hxxps://drive[.]google[.]com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing

Analysis

max time kernel
1800s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Executes dropped EXE 6 IoCs

pid	Process
3576	CCleaner64.exe
3548	CCUpdate.exe
2380	CCleaner64.exe
3040	CCUpdate.exe
6780	CCleaner64.exe
6628	CCleanerPerformanceOptimizerService.exe

Loads dropped DLL 26 IoCs

pid	Process
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
2380	CCleaner64.exe
2380	CCleaner64.exe
3040	CCUpdate.exe
6628	CCleanerPerformanceOptimizerService.exe
6780	CCleaner64.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
1428	CCleaner64.exe
5952	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 32 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com
7	drive.google.com
18	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 9 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleanerPerformanceOptimizerService.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	ccsetup627.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_aa94d04ecf56de1f\vhdmp.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_0abeab1ee6572232\cpu.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_28c103304ddff3c0\cdrom.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_cc4dba2066ccf53c\disk.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\monitor.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_66614bed5c0a20d8\pci.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	CCleaner64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_fe5b23ea7991a359\hdaudio.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_605a5cafbbd86f6a\acpi.PNF	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\LOG\pd.log	CCleanerPerformanceOptimizerService.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\ORI_\CCleaner64.exe	7zG.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_32.exe	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\gcapi_17242663956780.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\LOG\event_manager.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleaner.dat	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup627.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16.png	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\gcapi_17242663832380.dll	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\ORI_\CCleaner.exe	7zG.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdEng.log	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdEngTask.log	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\temp_ccupdate\update.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_64.exe	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdaterLib.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdEng.log.tmp.29012aef-54c2-41ba-ab14-b423f49e0c9c	CCleaner64.exe
File created	C:\Program Files\CCleaner\libwavmodapi.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwaheap.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwalocal.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\pd.log.tmp.8027bd1d-3f46-429c-81b2-0e51ec190514	CCleanerPerformanceOptimizerService.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Setup\f15ab46c-ec71-4a21-a6cd-b1dc39cac4e9.ini	CCUpdate.exe
File created	C:\Program Files\CCleaner\Data\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\3ded44ba-81d7-4538-9132-ef07f0b1f6be	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup627.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000A.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00005.log	CCleaner64.exe
File opened for modification	C:\Windows\TEMP	CCleanerPerformanceOptimizerService.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000F.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00010.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000E.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000B.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000C.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20240821184625.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00003.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb0000D.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20240821184625.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00006.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\inf\setupapi.app.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\inf\setupapi.dev.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00004.log	CCleaner64.exe

Embeds OpenSSL 3 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023ec5-3560.dat	embeds_openssl
behavioral2/files/0x0007000000023f04-3763.dat	embeds_openssl
behavioral2/files/0x0007000000023f05-3764.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccsetup627.exe

Checks SCSI registry key(s) 3 TTPs 35 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceType	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceType	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	CCleaner64.exe

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleanerPerformanceOptimizerService.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\OneDriveSetup = 020000000000000000000000	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ccsetup627.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\OneDriveSetup = 020000000000000000000000	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup627.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	CCleanerPerformanceOptimizerService.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA7carZnC2yEmd7RbPiPiauAQAAAACAAAAAAAQZgAAAAEAACAAAACDlFyUW4FSFNmuNPOkxY3YioQZNS1iCQJ2dg08S5ssXwAAAAAOgAAAAAIAACAAAABbD4qc+80fbyRTEOOEYm8/VAIyhJeDaUxRU6NB8bx4W0AAAABe9qTAcaxjCXR+cTNrFzhlOrnR/kDtdPg7ipseSpzncJ1ZkuOb4ZVluBQwTmdanzQruJogQNAY21NxirqBmzKDQAAAAFkFXsf+BlaJiATIi6yGxDaP0DgM6mAr/lcyDiObUZXAFNk5e33k1NB6Oav6tM/5MSW7V14+nWk7xJpnqp+w4Ws="	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6faf9dfd-b3b8-4f2d-a980-57375b837a61"	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Piriform	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4"	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6faf9dfd-b3b8-4f2d-a980-57375b837a61"	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4"	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{E1249B7D-BA93-4D2B-B41E-72227E589670}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Software	ccsetup627.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions.7z:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe
3576	CCleaner64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4084	taskmgr.exe
1428	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeShutdownPrivilege	992	ccsetup627.exe
Token: SeCreatePagefilePrivilege	992	ccsetup627.exe
Token: SeShutdownPrivilege	992	ccsetup627.exe
Token: SeCreatePagefilePrivilege	992	ccsetup627.exe
Token: SeRestorePrivilege	992	ccsetup627.exe
Token: SeDebugPrivilege	3576	CCleaner64.exe
Token: SeDebugPrivilege	2380	CCleaner64.exe
Token: SeShutdownPrivilege	2380	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2380	CCleaner64.exe
Token: SeShutdownPrivilege	2380	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2380	CCleaner64.exe
Token: SeDebugPrivilege	6780	CCleaner64.exe
Token: SeDebugPrivilege	2380	CCleaner64.exe
Token: SeTcbPrivilege	2380	CCleaner64.exe
Token: SeAssignPrimaryTokenPrivilege	2380	CCleaner64.exe
Token: SeIncreaseQuotaPrivilege	2380	CCleaner64.exe
Token: SeDebugPrivilege	2380	CCleaner64.exe
Token: SeTcbPrivilege	2380	CCleaner64.exe
Token: SeAssignPrimaryTokenPrivilege	2380	CCleaner64.exe
Token: SeIncreaseQuotaPrivilege	2380	CCleaner64.exe
Token: SeDebugPrivilege	4084	taskmgr.exe
Token: SeSystemProfilePrivilege	4084	taskmgr.exe
Token: SeCreateGlobalPrivilege	4084	taskmgr.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeRestorePrivilege	6672	7zG.exe
Token: 35	6672	7zG.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeSecurityPrivilege	6672	7zG.exe
Token: SeSecurityPrivilege	6672	7zG.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeRestorePrivilege	4888	7zG.exe
Token: 35	4888	7zG.exe
Token: SeSecurityPrivilege	4888	7zG.exe
Token: SeSecurityPrivilege	4888	7zG.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeShutdownPrivilege	1428	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1428	CCleaner64.exe
Token: SeShutdownPrivilege	5952	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5952	CCleaner64.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeShutdownPrivilege	1428	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1428	CCleaner64.exe
Token: SeShutdownPrivilege	5952	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5952	CCleaner64.exe
Token: SeDebugPrivilege	1588	firefox.exe
Token: SeShutdownPrivilege	1428	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1428	CCleaner64.exe
Token: SeShutdownPrivilege	5952	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5952	CCleaner64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
6780	CCleaner64.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
6780	CCleaner64.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe
4084	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
992	ccsetup627.exe
3576	CCleaner64.exe
3548	CCUpdate.exe
992	ccsetup627.exe
2380	CCleaner64.exe
2380	CCleaner64.exe
2380	CCleaner64.exe
3040	CCUpdate.exe
2380	CCleaner64.exe
6780	CCleaner64.exe
2380	CCleaner64.exe
6780	CCleaner64.exe
1588	firefox.exe
1588	firefox.exe
1588	firefox.exe
1428	CCleaner64.exe
1428	CCleaner64.exe
5952	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 2648 wrote to memory of 1588	2648	firefox.exe	91
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 4276	1588	firefox.exe	92
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93
PID 1588 wrote to memory of 1568	1588	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing"
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54881c41-31f4-47d3-a4d9-f57119bfb443} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" gpu
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f477652-0c2d-4a3a-a23a-877e3e2ac2ba} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" socket
    3⤵
    PID:1568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2796 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b11ddb3d-f0e2-4d55-a38d-9eab64e9933c} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
    3⤵
    PID:4000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3652 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f33b20c5-1dd3-43a4-8c00-8925acbdbaa4} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4492 -prefMapHandle 4480 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {814dc8bc-5566-4152-a79f-6e07bf44dc47} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" utility
    3⤵
    - Checks processor information in registry
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34dd1498-bc69-473d-b0ad-1ae2c94e894e} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf82d32a-a67c-404f-8034-935c2e41689f} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
    3⤵
    PID:5972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5536 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c608e214-b8fe-426c-a558-383bea167813} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
    3⤵
    PID:6000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6280 -childID 6 -isForBrowser -prefsHandle 6272 -prefMapHandle 6260 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f927b6d-ada0-4419-b9e4-0771d8fd8a05} 1588 "\\.\pipe\gecko-crash-server-pipe.1588" tab
    3⤵
    PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4468,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5024,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:1
1⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3756,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:1
1⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=3964,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:1
1⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5580,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8
1⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5576,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
1⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5668,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1
1⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6260,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:1
1⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:1
1⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5552,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:1
1⤵
PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5216,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:1
1⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6256,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
1⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6128,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:1
1⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6816,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6116 /prefetch:8
1⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6116,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:1
1⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=7020,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:8
1⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=7012,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7080 /prefetch:8
1⤵
- Modifies registry class
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7272,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7256 /prefetch:1
1⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=6732,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7000 /prefetch:1
1⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=6608,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7448 /prefetch:1
1⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=7080,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6984 /prefetch:1
1⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6244,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
1⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7584,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7480 /prefetch:1
1⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7880,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7860 /prefetch:8
1⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=7888,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=7680 /prefetch:1
1⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8700,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=8776 /prefetch:8
1⤵
PID:2584

C:\Users\Admin\Downloads\ccsetup627.exe
"C:\Users\Admin\Downloads\ccsetup627.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3576
- C:\Program Files\CCleaner\CCUpdate.exe
  "C:\Program Files\CCleaner\CCUpdate.exe" /reg
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3548
- - C:\Program Files\CCleaner\CCUpdate.exe
    CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\70e11cf0-d8e1-4652-a728-f9ae8ba63450.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3040
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2380
- - C:\Program Files\CCleaner\CCleaner64.exe
    "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:6780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5740,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
1⤵
PID:3776

C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe
"C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:6628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4084

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap25200:64:7zEvent11825 -ad -saa -- "C:\Program Files\CCleaner\ORI_"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:6672

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\" -ad -an -ai#7zMap29669:122:7zEvent32573
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\CCleaner 5.89.9401 all editions\BlockHost .bat"
1⤵
- Drops file in Drivers directory
PID:5212
- C:\Windows\system32\find.exe
  FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:5852
- C:\Windows\system32\find.exe
  FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:3360
- C:\Windows\system32\find.exe
  FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:6872
- C:\Windows\system32\find.exe
  FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:4916
- C:\Windows\system32\find.exe
  FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:1392
- C:\Windows\system32\find.exe
  FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:6656
- C:\Windows\system32\find.exe
  FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:4508
- C:\Windows\system32\find.exe
  FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:6644
- C:\Windows\system32\find.exe
  FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:7116
- C:\Windows\system32\find.exe
  FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:6148
- C:\Windows\system32\find.exe
  FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:7020

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\CCleaner 5.89.9401 all editions\Read me.txt
1⤵
PID:4496

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1428
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_cc_reg_purchase?a=2&v=5.75.8238&l=1033
  2⤵
  PID:4508

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=7392,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:1
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe

Filesize
809KB

MD5
943a4f169e9a3303ed6defc1ac3690bd

SHA1
e0bd76b866624164c10b85d37efb6474b84164df

SHA256
e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240

SHA512
da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
37.3MB

MD5
01810f560b84f321ff3915022ddab99a

SHA1
7f08dbebd49233d6b8c2b98b38573b54ff9a8c88

SHA256
6178d8786aabcf14fc114a3bd53b5b09d41ba0840842d4dfb06ccd565ec01a5f

SHA512
ccc25dc7e8e49030c0bafcdd9a13e5a6b7ac78630b93ecf5a081e19f91fc0a756fd7d984051317e9862dd2a65e6e5882ff7b87dc2f74cd8c58b56aa478f4c2af

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
43.0MB

MD5
049c362975252b6a2d997a6b72d37bcc

SHA1
cb2766a228f5afe4a886e001fcce03ccebc2d30b

SHA256
4bdf21db063d16f7e20f59113276d1dee1cdbebcef30d42d777d9b90c7830810

SHA512
8075a71b5fe374061b675490883ba07b14c39372042779dd7f6d7498146cdc695d25a13a70fbf58f77a96b0ab962d7ba21bba67dcb8bb43320eefe736c809495

Download Submit
C:\Program Files\CCleaner\CCleanerDU.dll

Filesize
13.1MB

MD5
de9034617feaa2a80c5411b3aab0c921

SHA1
9827b7b91ec51ad7b03d898a6df3929fbaee6459

SHA256
35690a69c1f91c30071d429bdce066d868a3f0143dbe1298fcbb69420582e518

SHA512
191527df1808e6d7ac49fa4958d8a1a95549e81772b3cc46f3b2e2560c06ee6874238a7772ac59517a6664d8091473798003a9a6874ec2f4959d6b86fc4f62d0

Download Submit
C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll

Filesize
12.9MB

MD5
9342b79cd742ff82e4a0a8befe7a3b98

SHA1
70e9456601a78a586eeffccf0456c17c22025131

SHA256
1772e07b73b1c5243e4c25dfb8c826d102841ba88f8f2de13d5d893c322dc45a

SHA512
d8dc445d3d01bdfb937ca341e0c00228d2010fa96480c6b3d599c2d1cba873c51d80ae0bdc703b08b94ef2e234b6385f4f326a6fac18b7423cdca49f2d719311

Download Submit
C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe

Filesize
1.0MB

MD5
1510f28b2c6dc25771dfe7737c709fdb

SHA1
6f47e03d924f934aed4edee35396fcfa9ae7bb4f

SHA256
026ffd4f17c84b8c0beb3507940bbfa585beb4906e363181d659f30e108c5a3a

SHA512
cf6d09a4c9b1b1d848a8e19e33de3880b076e4f139a433b0756c6b83f87f4604c05342cebbdd0a61e7bc7da5a9662840ab2a71aa6fc1539c88c84b19379d9c82

Download Submit
C:\Program Files\CCleaner\CCleanerReactivator.dll

Filesize
2.2MB

MD5
f7f8ecda72f4be1601d230239f09a233

SHA1
dbe8af90a025baf60893cd7737b16851a3c26f31

SHA256
a7c20dc0691f75bdae271eceb26a43f11302e9408d248320eec409a777beeded

SHA512
55ef457270ae05b4eb788494e6bae73d723d191f4f445b9fd020525b3d366c782bdca835023a318f82226193a08ecedad4862303c961f50ef9d78fe113b685d7

Download Submit
C:\Program Files\CCleaner\CCleanerReactivator.exe

Filesize
188KB

MD5
6947b7f2d062a834358f3cd03f3c52bb

SHA1
c0f90ccbdf9fe69f2bd951fdb4c071e2848bb269

SHA256
7364af69f05252da222be9f644e91a6843444820279a4c266fb0970046cfe18e

SHA512
1ae9847c6b89b66221fee964df816819f4d3430a002fcf4c3579b804996aa671727272a66b38f3286e53b64ec86c282243c1af3614b0453b87e4ccf74d5eda6a

Download Submit
C:\Program Files\CCleaner\LOG\event_manager.log

Filesize
106B

MD5
80340825f5d14ad96a05bca658d9020e

SHA1
f5d389d7100f7f5905b87c0b229d59d0625438de

SHA256
2be29652debfea7f953243c0f0d798634b590322107b6f33a17a45dace79532a

SHA512
249160b28537a353de5d07812cb176dfd10009e4b7b3beb832da34b371214150f19dccb4f19a236b16081262a8df228d0ceaa4e7c921253aacb2282ab82b4958

Download Submit
C:\Program Files\CCleaner\Setup\70e11cf0-d8e1-4652-a728-f9ae8ba63450.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\c136da32-be7f-464a-8696-22432e1585ed.xml

Filesize
823B

MD5
e63fa740bd2301d74ce165764f0c36ef

SHA1
1f9ad7e45306e90f14a7ce6e98d2eb4d8bcf91bd

SHA256
258a3bbf21ead2f93273f741910b7a1d54632c294e928949f601bbff8008cfac

SHA512
0dd73c5e7ea18feddd2797131b8fbaf3b541b81d4625debccae60c060b2f405a8ed7c0c3440c4d7e52f7dcbcf6ce47f39423904be74dcc6a515af963a7fe75b1

Download Submit
C:\Program Files\CCleaner\Setup\config.def

Filesize
27B

MD5
05927e894c81eb42c3b4dae5a5a6c937

SHA1
7ec0660aac7c3396599447a49f30ba18e1f0db49

SHA256
09c65b39bc891e12956ab7bb30fae147ef7c8fa37542b6f040613436b566e7f8

SHA512
c06e2788952a3550597f5b539cf8f5cf7a569e33192951bc8ce97d4570bd4ba35abce99586f309f3e1cffe6f1d83aee98b79c0c26503ef4cd4d1fbfb40e1ba4e

Download Submit
C:\Program Files\CCleaner\Setup\f15ab46c-ec71-4a21-a6cd-b1dc39cac4e9.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\gcapi_17242663832380.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\temp_ccupdate\update.ini

Filesize
138B

MD5
3774080aabfbebbaa24a55309fa95d69

SHA1
b7317c2bb7f96f0aeb8971c38e91a24f3e8f43bb

SHA256
6d7172f318bf55614febc071b47eabe8a54cd153831039322f978901ff7f1782

SHA512
aa7d7146eaf4d95e9c920e9527a99c0ac6be256d352d633ed38b3dce3a03f7501142e724deda2c7083bb25b5fdb5ebaa03525c15c3ce3cecc2d9553730b0238f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d0438093782644ce1caea370c862cf0c

SHA1
c009e4bebe9122d056d1b5a5c438de9308f27183

SHA256
86d0fb1b39befcffd019a5e55023bb4b301b45f79585a16ce458902f3d2b4f76

SHA512
7ebc4e82a4e84be7d78bbc4e3ec73cc9617246d8e867688c3f9a88ce2effa9fdf9addc5fb9fb15f24122dd9577a04707792177db9908264ffef1604f3f0d2bf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\535B881A245271C1F6B0A8B8169B4616_453BF86EC6CE9ABE013766BDC89C1BA0

Filesize
472B

MD5
ee56afc3cad636a37295ef31f0f3181d

SHA1
afaa45f488f28bc94493f84aa7d1f3b59a745a0f

SHA256
2d391501d54546e4eddb4a63649018414fa072e17036826ea243752e61a44335

SHA512
b0ca58141847605bd635e96576fd0751d7b8a97fd6d5d74c7dd34eb30f25345cdbd2c5f98d8df14dd69749f46d7b8060a56fa854a531cd960158b056ef3ad204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
f70fada16fcf34c0acccda8cb7e88286

SHA1
2325a7869daf04d136a412504969fa3da50eec14

SHA256
01b0fd05665506b16da0272b535a880dac1d7971c14ffb09677689a4acf3a1a5

SHA512
c47a5e0820d02ac5b4e5a432bfc6da3bb6355208f2ce9a0b02ec28c50abddac4bbf20c9a36dafa250b668dc51a2413bbc5f29cb13c5a48e8e0fb0e9d5314c2e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
5b4a5d1efcf582ca272e4ba788afcbdd

SHA1
de90ce3069a7de234ba0570a6ae5a15fd3039f44

SHA256
82e6f569e4a17d49ffb2b8d11a4611a25ac349dbdd51524f2e03fd9595eca5a9

SHA512
ab37423aa2ac05cc69839780f3b938ff27b773e9af588b21440597e428a295bc3b8e3f1ab909c2c311ad831cfff55dbe5a595344be8c8c2a3723ad568984e604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
dca25444eedc26d1c20532f80e7ba7a2

SHA1
789fe4f4cf8adaccb4ec6b4b9cb57f09406cb3be

SHA256
19113b41d73039e6e9816aba56058b2e3302b6eb09afdb5b093d710baae80ad8

SHA512
40bb7712bcfe1443f51ad4e926f9bc02b2acf16428212d0a797ea27fec3571e1825b9aadaf459e161e75ff566ace20f96016b6cc85f6c8ac4210ee43de30d2e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\535B881A245271C1F6B0A8B8169B4616_453BF86EC6CE9ABE013766BDC89C1BA0

Filesize
406B

MD5
3af3b8a1e366d76e0f940c9a4cd16cc6

SHA1
52126d0fb318f1a779e430a9d230e91d0483788b

SHA256
0710e84ec52c791c6dc29f7392da4038218c626c96d1ef0fe5b3a70552e70704

SHA512
a56d71d5b5a367966bc7159b2b107e499a581c00a7b2e0fdeb062f84553670a7527f37e09bf42552b2fe75a55f3548e81742b3566df408f54a7e6905a061f89d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
ce2d212d35bb8cdadd86e81240a8758d

SHA1
d8cce8bc0d809a3b4cbd8300986e54df45d0cbcd

SHA256
81b3d0c700d289f317270c9b1779d9593baf4bbba3ec41fc9e1ca8153ecd20bd

SHA512
171279e7065a8d1d0a2955a08f703b73a1b374e28086e24844d1e64a9be6bbb9bb78dccb3a9ee366d6c782c977039c1cf060d88c9d072818f4ead81226f83db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCPU4OJ5\90JCAJFD.txt

Filesize
1KB

MD5
f53b7f9833c6855ec8a356ab719d8238

SHA1
b33f85cb86a8b7fea40dd96499772ea41fd33b22

SHA256
061f8990e9318a2dc1a7f4038823f14ebe5e4bdafcbe165398f7ec54550d34f2

SHA512
ac5104e3194197bc14ac8c84b728eb6873560786ac101596b306099bac99e1fbf77bdcaf1cb247f37054c99dcc7bea44a83872c3d3c9c2e202fdc58dbcf4f8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
28344d38f95a3368dc767599809009a9

SHA1
8268cf6a5f4a61d81f6c8c2a952e06aec0c93922

SHA256
37f2010a226469ac290b0c77d45a691fa48ec8f2ce0ed535fdbc734a488b8b80

SHA512
86a217c1af97f93a0c5382c96a644603a9f1959611904e24970977ea626529dac20623607dbd246df6845a13b515318126ba1fe7cad5d8b1fbebb76d162bedfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
d54fde5b7b84179b58ff83745100bfef

SHA1
188da91704cfa0f5e3b738ceaab52a98d9d66c73

SHA256
0f764687660fd60a44e6b31824d0c26cd75838b19685ad8436d6c01c31e08eb4

SHA512
8d5fc5d7b29f8663b4e39677963a356af3450b63f3426717844e57df49cc5b44bb540cd04ca307a38d01983c0ec5a7ee58afb7204f5ab98885d9146f1a5dc425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
ed5570fe5fb160670c512f15e4314db9

SHA1
456f9a10fdd087ea87e07ee7aec300f7a4a9bf9f

SHA256
605377d802fc2ac0c651810725a64972e69faa76c95305c738efb035173e202b

SHA512
d575345c06e71be255fc1f5698ec7ed8d345897f83efa4e03cbb8909baa3f3a8c637048d0ad800a5994ccc17a0813da1930b5c97afc30b9aab5897f480aa3e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
e03aa8bfc201f14e23ba3a7d7c12d02b

SHA1
3bb5384f7c414d574b432d38d4d6183181aed9e5

SHA256
1d66fbc66a8b0b41c45c834c3351b9e28d8db3b7cb3f7e48e190e941fbb5c092

SHA512
6a3f617031829d0137c28d13251a083f3780a33684ad42950e9cae7edb6149225b0deb4538a6a0e60aa3020210f3d84578bf0f5c9a70039fcc9d49c60a73bb34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
06be86dbb41fa35a72d4ce65ffab3b6f

SHA1
f8ddd5cd5303664e2a784ac4ab6dd81bc83d2178

SHA256
dc45ccf076c612682b53a2a7a40d2fdaa9fad1b6c89a5ae511c21416a9278d95

SHA512
494d05a3eb3504ec26b73ef178f579d347e0054f575470d67ea9aa210f71334c9a424ed0a93e2fe665dffc969044da5910ac0df1990e9abbda7c34e727c542f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
ae1ea12c8ac9357282b33f972405fb21

SHA1
915095c86b2f6fb50e9d84a29f7292a9adbb3735

SHA256
9ed3a63ffa2eb1b8be76f687301e756234c5582507adecb927c4c3d9c7c1ab44

SHA512
d96b33f86eb10b44488eb34e48fe512505cd115309306c8a52252d41b6b7bc80113b856fbfde0d7d28b606cda43b5de24d511df76e65d518013ee044b14b68c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
e6a6cc483b2196a8ee232218d12c97fa

SHA1
58105e8c6f040c615e617e1e41cd109ae663a07e

SHA256
6287f7119da13572ce8c6309d867dbe748cb63007c0e188e0b507c3e3411d98f

SHA512
bcf07c6015032bfb7900a2eacd65f5fdd996d8ff353814db670b0382f2c789754a7d00c7a338e9d684eebee5179ba6b9c80f37ef4c003abf899d8e92b1c4ef2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
dc9d69b45d1daffea1a257e7dbbc3dd3

SHA1
6170244bec2d25f49807b068714b4a9557535763

SHA256
c259f25b2a5096371e6c878558fa35be4ff9d0906d44f5bf4d806aa02c060f7c

SHA512
818980a10ccc125a1c1b9be10fe9bc71280f9aab961ed4b068fc1f8713154b12cba2c46d5f00f514fdcde547bbf76a14262cbd52a6c784ef5991eda549271c57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
0fd619ceacf7919f615c01479cd59e79

SHA1
7102fe0cd190d33bd5904e974b8b5e3c18b192ca

SHA256
853633dd79fabbf0c523d3d211843395a8ae1f6517a0e6cd4163d0bf331320fc

SHA512
4d3dd4af49b15cf07ffcfa0ced83c7672e77a449864468a2f0cb5899d7d5dd20bc2f18c395033889eee9aee5b2835b8db1671907db128a4a3a6666b001f83449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
c4afc1a9b7a3e76ce727b671120ba37c

SHA1
7fd48e2a59add4813de2fc1b59a4779b656374d6

SHA256
d1ddc76a7d641c9e4f8a47d9cc861f482781e71c7ec735def13f4655c43286e4

SHA512
d03136705ed258d886bb6367090844ce3b1049ce0fdbe854f3e79743b55a44a3780b1984486965f0a597813b438baecce2d263e0f1ad58477d44aa4fe9bf9f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
f8dfa9178897e0326f93bf113346d98a

SHA1
8c759a47cfe30a4b871462550c3d5e6f7edd29d3

SHA256
48e20a21a649dadab1ecd1326f461d0cff573762a00ab6882ecd6234b9e1bfed

SHA512
4712b93e5d0c9a8ba93358448c27607803fa581de37201c2344d16a0286dee0c866100dad6e97777b419dd9136d7137efdd09beb49c2d59c79125d933e5c5d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
dae9316cbb7ac55ea9bb90855b73db6f

SHA1
2dd2e0d363f68d88e9993c513656de1a8cf464a4

SHA256
d4953f54e1ee72a4f94f895fbca1fb9d215711dc1e267ddc0cef0f9176a6e60c

SHA512
0ed55f1f915506f7d5955ced12e0286032a01559b7a08ed604c13c4b136d342a5718fb3298b5b02bb033f2b9414edb1e8093175e519790d154447c868821848a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
e66a88e210e14ae2243add001f49ec8d

SHA1
c105b8c93f7f95391bdd7bb8a4b10fd029d013fa

SHA256
70a54e7b7717b96ae4141b6d75f965db3ac49149db49a13ad34c5a6eb324902f

SHA512
0ee2ecfb05c8be3d19692b458a81682630215ab778fb9eb1850ccbf031682d24f5e311391f0425cacea3b39fb21d44135ae85581d5a773f6a368ee6214051232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
b6dc1d28ae1880bdef7fd3698ec8cc0f

SHA1
c62dc00fb5bc6321400459c2bc05b5738ba4661a

SHA256
4ef9605c11cd8c15ef248060e979fbb1c43ff14bb7ab5c0bfdc06307ee2f5c74

SHA512
a8ac99adf39184db0530ba268ad7462654dc31a524a20c3ef6741af69dd550b86e865ce550937b1eacabf8fc5f87cdfac3f897c00f016b75f6e3687512b2ab78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
1664ef251e287ebdb4bdbc42b969aab8

SHA1
2f3e944754e05100aa85c50b2df97b36af8c16f8

SHA256
c280c7b0d4c83bbdf890b42f4be8966ef6b04aa21983f7b544bccaf7004e6e17

SHA512
0d6bd68675f23ad1a4bbb643ed099c8e6b1707317a42dbd5c54ce770f1efd80f4d4f365a8d94bd56b7f6b212b5fed888de72a7feac59d80c135662d17f27ee8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
2148a45eb56e6f6d9d6f565ceec8074b

SHA1
534a0bf4c93cf8e50c4af12d70ede00d36999ebe

SHA256
b87606539145e6db4689e85453fbfe46bf4be2c544baebf4aa3e2736e17eb773

SHA512
0d226c4b2e91973da068dcfebb577374dd47bbe95e933120d8927b6643ac0fa7062fc6bba8af442dc29c7306c843aa50dd56b001564fa1a3d15d7e777198610f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
bf84751ffd197a38814bfe4801af4906

SHA1
d02805145477e5933d077fd62c614bfb519978d1

SHA256
de835b76467b2392ad598400a8fa84e0076edc18d269aecec09f6d093cf92c63

SHA512
1deb718d4348e843f4fbf1c095d0388eaa23635290dfdc47eba2e05c2d289eeb8e2f5f32a76e06f76ebee5f183a94bec5ae51632c037e237b9740c2926f4c426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
b6b0b15be3f66a063854b9ad9b4aa089

SHA1
96d65a45ff0c58d0182d646ddc93070928d073fe

SHA256
9edcb19db0376eee9077e3b99ebc3481c9f5745a379ba2f22d2655ee84a33b50

SHA512
9deb0aa6a99bbed1645127e0942c6471d79565911ffc8b8fa47ca6f24327deaf2faed920e6038b8b1a0f9dd5f0aecdb7f24bf92137f899843762b4862c094a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
4463ca27a66e55d145c8f4682f9f01d3

SHA1
5bbea8cef15084036d572935313d722bcb77ce59

SHA256
b1d8b8964ae7df1650113bbabd9bb443aa1f5d85e5eda3d3364983a150ac079e

SHA512
3b345d0bedc4d5a4d6ce7274448897bcd4932930c09d011ee9a9a4dcfaa5d1790d87c5b989339463a0ee7d7644f0fb9783dabba64f871f865fe8986fb2d8b422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
971eed41d2cb420ff3c61cde1a7e4429

SHA1
8493e90cb5e1db450068abc89155038f4ef426d6

SHA256
8520236ae881a0d53e0dce5e6bdd8989e985ba6370fe902854c7264f5d200aeb

SHA512
eba5abf12b287d13284124df14128286a1da2e615a97430342004021c25e56526e180ff7c77919d1a2ab15771cf98045ada74166a53e70b6db8e13974f55a765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
1834de9e12cdc883c27a19d1e402caf4

SHA1
c17bcdbacb0af9678fe931f2e8d857052b61489d

SHA256
ca4935fc22467e272f8c54124d50aca39efaf603b553293882c9722829604c07

SHA512
a7581ccdb79cd426646d0e1c1fb4afaeb77d15cc95dc86e8f28bfa3abf4d55bb8dfa954b59817e30bcd67fc88d19345acbb059635f33d8a8d0e950c8b98aabee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
d83ce6e89039594cfd2dc7615906297d

SHA1
61642583e6d6181330311f0aa7b4a996b3a110d9

SHA256
aaa4dca25090010f0851bd6d616d9a8d4c2916a5fabfb589fdeea34958970989

SHA512
8a2ad443ba402e19cdf81ffa51fa299d4a42d389327cc95e7b22063863cce26ed70644564064d29c8e5a0ff40233ca05e5d91ccb753903cf08f9e76ab8d15081

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\doomed\3451

Filesize
15KB

MD5
ffd06bac35f2815990b31236279e064d

SHA1
ef9ecffc41e7e9f68f93a41f69236d275683da8e

SHA256
b28c364c756e033c6fccaa11c8051405d5b910dcecc310bcdf00bc46ccca0127

SHA512
8729d466951c3650b57259d8e6ffe86e7848e02630cc76284984430f8870f012cf5e122f1790cc8a06ffc411e3c7f8cd4da03ad4829cef7d119fbf13983195d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3

Filesize
16KB

MD5
e58cf4ea0827704e52a0e7da2158d7b8

SHA1
78a85ebfad9655ce35547f4699f02db6efa94bec

SHA256
79d59031bd62aac6aa83b77a3bf09721af10d65d8f05377ed92893277b4c3f02

SHA512
17ab0ef910bbf5884ca5f251ea2a9d2ebd63111ac7217cb2b7477fb74db7db665e070059b71699a642f13a20d420dd28368fe1b40d583b457c77c58b67efee15

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
8b2f38c5bd39ec467df8d34f539a41a5

SHA1
d9906bbca3a3072e4e67e56065b1d603fd013770

SHA256
5622465531199fb6ea255e3615b481983f219c4a3fcadd057c4e189bb1bc551b

SHA512
debb136252b59178a0ea3d18c41525fceef8848da9c98ecfa17453c18919153b0cd0458bb9e0041594e190218741a37699d52a2f967e24c134e20f7ec7601d1a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswcaeeafb84d61bb2d.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\a\asdk.dll

Filesize
1.0MB

MD5
e3f60a2cf6b1d155f5f7d17615907013

SHA1
8191871854dcbcc4fe34218040215581b0fccf43

SHA256
74fcd2367fb1d9c0084547ebaf1c6db081946453a5d0a2d668d83d3c489a60a9

SHA512
20a57a1d2ce3d081958b4b3b48f1c902039f26dd28abcac94fad6f20e8e5d630bbfd2365eb7200f7c8d676c593cb3dc465a406e8536abdf63bd7ef76bb86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\p\pfBL.dll

Filesize
6.0MB

MD5
5608c585d25c6f3d75762cd0a44cc153

SHA1
a9ae6ecca38b1fcfb08f7fa45a0f063fd9393828

SHA256
ed5826c816ace3bc5fdd471871a0034554773e7da20dbc0a2eac7152cc7fa260

SHA512
6e24928d93b8068f4e03d97159e7dd2ff5ea7817c37a5a06741311b0477fd54b5750451652f79cf53130efc03b9268ce5fa8922e63caf17c1d88d23200eb9867

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\ui\pfUI.dll

Filesize
10.4MB

MD5
9458f8983400a6f1edb9aa70988eb491

SHA1
9b6c0cf5c593e611960be181a13eb078ac9685c5

SHA256
6e1e9e1c9087289e44804dc47d489ead4d00dfddb5651d450f7e6299a994212e

SHA512
f57432d7475507922dd0bdf180dc77c0aae764c35f0ab16dc3eb43b58dcf928c2c8eedf82208692f6f8e040c2f5c7408ad49ce2c3bdc9a054a62057e260342a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\ui\res\Montserrat-Regular.otf

Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx4B03.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
397052d737fe1a353e511240bb3bd709

SHA1
397ad9877b3f540fd7224a433f6d9b8c445f4f7e

SHA256
e507963f133fddec30c7c9fc505499c0fbba2fbb3ac68c77047ac9221e152aaa

SHA512
90b6e512952db7b8c13ffcda688aa0934c699e711e5b2bcffc70c1597b2804b2985f1179ba1df4722fd276ff44b59409f326a22f6c73be59faca52a8f5b30b0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
1d7947608d5c8ddb59cc8528136776ac

SHA1
85cd45a8b4e635e0c5dd923aeecea9aba915badd

SHA256
2f0e801bd6387a17dd4f1a29a143f81eed2b1b464e468c9aba3913cace68a517

SHA512
e5ffb3a846a9bcfa082e6eec00abad428161b5477188b4b6b722d1a0055e768ce724393d32dc75843ba7d7165eb571c428e760a7b1f3eed4318058a485c0705f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
fe78bf9e7256070bb3ac33b13491d1fd

SHA1
83956ad1d4e021d6d0fda16de5c837bf430bd653

SHA256
d1e298936584c98535560bb9b18498d6a65f568146cfd6778e7ebed2e1a9516b

SHA512
9efe79999dcdcb80395b41c228486cb9f3bdf5b57af46a3030906b87af7dd87b70b328437819d33afdac22758d78e0b3e1bdb68648d956c3e950a04e10213eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WP4O4XEZIK8TOTTFGMFR.temp

Filesize
11KB

MD5
9c16db1db12fb10937f1f0357e53cb4b

SHA1
a6dad3f65443a17afb2b867be248c681dfc87daa

SHA256
f709bd2f8b2e545cc82692c26917342da5f767855697cc8d7dc1b42033d5e278

SHA512
1de911c088f55578af452845279acdb71ce446b8b1983fbb089009fdb41d39847684f57257e2d076bb53f35ea3a242e5af708a35fec1a985392d9617a719d784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms

Filesize
8KB

MD5
fac4336c91eab09ebba860da05798f97

SHA1
41a9d88e8f9b9319eb618d9e62fed1731788d7fc

SHA256
ccca33d690d28f356dcdb60fde24291bdfd03ec31576d706001189b8cfa924c2

SHA512
d7e185e275c23073ebbc17a6fdc3953dd2005b2d9cab88c8d753e2ad2b90ae183fa71e4fd201300276ab75f90c14f349c08d5e40191087b027e400c629375322

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
26KB

MD5
010eb40e65b36b51d1d2d551781a2ab3

SHA1
b2fa641b8584bf2d8eb766cb1170f4f3e7443dff

SHA256
a548538541565016ddb1b5e49e98489431a480ad039de992c93b1c902663b48a

SHA512
26076226cfd24a3e70e3de2e55ed3002966ed006a6c54497bc66d3af7d675f6b1cfe3e7c28c90a0066f8afb4f8a9ddc7033ec681c1b0bf8a2eabbeb4ff63a52a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
10KB

MD5
57b08fe02fe65448550faa36178bf25a

SHA1
e34272a15a93af545d8a3281add09cc89ad69a98

SHA256
59b7febb53159a6880f1e9996e7081de3cee4d6d716ce52df49911b368b2fdd5

SHA512
7ed905122d264d4a6c0886a517aaf6a3776573f079a10fd9814e4b86a6fc162eb7b45d77679a6839df710cd920a7a115e76336b705836fb896ae006f885576e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
11KB

MD5
ebd0beb215615b4769e72884557569be

SHA1
23c9a6a0a93c879542fa236e844588618626de53

SHA256
418e5f09946a51322e2a9aa5241c304499a158ec6c25cc2a0d6787cd5626f17d

SHA512
f2861d519a3bf185112d569815d5f99b3f4ab68c7f675301f0815264d08a16899e3cda345a636a36e3883aab58b8f46f3ff77cdde999990aa9705dea464f2c28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
27KB

MD5
07b8cae8d9391ef4268dda920eab85d8

SHA1
5b130572464ad8a0ced897af72b96ce86fa39528

SHA256
51761fb4b0b70666f1a8d3daaf3ebf9fa63cf4af61838470a30809b79d2a9187

SHA512
dce1913c10bcb8cfd634f7240af45669a22c4e3af5bcd28f804b8883eb65154f11f1a08129827ed09aee57c748a6bb0250a87bd53b9a7ce1e9cdd484f4f889b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\bookmarkbackups\bookmarks-2024-08-21_11_ur4QAd1T37d7n-N7hRALqw==.jsonlz4

Filesize
1008B

MD5
99a805992ec9e668f077d145f44c7772

SHA1
e12680aa9442d649197b0aa95c7dce714e469c21

SHA256
de60c0ffe55b67100bfbcb3129221cb3f6b427ca3b575d0c1f9f3d634fff054b

SHA512
1a816aded29b43ee6f7c436e71adf8621da746e27626eef7fa7ce3193b4938f8fd17ef464df715c13d6152fdc64dc69c61cb790ce504436b265ffd1fb064d427

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cookies.sqlite-wal

Filesize
384KB

MD5
c63137fcde39dd63d6f00b21412ea01c

SHA1
452cc95ebeeb596566dbe4022cf7490f7448763a

SHA256
d708d2e9d6eac5193722a6cc567331a9f0457f479ffa3cf4f0047a1456e3e00f

SHA512
3095fd7f3ebbbbec4c34f9604566821bfd8f938cbdf89fe209a0651f3f8ae3fa30cc8b0692060ca79c2a7ea7f7098be3c8d3aa84dacf8410b4dfb3480e37d0da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
4KB

MD5
489811faa9ed5c05e7a8f3b905584ebd

SHA1
f9a3c85bd78f401eb6a14389aed892749a9f67da

SHA256
a113b35a405bf09ae0563a4f9e480ce4e800144ba46b321ad964bdfd1f1fea0f

SHA512
09b46effc213be174521d4e92c4e5ca91715abca8d6679252162751c1b95ab44b418916baf70dc6326ac0db68dfe96f719b6c821017a13d64c2ea9ad722634bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0265735d4561dd46f4a087bca2dd11aa

SHA1
545157da3aa4c813c6e18316ceccab58f45187f4

SHA256
73c142005e86a17ba012d3830045a34889018329752c4d72d2b3f7dbd0812d2e

SHA512
fdf6138b2ce4a2c8c924d45064649c050f08d97cd839fd31e6a33db4d560ce1108a5c6dd047986f554a7ff22fb8f3336cdeddb3ef929233cf1377fe426d31866

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
39KB

MD5
5fee95f758bb404650b4fc116ae5b763

SHA1
1257de425aaae8c8ff9239c60ba9aa3797a86b82

SHA256
feac81dae6ad94bd80eb13e9679fe7bccfd55adfafaf2bd1b6c84a06fcfe8a4b

SHA512
b21f092ee7268ce3a958661a0b3b802fc9871ec988760d82bda417648552e8c65574fd22551c03d0e2472e3a02669f5e91599a5b8f6ce7b3eb3ea16523c01d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
b58aa8f28a799948225c5cc16726ba73

SHA1
e860aa6b6455d81d759320269ca1343ec42be659

SHA256
7ac7091bf39a4de29ae04fe74eaea9a3a13dafaa70f9fb637282c68a33d8d60f

SHA512
627f4dccb8183901853689c1d9b4bd9ef7cbcc9ebd8d02c3cb92af8c1f4cd10368de04aa9665a34c2dc45f05440430b5e8270bb7167579d025dbc7ed5f9ab0fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
d3249a358689517139bd0f0d652e2bf7

SHA1
29d9e830b2acc18ec1b4e5ba163e4e90881ef0f4

SHA256
f09fe6ea0a449dd6034390eba96ca68d18c63a7dec220d65a3eabfe6e281fdf8

SHA512
2b5b8ebed4cf013625718d1bb76ebbac4ced6cf2c2fb8d1de83fa3bd1c642edf7c299bf47f91d9c6d9fc25bac1f0e3240a71a5a92b0c2e087d31c2ab0fbc5a1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
40KB

MD5
fa8868df16876d450a1fe92b0efb88ec

SHA1
f7590ff3a4823d7926a64a9896e01a9564937c8c

SHA256
de190b8359413d27345d6bce08d7346d82293df29e4c2e23cd85cd6b8e31c5b8

SHA512
0fb9cb421cc4d0d1102b494757369dfed6024197c569a4d130ae3903e7a0f4397cc5751e0cb492d962b924cfc55e02113adb02beee6af8484497bdcfbb3acb2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
40KB

MD5
3e2699228dd1fd7ebfc01ae3029a212a

SHA1
6d26e10953e0253dfecbd9d5f7ee6a7f00a096c4

SHA256
9b2e703ff3b813d84ba9071cac14039c05decc95dcb0c2b796017ab4710d539a

SHA512
7d38fff143f98c3ec0cb308d63173a532ddc901203d6415900c7a4a7e556dcf7501d40bc45de468831776f0f11954fe4a88c92b4372e311a3d83fed384987823

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\738dc441-abb0-4340-aba1-585f8c09b27e

Filesize
671B

MD5
9e93f0d6ffaf7151c24c45d45835d99a

SHA1
4a3fbda01123d6c26433be31be720004b623004b

SHA256
445c8d1c8522c14d0902fd6dc37fcba8655be3f2d7ef100f8afab11e8f49dc59

SHA512
d1769884e0ef43d3a348c9410861c23cddf2d9f0af6a6d9369526349b3fed9c805328359362f5efdfbdbd52340c1f3fb523755375f2fef1fb9cb68add1945187

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\8e9f0989-68b3-46eb-bb62-ac80e58b0830

Filesize
27KB

MD5
3e80047fb28a805b5fd7ec71f4b69e2d

SHA1
abfcaa0f3c78514344beb3a0111012822d49f467

SHA256
1f02c66df0ee00b8acee71d9c67365f164aa473e2e44685cb5a4a91b442459ea

SHA512
61957fbd8234505d093f487e11fd751372cb9be7b46e159337cfd41ef4ea990c3a2dcf01c91497b45f6d12f882f3e62b1c769600721ebd7f1d34b04a85efc80c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\9bf4ba07-f3f6-4c6d-b3b5-1f8e6e49bd18

Filesize
982B

MD5
7b39b55b67a2d654e864e48d6294b889

SHA1
2647e5737dc7a4b91e06483778976fb4d27077d0

SHA256
cbe58b733ccccc13a1ae05586cc6adbe37c7c9bd5db36db38acd7c06fbc429ae

SHA512
83609f63a1c52ec30dcd593035754e6b23988359f9e9477f441945b54bd9ed0c1d4a7de625d4f80bfbd32a389a9cafbd0948b9cc3f63745bde65139531326d55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\downloads.json

Filesize
828B

MD5
c3f7a20cdfbf0106cb33e3f011d859e5

SHA1
82d45694a166d504bbb67439d19bf02d8259dfc8

SHA256
1816e4e387b595fdc740e6752106aca51be701270f343bdc7d61f442268da4a9

SHA512
908c34a6b99353c823fda6e91696deca4e7424d7798b97af7342805196c726c2db09efa9e1be48fc3a0072e3f1eec34cb9ce5700c6cfe71554ebd0497d0796de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
57633a49fdde1bf4272463cce83105b7

SHA1
6ed6d94dbe38b678de6349277e5f160640eda52d

SHA256
c837ee9e8334bcddf23cbe612efdca02f96d878b49cecc44798afb3db9565760

SHA512
fbf54c424ad7e9e4e52f721e5a6e0f8ade991d67177b1a34cba805ef9a0c75ba6a4a0b0a2175e49b622aa23415bee1d68e09077cf7bc3430cd6fa57ab23fe8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
11KB

MD5
f3c59ce9c13a45a7316259d53ed29d37

SHA1
c4cdb57e77e9eb40c45489db3e03dc600de8bc5f

SHA256
d5bb94e0dd06e9c5d7d8f167d02ac6b51ed9fc9a99cbdef74a29ad8466d571ad

SHA512
5fcc8fcffd0b8d24268f781f25724ae5db5ca0b6d1dc31cece9ef9488a8fddc1c2088db509f2e4f031b281c8027b70777d57c68f8bcbd40e7f24812e59870223

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
16KB

MD5
71b9b9a4373dc6ad9bc5c7757fe44602

SHA1
dbfc16fb14782ca78711e6c495f39e6d8ca5201f

SHA256
fc906f4e71c249d8ceeb803edf97d540a5455b6ed29b1e86bddf673dab391d5d

SHA512
7df1248abf545b582cfc729f2155b801290d781366a137755a6cf4e973bf3fadd3047c8b3b687e953832697ecfcc5b7e3646e9d54cf10451deaad12983a83a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
16KB

MD5
0ac590e18722f89cd455385dff535c22

SHA1
ada69ee1a759c5c000266e12f04ec1956bed204e

SHA256
b25ddf391f6419b3e3eba17e743b99de565c33d3c002009ffb895b14e4bb0686

SHA512
b4a51842e73e15cf148b6629aa9dfede86334df0ee09b91330071aa6f32a49a8cef39565b689623386ce64ff443d2d13b39b93facf2dd338efd1fc1433b9d801

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
16KB

MD5
2c74b27b3e35502b4e396f24fa6f825b

SHA1
afe2331d7e5008d8d77931002b2298282c2d1015

SHA256
daff71ecf3c08f6bca521ad8a9d8da9a427ac17a6db0580d049d4c834ca9f2a0

SHA512
eee47be57ad63774c0a6f3f54a3932b72f55452650fecd0441b08367b781bfcaa9327efb9254ac1f53d1ab0c3deafd6b2a379405560e150eed7afcae7dd090fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
216a8677e259d9aa712316aa8deb7ae9

SHA1
550adfca46fbe304e279016bab95a7bb8ebe563e

SHA256
5b55f883c297b3a6a11e971eb30b50822dc7b07629283ff96284557b6f909a24

SHA512
ab94bc1f4f77ec2ea3b1dc8f98e6c8555c1a185de18354a7596011ca33f177ae9a3bec71de505de3274c26425382b4d1eb4401b87006ebe5abcec86540475f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
7cb7fc662af9fff281e42393d72ed5e7

SHA1
c0bbdb066169b0c8cffcc9b3a7c8e865f5be9ae3

SHA256
56f8b6e4673c4d3d36ab7b811fe413e75a812441603c118323620314bf295adf

SHA512
d38dd279baef3d8651ee421b1ccd8f3e3cad940404bd0050942abc5c559298543d4f0df0f70ecad975a3a20d7dbafcba4b67c1a5d2da302204995883ca59cc25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
817d910c5a376577540acda2979d3f90

SHA1
0fddd08888182caa88378713325588ab68b06b01

SHA256
d5c528bc0cf57476750e3e72c29365ddd774923a533c2d0c46962cdee2030c73

SHA512
d896acb265aabb13753816598cbb552ad6c9c842af89f8610510d07f6a37391ef18b67e9e259899ed124a0936d6f6212710ed5adb82c6f293b7f7a1f39eb93d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
3172f47e1bd8a83853d9f313eb0d3461

SHA1
ff3458e10881a5d47dd2518d5a7badad0a022090

SHA256
b4453ac674a745a2598cdb3cfbdf947d01d0d3bdec742eb6a31b58af5f42be14

SHA512
b8dca2186e33829b9741d2256aa0f447d2a63fb28670469e422a03c84edd1be4c332c1718614f4eca9e3025d8c08a38234157cb13dc640996ddbb5249a611156

Download Submit
C:\Windows\Tasks\CCleanerCrashReporting.job

Filesize
666B

MD5
ffc691b4d663c35321d2ac1c9cb67374

SHA1
56ad79ee09be4023c87246d9ca5c0d17676aa0ad

SHA256
88f1d0f1d22c1aecba336c939d83bc5d4885758d01cae14845ac8efdd27443e0

SHA512
7384d2d93e2be35c850c9a4afd5942bf8e15bb4da9ce06490d88dc5e2a14aa19ae9f1e92bbfad9d4f566a7737407d2ff9be142d285106e9ab3d25fcf83a75859

Download Submit
C:\Windows\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Filesize
64B

MD5
cf7d2ba867042501d22fe4651ec2084b

SHA1
ee2b6143daeb6693a034f46fa69cafeb798a7449

SHA256
50e2919ba15af354d757bdd8ae19eb931e4fb9ad8c0a05b6acab7a97898935a6

SHA512
4f8807fa9c3fb81b6a3b53396a0bc18aa7cb68f1a61b804c3b848f433baaed380baccdbfc50442dab5a225031ba8ad1e9c9024823ba3306f92334ee79d7ffe53

Download Submit
\??\c:\program files\ccleaner\CCleanerBugReport.exe

Filesize
4.8MB

MD5
0b1f7332e75c8a49cc51af507c415d9b

SHA1
bb5c364f8acc87f472579925ea28a991f7ac521e

SHA256
a6d2c63cebece8e8af73742a7d3ebe8d8581be84bb9371420cf2046ddf89d399

SHA512
f4404cbe65bd566e94051d829d0a9a55f074a0dead57771b1c8a30120ce0482e1ed16876bb863facb3ace332be11b3fac85753ed113dea693119afe5643ebfdb

Download Submit
\??\c:\program files\ccleaner\uninst.exe

Filesize
2.2MB

MD5
0650e243a43a488cae9c995e232cbc4f

SHA1
583c5676bd34583abf96ee3b2cf58c5a7366f330

SHA256
786fb3be329f22c5ef886a28d05e679962f5045604b6093c4d2c763d3c653f02

SHA512
836445fedeed34154725a16a6beb881993ea865695c4bfa0907ebbddd8ea974fe25e60613faa8f9dc5f499713f08c25e61c542e72cbc3c5e9f88cb9934a50e25

Download Submit
\??\c:\program files\ccleaner\wa_3rd_party_host_32.exe

Filesize
2.1MB

MD5
0b9199f978354026e8a571d0b87aeab4

SHA1
c58872ef4cfc8994550e9c59cb70839afeaadf31

SHA256
c2f77f4ac4123b0083096d1ac9218a2da14fa3c28399fe75f3970c740e962c6a

SHA512
3e70085bfa174a74723959bf832ce10155c55def270431f3bb9401816468dfb8cf3e16f4108574900434fbfc5dfb3b325ef1dc0e797906e109514e513f38337f

Download Submit
\??\c:\program files\ccleaner\wa_3rd_party_host_64.exe

Filesize
2.7MB

MD5
304f226dadc5468f039fe02dfab3046c

SHA1
f50b4b6bed200b6eadf67508fcb6a7c68f1f5b13

SHA256
e5410f5680c636ea57b4dbf730e7d1c2c17b43c43b10cb020ab254a1d793ea0a

SHA512
5e6e82a3ea2c7b616bd17af3ec0ecc3157525d0d530422a86474e4fb83a0ac8d7052a56c44646238ac19be41bbef9d0c7543a3ec8752cbf22d384b30ad14aece

Download Submit
memory/992-3287-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download
memory/992-3305-0x0000000007CF0000-0x0000000007CF8000-memory.dmp

Filesize
32KB

Download
memory/992-3307-0x0000000007D70000-0x0000000007D78000-memory.dmp

Filesize
32KB

Download
memory/992-3308-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/992-3309-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/992-3311-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/992-3314-0x0000000007A80000-0x0000000007A88000-memory.dmp

Filesize
32KB

Download
memory/992-3317-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/992-3281-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/992-3329-0x0000000007B30000-0x0000000007B38000-memory.dmp

Filesize
32KB

Download
memory/992-3331-0x0000000007B70000-0x0000000007B78000-memory.dmp

Filesize
32KB

Download
memory/992-3334-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/992-3338-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/992-3384-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/992-3386-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/992-3389-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download