f4fe.zip

C:\Program Files\CCleaner\Data\package_download\df2052ab846c543608316e16ec18ed5eb296f4fe\ich9core.cat

C:\Program Files\CCleaner\Data\package_download\c159b16b2d5bcacea4edce02720f3e2fb1220bfc.sig

C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9.zip

C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9\Netrtl64.inf

C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9\netrtl64.cat

C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9\RtNicprop64.DLL

C:\Program Files\CCleaner\Data\package_download\d3309a95bdd4456290d2571593848ea9323e84b9\Rtnic64.sys

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 19:04

Reported

2024-08-09 19:05

Platform

win10v2004-20240802-en

Max time kernel

31s

Max time network

43s

Command Line

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://soft98.ir/software/optimization/212-ccleaner.html"

Signatures

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Browser Information Discovery

discovery

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 2020 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2020 wrote to memory of 4756 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2020 wrote to memory of 3236 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://soft98.ir/software/optimization/212-ccleaner.html"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://soft98.ir/software/optimization/212-ccleaner.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a54d662-5736-4aa7-8bb1-d661f913b857} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2516 -parentBuildID 20240401114208 -prefsHandle 2488 -prefMapHandle 2484 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca22ee40-e997-4f05-8834-16666667cee2} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2940 -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2892 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b94b9c33-185d-4dcd-9018-2c1cb705aabb} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3736 -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 2764 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f91022e4-d4e9-4ba0-b661-8192138d9146} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4448 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4400 -prefMapHandle 4408 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c441e9aa-ba09-4221-b140-28964d782f09} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5184 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 4668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9798d145-7e96-4260-aebc-548cab02aaf5} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 4668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d75a0f-fd09-4ff5-913b-ff9ecccffbc8} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6044af12-b5ee-4a95-ad8e-e7d06524cafb} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6240 -prefMapHandle 6164 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa823b40-1002-4417-a204-a0effa350a75} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" tab

Network

Country Destination Domain Proto
N/A 127.0.0.1:56799 tcp
US 8.8.8.8:53 soft98.ir udp
IR 79.127.127.35:443 soft98.ir tcp
US 8.8.8.8:53 soft98.ir udp
IR 79.127.127.35:443 soft98.ir tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 soft98.ir udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 35.127.127.79.in-addr.arpa udp
US 8.8.8.8:53 200.110.239.44.in-addr.arpa udp
IR 79.127.127.35:443 soft98.ir udp
US 8.8.8.8:53 img.soft98.ir udp
US 8.8.8.8:53 cdn.soft98.ir udp
US 8.8.8.8:53 beta.kaprila.com udp
IR 79.127.127.102:443 cdn.soft98.ir tcp
US 8.8.8.8:53 cdn.soft98.ir udp
IR 185.18.212.82:443 beta.kaprila.com tcp
US 8.8.8.8:53 beta.kaprila.com udp
US 8.8.8.8:53 beta.kaprila.com udp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
IR 79.127.127.102:443 cdn.soft98.ir tcp
US 8.8.8.8:53 img.soft98.ir udp
US 8.8.8.8:53 cdn.soft98.ir udp
US 8.8.8.8:53 img.soft98.ir udp
US 8.8.8.8:53 168.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 102.127.127.79.in-addr.arpa udp
US 8.8.8.8:53 82.212.18.185.in-addr.arpa udp
IR 185.18.212.82:443 beta.kaprila.com tcp
N/A 127.0.0.1:56807 tcp
US 8.8.8.8:53 region1.google-analytics.com udp
IR 185.18.212.82:443 beta.kaprila.com tcp
IR 185.18.212.82:443 beta.kaprila.com tcp
IR 185.18.212.82:443 beta.kaprila.com tcp
IR 185.18.212.82:443 beta.kaprila.com tcp
US 8.8.8.8:53 46.36.251.142.in-addr.arpa udp
IR 185.18.212.82:443 beta.kaprila.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
IR 185.18.212.82:443 beta.kaprila.com tcp
US 8.8.8.8:53 panel.kaprila.com udp
US 8.8.8.8:53 panel.kaprila.com udp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
US 8.8.8.8:53 panel.kaprila.com udp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
IR 185.18.212.82:443 panel.kaprila.com tcp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 8.8.8.8:53 ssl.google-analytics.com udp
US 8.8.8.8:53 ssl.google-analytics.com udp
NL 172.217.23.200:443 ssl.google-analytics.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
NL 172.217.23.200:443 ssl.google-analytics.com udp
IR 185.18.212.82:443 panel.kaprila.com tcp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 200.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\40ff3852-b852-4e5f-acd6-e58ebf8e97f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\53491d14-d501-48d7-9b5b-12e4b9cb3eb4

MD5 13ff7d118b5004662d79f71b9c096d0e
SHA1 c2a5a7fadc8f7b2dfe198019076c65290f741d56
SHA256 179dd9d4254e8039421e8e8d3427ffd3c9c1d0bfce892f56bfe849a472d6beb5
SHA512 8dab73d8524aab07169c405d09469841e9f21f47dbc76b2f713262378093d5066c0527f96ab6f021868b4202a3d371e98452713a9ba140f7f1da29b280f398b7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\f0aea453-fdca-43d5-9e1e-ea5862af84d0

MD5 9238c619ca4e1624477ba0e6ae79b28f
SHA1 490af1c0f8e7c7b579b1cb95837685ca21fc1493
SHA256 16d6feda866ff03ec4ffa57ccecc349f803462ed94e0e870ac9fd4760d1ab15b
SHA512 240b3805ad7ddbad91dc3cb65e70f9d9128a67d43e7e466ce823e7e30b157091719ab1d569cd2500ed359626ce9b4b95dd58a87ef7868803e5e4108e835cb7c8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 1ad0bd7a36bba5b88379c455e695f8c0
SHA1 c5c91a58cac9204ebf1afbc857ca0a1f2fd30d3a
SHA256 feece6ea7223cb66d1b08eab0d5268c8181a17ae921cb2a679e6d4ef4a5e0fbe
SHA512 6ab84fce49e63a550dfc92d84bda5a04503c94946abf62d692315ef28db4e1f6088bc5a6e91b1abd968c8a5fa5a1dea33cfe5439d1f77a62c1fade6a6eba1f6b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 2f5441873e330d002280dd927ab77127
SHA1 5ba69f85a69106e6a926292408785290cb6dfa77
SHA256 8249c504e2206af0e2b93d41d715e1cf0953d4d7d2fc09fb0c7519b1db146392
SHA512 953f08307739d22de36d2d3fdcbfc15659e318fae044cf87f0b02bc38b68e88a78cada3f99f4961de355d4badcd63cd7e21f19c2a5bfb4f509713c6192ef47c7

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\activity-stream.discovery_stream.json

MD5 8a19de3579c44259b45617849203950c
SHA1 b9e92648342f14c403fb83a24f00546f54d50379
SHA256 70ec2e5e4d81a3ba9c4b6b694be29386b910ecb7075bb3d6352cdcfc30052988
SHA512 aa496f44412e7c5a29ac2f29de272d7de6703b7699de8202867f0a063b065b8c099779d56e3e597d2f4a4d7841ac9b514f196132eedfb8dcf6f7a3ef3517238c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\prefs.js

MD5 49ebb1e4380090f942f7b7e0c3e9b87b
SHA1 d885efcc30c0368ef992285e9052cd5642c717ba
SHA256 7d7cd22840ee87c6151bfdf3435adcc864f77c9fd763eeaeaaeb5a2f84b036c8
SHA512 c2aec9a4d002ae94eaee66e5762c2fae19df83636972184ee5f9f6bbb5fae732865f6faf95030ae30ed6ba4afe5366e11c561ddc0784d91b65f81d3c764fda33

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\AlternateServices.bin

MD5 ff63488b1f87beba8d131eca7a65d1c2
SHA1 d9dca4d30eec3d344f9879621d32641b919abe41
SHA256 3b467bf859eef4a8d72727832ba8da3c8d5e565f86249044304d7b9ebe700546
SHA512 c7ec1ecafbc6392f99337781a30b1ff57dee1c94434888f242878ab88964e3665ab4bc2843e57e91c4f1c4a326fe3d047e5465cdde4f62272a699b7166c12452

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\cache2\entries\C3ED3F8B19241B4FA98510088BC4BAD52E3863DF

MD5 7e7011dbcad1954c95c460bec41a0735
SHA1 5dbb9860f8778629fc87f9455cabafa0c480658b
SHA256 911146b7d68242ce0a539158f1302d6f626499089328f15546756f0d8aef8a5c
SHA512 75e4e10ba286a6b31f3b7741d15617f9f9124c849b20aa794a5281df6d768afe0b7fde817c2c020e00a52eb13203f6e48c60a664622c3e1ce88fa08821a3478f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 2e76e4ebfeb3a625565471d4f7b12a5b
SHA1 26194da46da80c60ca2c4785ad489e2f014b4dd3
SHA256 d13a9cffcae5efecb5608b88f5407119e6f5b5b55048d4b39b04d415ba7e57e2
SHA512 8185a37c7ff0f4abd3e464776228fc129d46a9fc4ca626688785d78d0eeb0709b2407eb5ce818bb4b4f65a79474e5255b5001b8af44cb38564d38f3932318555