ebd3bc74866f6cd818141da0ff7ae51b4b1970dad1695f3f57845909f9c7b7a4

Analysis

max time kernel
95s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14/08/2024, 03:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccsetup626pro.exe
Size

72.2MB
MD5

b0641da60584a9ddbbc5a5c14d1e2c25
SHA1

9a3a808fe55c5174e262762de319aeea2701bae8
SHA256

ebd3bc74866f6cd818141da0ff7ae51b4b1970dad1695f3f57845909f9c7b7a4
SHA512

3a66626336034210d847757c87b005763169eece50b678dd44d90a5527dce2ec55b3d3ecee3c3b5e750052dbe5c0cea52e42811d8b566c33f5c43e77ba1d0d00
SSDEEP

1572864:Hcsg1pG3zhIExyRA2V/eboTJKq7/89/6C6KOhNMi:HyG3dI/RAUUoTJH7/89/6C6KUNt

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ccsetup626pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CCleaner\branding.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_32.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\libwavmodapi.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\libwaheap.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup626pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\libwaapi.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Setup\959a9ad0-8f14-4d55-9ad5-052cd6f713fb.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1081.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_64.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\CCUpdate.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Setup\253a35ed-e3f1-4e9e-9628-68e736ecace2.ini	CCUpdate.exe
File created	C:\Program Files\CCleaner\CCleanerBugReport.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1053.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\libwalocal.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup626pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\libwautils.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup626pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup626pro.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe

Executes dropped EXE 4 IoCs

pid	Process
3524	CCleaner64.exe
1956	CCUpdate.exe
5188	CCUpdate.exe
5360	CCleaner64.exe

Loads dropped DLL 18 IoCs

pid	Process
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3004	ccsetup626pro.exe
5188	CCUpdate.exe
5360	CCleaner64.exe
5360	CCleaner64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000100000002ab49-393.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccsetup626pro.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup626pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup626pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup626pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	ccsetup626pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup626pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup626pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup626pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup626pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup626pro.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\SOFTWARE\Piriform	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup626pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Software\Piriform\CCleaner	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup626pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup626pro.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\SOFTWARE	ccsetup626pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup626pro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe
3524	CCleaner64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3004	ccsetup626pro.exe
Token: SeDebugPrivilege	3524	CCleaner64.exe
Token: SeDebugPrivilege	5360	CCleaner64.exe
Token: SeShutdownPrivilege	5360	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5360	CCleaner64.exe
Token: SeShutdownPrivilege	5360	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5360	CCleaner64.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
5480	MiniSearchHost.exe
3004	ccsetup626pro.exe
3004	ccsetup626pro.exe
5360	CCleaner64.exe
5360	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3524	3004	ccsetup626pro.exe	85
PID 3004 wrote to memory of 3524	3004	ccsetup626pro.exe	85
PID 3004 wrote to memory of 1956	3004	ccsetup626pro.exe	87
PID 3004 wrote to memory of 1956	3004	ccsetup626pro.exe	87
PID 3004 wrote to memory of 1956	3004	ccsetup626pro.exe	87
PID 1956 wrote to memory of 5188	1956	CCUpdate.exe	88
PID 1956 wrote to memory of 5188	1956	CCUpdate.exe	88
PID 1956 wrote to memory of 5188	1956	CCUpdate.exe	88
PID 3004 wrote to memory of 3780	3004	ccsetup626pro.exe	89
PID 3004 wrote to memory of 3780	3004	ccsetup626pro.exe	89
PID 3004 wrote to memory of 5360	3004	ccsetup626pro.exe	90
PID 3004 wrote to memory of 5360	3004	ccsetup626pro.exe	90
PID 3780 wrote to memory of 2452	3780	msedge.exe	91
PID 3780 wrote to memory of 2452	3780	msedge.exe	91
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4024	3780	msedge.exe	92
PID 3780 wrote to memory of 4592	3780	msedge.exe	93
PID 3780 wrote to memory of 4592	3780	msedge.exe	93
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94
PID 3780 wrote to memory of 3264	3780	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccsetup626pro.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup626pro.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Program Files\CCleaner\CCUpdate.exe
  "C:\Program Files\CCleaner\CCUpdate.exe" /reg
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Program Files\CCleaner\CCUpdate.exe
    CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\70c9b85f-bf47-4af2-8b76-0b93b460c24b.dll"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=1&a=3
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa51203cb8,0x7ffa51203cc8,0x7ffa51203cd8
    3⤵
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:4024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
    3⤵
    PID:244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
    3⤵
    PID:5352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,1330511639565632459,14641089765873982967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:5204
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5360

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5764

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6d9beeac63954009b2cc3d09f6185d83 /t 2704 /p 5360
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe

Filesize
809KB

MD5
943a4f169e9a3303ed6defc1ac3690bd

SHA1
e0bd76b866624164c10b85d37efb6474b84164df

SHA256
e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240

SHA512
da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
37.1MB

MD5
6b4c65034b779fa91129d036f2854a55

SHA1
b0c21f129f58f4195cbffb8268b5693b0a4c4f2a

SHA256
9cea0bdcf677382833e973158a0c7c9b5dee86fbd7c6fdb8b114aa7b23e64d58

SHA512
b3d16086c09b23b6e8fa796e307348c005a2885c6067a5d180eeba39178d1a37fa6dffd4aad6f7a1624c9e150bf3b62f49ebfaa7612ebb26dc34264fcee88dba

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
42.9MB

MD5
4ee9df4bef3571c74b1a4556e6afae6c

SHA1
4cd037edf6984b026f25572298e5c6345cbd7b0a

SHA256
c02731acaa708f929e4935da2338cda307afb4729c962722708e5a4e3b8aeb33

SHA512
a295f2d91639db79c496b31c3f03f175a9b1649d1f4c5342bdcb01c2e8871d3ef48938cfda72c57cc8724ad94d9284fb8f8e9135886e51d69f075b01a8d95085

Download Submit
C:\Program Files\CCleaner\Setup\253a35ed-e3f1-4e9e-9628-68e736ecace2.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\70c9b85f-bf47-4af2-8b76-0b93b460c24b.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\959a9ad0-8f14-4d55-9ad5-052cd6f713fb.xml

Filesize
818B

MD5
ae6a8195071ca62513212cc891097046

SHA1
59e970ce9228067477754b352217bcf6aa7624a6

SHA256
6670a81a48ea5c942c3617f0cfa026352adfa1a9bcbb7848f4c41ea427585ff0

SHA512
ceae43a60089f75f654e9a639a06afbdc213f031d5aceebb73ef5cb41e300e7ea209c17bbd3c5f1de5b5eb7bf3770ae7222263c0ba23202ef48ecfb91072014e

Download Submit
C:\Program Files\CCleaner\Setup\config.def

Filesize
27B

MD5
05927e894c81eb42c3b4dae5a5a6c937

SHA1
7ec0660aac7c3396599447a49f30ba18e1f0db49

SHA256
09c65b39bc891e12956ab7bb30fae147ef7c8fa37542b6f040613436b566e7f8

SHA512
c06e2788952a3550597f5b539cf8f5cf7a569e33192951bc8ce97d4570bd4ba35abce99586f309f3e1cffe6f1d83aee98b79c0c26503ef4cd4d1fbfb40e1ba4e

Download Submit
C:\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
e5f8138cc87bc199a98bb484db9b4076

SHA1
4ba3693662feb8661937fb1a3fac771702f70a25

SHA256
3289901e88e38e1a9dec202e7a731d1fadf16855349a394d046107aa40c93d84

SHA512
f55e43d4ebbaed6a27631a43368bcdd2bc9aedb16d06c631af2b7be2e1a411f66a1dd52a07a2c26b0b86ac47693d63b94cbc74a75be19aa4fabc949db64c0762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
27cc9762ba0aa5f6ddd0326700b2cfe7

SHA1
b5e36b6d05c9d942f4a5738835ed83960603c7ee

SHA256
eb0cadc23ef08f1d6e2e2506f3a4cb1bb50cb5d06e6eca1528a7cf84a34cbfb7

SHA512
d6045875c96ce6b6f3acfd57733de4626747b26c37d5cec39adb2ace15b23a2e820ed26bdd16c62ee12bb0ae9256fc21484eea41a1c5b1e9cfe1136b44b47717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
6fe8810b7655494e7d6d3e8c6b6b78f5

SHA1
425ed930be351417e6e80eaf88a3456a4c2c80bc

SHA256
86c27af92621e3c2d2073d2845353a870432ccbfc34c69250d51ee7301d0d4c3

SHA512
5ae7e404a381b05b222c1b90dd3a15cf5eebc82390673935e749001d6b9e69ce39256660387cdaa59811ce55e4dd78afb240e6258f095e6ec98d765e4a1464d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
7f2141754f93a64f472a8ee062393afc

SHA1
0f80da172532019b36b036416e27f4a44fd41f33

SHA256
07c006da67cd466b4347b877a831c145bcfa09672bf1ba9182abede717bade42

SHA512
c3b714a2077431a77dd737d221c95de8636079ef02dfece061fb43a95119876e55755dbcdf708ceb95c5e37d0c67a302e5b0b523e4996e68fc0fba72414520f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
16face7e6e3bf6a152880e008d7c26cd

SHA1
989233a9f44cf080bffa73f6759e8340f9a6321f

SHA256
bc38bfb9b8c6364a6e5f6fbeca7f2466a0e1a4cab2fc3c746501fcc530925539

SHA512
40a4683c0eb757054ba4fb44c9ebb92e54f0c10f902f071fb40813ce6f03b68eb498b4fd10d408e6258b1f557990de19437146113d3b8e1afbd450d2436d6074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
874b606a3fdec9daad493eb99fd585b0

SHA1
39d19d74562e3400c41462e82ef2264e2920a96a

SHA256
efc0365c8265f262cefeb27c4a85f9a55118ef89d58e3e88ef87eaaa037bd089

SHA512
16fb84fe55156e9e8ef03033cd986ba792b7d1ae93409d4ed3da72c3fb5533ed26b0913ef1ba1434a23ef152a2066f5be7e0cb46e2e6219276ce0d55fca45fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f74f80cd052dc4903da98dd6916f375d

SHA1
3e3512884ee41291824b30b256670b3d0a1c8d40

SHA256
d9589878daebff7c0991b2007a7af982f4760512545b4e331708f3f3308447ac

SHA512
bd186699a85c91cda88df15ebee640f99b55ff168e228dd0de8d7416d62de1bcb57e88beb3b12ce74a54a9c7491934ef3dd5fdd6b92ab5c909f129b419d96b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c32b6fc873c040253034fe4bf5037bd0

SHA1
fc58579eb5bf46c8d5246a45abae3566898c2e27

SHA256
8d59014ec29aebf56b641a018b29b6c64e33764d7a2262283ce51319071f930c

SHA512
e8ba0e9e78bc58b3d6d671a1e693cbe81745f000daaf281cc6aa6c591ae261b981f704e3dcb32f0fef87424aab0f42e4cfe40e445d8ef5a529c7bfda8ac510f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
9426d0326d6016be6f3c4c161dbe01f5

SHA1
97f6dc8df1c7bc4bc4d8d02cf9f443881b3f43b5

SHA256
bf2eed5f0cc111d4abc26f8bbb95b0d2bcdef9114a300894580e81acd6643b60

SHA512
704ad0984a8cfabdf62155c8e758cc61a1a63b044bcb36d94bbcc4fa64a4b5c38812143fbab683063c3b4da8b81a472a9134153054437c7aa2f40f1e14fc88b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b0c49973db4be3abe51d3c56e2248c7d

SHA1
351334c218a309ddd12b65bae583287b757b0ef8

SHA256
8c23565d8fd73bbac510623a8994bd94b6e055a9e03688a85c921a8dfbb196df

SHA512
91452fba75cf7c4f0183c8ab575a08e7391153bbc4e36042d38c12dbfefa29372a95cc31b9c91d2c2ef570a67e650a4fa280e7d6934a398becd13c93f155403e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
402ce52c60972f041e4f7d8fcc760a05

SHA1
dc68d87fa7724cbcfe2a6e61fe0438c3c197f467

SHA256
12df37dc972bf21e8deff5ccd65b971a69843b65f9e90b2c466de4c116610117

SHA512
dacebad37d5fef06f0edba198080865801ce645ccffec8bcdb75a47e4a00c4a418e08b96a1e9d8f465a528ee98704c81452060bcec69bc46ea970f21cab4a983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b94562b7a029d67318fa7fec4e473e7b

SHA1
e60f69856e212653001dfc4356876d2daf76ef20

SHA256
1b2c06c8dceec0de6bb9fc7ae13903acd0a6bce718204ac468801c28926fa65c

SHA512
292359c710f7d2d49ccac32c4c5e2ebcbdd5e0347fe91a24bdfac432c2586947281e7d1077996c5b15391aa3501772a0ed0bd97c8662795658230a041387ac31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
5c3d7765ba43bd1edee4b831682a4b15

SHA1
85b74a85860b724221380ac36104c4cee5ed4b38

SHA256
c5f1bd264450e4e5abbc92baa64264e8621ffc3dc7ffe360145958651635b186

SHA512
9e6977b042efa5eb699dcd81cb8246309dc51e89b4e90ad752d4dbafba629c2f55813da36959e4489cae1f738f28c9e1bb976bc030b34e0c956a7656defeadf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3fba7fcc4fa38a3d244544cce8e188e2

SHA1
6cd8c92dbb4d5c83e0d503cf643e04cad07a7cd9

SHA256
53d75d5a34e2bedbd600613f46afaa12c0781969d8bbbac39fc756bccb6c2cc3

SHA512
b396f76a1c280b775e6be5d5513475ae12aedfe48c95ada5572f4e2d451c6d55ddcf52afc2e51df080bab30a033b9d6055f155f27188cf570a914d63d9eeb81c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
ccc255ef6d9af1c10fe4d0b4dd39f35c

SHA1
d6f025ece0cc2589ec25101d407feaf7fef88eed

SHA256
d16fa132a8627979127917ecd285636a2d1cec4b4684e7686e72ae1b141f8c97

SHA512
7357ae43ff99854b39a52ba53475b674be414573b4e261f39bed4e3a17039b4bbb566416bb7b4f78acf66427be46c6d2b9d759a54f3dc664200c7c6d67a32139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
1f18607067da61023c4fe50e996912d0

SHA1
2a65f6e75dca2eb789b1b6efc5aaa26fbad56ce2

SHA256
4c0af43708d708c0e87451a510bc423aaedd5fc1947679e3096c2f59910da34c

SHA512
740cd6cb1bf3b79a88403ae22120cb37c330597f0b0c4f482ea00196a85b02d60d0eb60876018a2c7de0e61942e33903a5ebf39b2e7da7b1025b6db59a2c3aa3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
3e1f5eeae74491d8850ef2c8b03a9a3b

SHA1
0c02c9c2550107de6dd0eb740ac5668f292883c0

SHA256
66756c0edf3925de7bcb685385e2a4f0b854cffd796a9e90eb1ed064b1fb0e30

SHA512
7637f0807d88dbceeb68823a044583e2248ac1ba73c000da6560f94075635a27d15970df7e52f8315bdc2f1c45cff6f1ab7690e916b58307a533f8df24329c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswb17427cc941ed194.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\p\pfBL.dll

Filesize
6.0MB

MD5
b17e3a7bcb1cf4a0d5959a21ffe3336c

SHA1
c1bc1b1b715007c05f79162cab00ba3c23d94efc

SHA256
aac187b6ca8256f90f64d940cbd9aa457f3b52229cca5bb17d5ec4ac3f8993c4

SHA512
9e02ff8f279fe0e17ef03dec289c7ae623b2ec2b12434bc08479d8c676e25ed3d0ebac54a44a7e571b6bd65e50aa056338b5db90e94ab5ed3b279d514efcde47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\ui\pfUI.dll

Filesize
10.4MB

MD5
bfcf84b904fa8cc6fa2ecd12b451b10b

SHA1
d8a695ad1d12e0c5ef4867c64526c71446edffd7

SHA256
d5743d79630a56e3a84baf601c26f2744f3c9d1ccfe1649e8f6fe4a75ca8b309

SHA512
bdf7cfc299c26851f20f1fb1a96c258b882d348de63d666fa2543d30449b2aa4249f8972e9957e71ee4126b33f2f55397b0ce796af30006d033d4b61930def69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseC3A0.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job

Filesize
666B

MD5
ef63af2c5124eb2a9d1592fa26d2b364

SHA1
ac2a204493dd6a7da7dc59b9df218bf8fd700926

SHA256
f4441d0cd101e9959d1cb71fd03af45726b205eb8e497f856e27a1f3a0472ddc

SHA512
db565ddc81b4844b2e189d0623d921e31324ca48b8ee1230085369ac86fbf05420077aaf9383b17f55de9b1573f518ad72303de311c627540a7b29edee8d9317

Download Submit
memory/3004-164-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

Filesize
32KB

Download
memory/3004-148-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/3004-145-0x0000000007E00000-0x0000000007E08000-memory.dmp

Filesize
32KB

Download
memory/3004-121-0x0000000006D40000-0x0000000006D50000-memory.dmp

Filesize
64KB

Download
memory/3004-113-0x0000000006B80000-0x0000000006B90000-memory.dmp

Filesize
64KB

Download
memory/3004-150-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/3004-147-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/3004-153-0x0000000007B70000-0x0000000007B78000-memory.dmp

Filesize
32KB

Download
memory/3004-156-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/3004-166-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/3004-169-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/3004-173-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download