hxxps://drive[.]google[.]com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing

Analysis

max time kernel
1799s
max time network
1803s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing

Score

8^/10

bootkit defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
4736	ccsetup627.exe
2412	CCleaner64.exe
2208	CCUpdate.exe
5932	CCUpdate.exe

Loads dropped DLL 20 IoCs

pid	Process
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
5932	CCUpdate.exe
5544	CCleaner64.exe
5048	CCleaner64.exe
2408	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 18 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
12	drive.google.com
19	drive.google.com
21	drive.google.com
22	drive.google.com
2	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	ccsetup627.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	CCleaner64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwalocal.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwautils.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\ORI_\CCleaner.exe	7zG.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\wa_3rd_party_host_64.exe	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup627.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-16.png	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1028.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Setup\ebdaf45b-8af3-4771-a125-d4e71a7d75f9.dll	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1053.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwavmodapi.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Setup\41f601c9-dabb-4c92-83c3-9707eee960fd.ini	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\temp_ccupdate\update.ini	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\ORI_\CCleaner64.exe	7zG.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerBugReport.exe	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwaapi.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\libwaheap.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\temp_ccupdate\ccupdate627_te.exe	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\CCleaner.dat	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup627.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup627.exe
File opened for modification	C:\Program Files\CCleaner\temp_ccupdate\update.ini	CCleaner64.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\inf\setupapi.dev.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\ccsetup627.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral3/files/0x000100000002acdb-1845.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccsetup627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup627.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	ccsetup627.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	ccsetup627.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Key created	\Registry\User\.Default\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup627.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	ccsetup627.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Software\Piriform\CCleaner\Brandover = "0"	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_003_999_b8h_m"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1735401866-3802634615-1355934272-1000\{DB04706A-6B7D-40CC-A263-B2F7F682DB54}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Software\Piriform\CCleaner	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup627.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Software\Piriform	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup627.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Software	ccsetup627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup627.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 678106.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\ccsetup627.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions.7z:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	msedge.exe
1336	msedge.exe
3100	msedge.exe
3100	msedge.exe
5896	identity_helper.exe
5896	identity_helper.exe
5652	msedge.exe
5652	msedge.exe
5256	msedge.exe
5256	msedge.exe
6032	msedge.exe
6032	msedge.exe
6032	msedge.exe
6032	msedge.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5544	CCleaner64.exe
2408	CCleaner64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeShutdownPrivilege	4736	ccsetup627.exe
Token: SeCreatePagefilePrivilege	4736	ccsetup627.exe
Token: SeShutdownPrivilege	4736	ccsetup627.exe
Token: SeCreatePagefilePrivilege	4736	ccsetup627.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeRestorePrivilege	4736	ccsetup627.exe
Token: SeDebugPrivilege	2412	CCleaner64.exe
Token: SeRestorePrivilege	124	7zG.exe
Token: 35	124	7zG.exe
Token: SeSecurityPrivilege	124	7zG.exe
Token: SeSecurityPrivilege	124	7zG.exe
Token: SeRestorePrivilege	4800	7zG.exe
Token: 35	4800	7zG.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeSecurityPrivilege	4800	7zG.exe
Token: SeSecurityPrivilege	4800	7zG.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeDebugPrivilege	616	firefox.exe
Token: SeShutdownPrivilege	5544	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5544	CCleaner64.exe
Token: SeShutdownPrivilege	5048	CCleaner64.exe
Token: SeCreatePagefilePrivilege	5048	CCleaner64.exe
Token: SeDebugPrivilege	616	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
5048	CCleaner64.exe
5048	CCleaner64.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
4736	ccsetup627.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
616	firefox.exe
2412	CCleaner64.exe
2208	CCUpdate.exe
4736	ccsetup627.exe
5932	CCUpdate.exe
5544	CCleaner64.exe
5544	CCleaner64.exe
5048	CCleaner64.exe
5048	CCleaner64.exe
5048	CCleaner64.exe
2408	CCleaner64.exe
2408	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 2400 wrote to memory of 616	2400	firefox.exe	81
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 1896	616	firefox.exe	82
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83
PID 616 wrote to memory of 4716	616	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1vqN2RsA3HakVthWjD_Ed7AgtUREA7vvW/view?usp=sharing
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c41357b7-6e0e-4ebd-88a3-f86a9ca5dd67} 616 "\\.\pipe\gecko-crash-server-pipe.616" gpu
    3⤵
    PID:1896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7473b520-8b55-4203-a1f8-41f5ae50a61e} 616 "\\.\pipe\gecko-crash-server-pipe.616" socket
    3⤵
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 1 -isForBrowser -prefsHandle 3512 -prefMapHandle 3528 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce593868-dc15-45e5-a1f8-f4363149566c} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:2664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3904 -childID 2 -isForBrowser -prefsHandle 3264 -prefMapHandle 2736 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4efe6d4-a203-4164-b765-e91e53099036} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4420 -prefMapHandle 4436 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96e1351f-f1a0-451c-ac03-be61327c0fe8} 616 "\\.\pipe\gecko-crash-server-pipe.616" utility
    3⤵
    - Checks processor information in registry
    PID:2524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8a6c141-d1ce-4895-91a7-631778f3b248} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a4cc2d9-f55f-4e92-be9a-04e33b388d0f} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:3636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5796 -prefMapHandle 5804 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ac935b5-7234-4adc-878b-d864ac83a4dc} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 6 -isForBrowser -prefsHandle 4108 -prefMapHandle 4116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54ac760d-af1b-4369-a41c-1153b3f01f1a} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:3260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -childID 7 -isForBrowser -prefsHandle 2884 -prefMapHandle 1124 -prefsLen 30817 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b67f40c-45a9-443a-b441-1c59da494252} 616 "\\.\pipe\gecko-crash-server-pipe.616" tab
    3⤵
    PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbd7863cb8,0x7ffbd7863cc8,0x7ffbd7863cd8
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,10700542427449850387,4169541377299831896,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:5640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:232

C:\Users\Admin\Downloads\ccsetup627.exe
"C:\Users\Admin\Downloads\ccsetup627.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4736
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Program Files\CCleaner\CCUpdate.exe
  "C:\Program Files\CCleaner\CCUpdate.exe" /reg
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2208
- - C:\Program Files\CCleaner\CCUpdate.exe
    CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\ebdaf45b-8af3-4771-a125-d4e71a7d75f9.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5932

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\" -ad -an -ai#7zMap12218:122:7zEvent2625
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:124

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap1505:64:7zEvent7610 -ad -saa -- "C:\Program Files\CCleaner\ORI_"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\CCleaner 5.89.9401 all editions\BlockHost .bat"
1⤵
- Drops file in Drivers directory
PID:972
- C:\Windows\system32\find.exe
  FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:2504
- C:\Windows\system32\find.exe
  FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:4152
- C:\Windows\system32\find.exe
  FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:5660
- C:\Windows\system32\find.exe
  FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:2244
- C:\Windows\system32\find.exe
  FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:6016
- C:\Windows\system32\find.exe
  FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:5944
- C:\Windows\system32\find.exe
  FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:388
- C:\Windows\system32\find.exe
  FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:3048
- C:\Windows\system32\find.exe
  FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:1860
- C:\Windows\system32\find.exe
  FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:428
- C:\Windows\system32\find.exe
  FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts
  2⤵
  PID:776

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\CCleaner 5.89.9401 all editions\Read me.txt
1⤵
PID:5004

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5544
- C:\Program Files\CCleaner\CCleaner64.exe
  "C:\Program Files\CCleaner\CCleaner64.exe" /monitor
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5048

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:5832

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe

Filesize
809KB

MD5
943a4f169e9a3303ed6defc1ac3690bd

SHA1
e0bd76b866624164c10b85d37efb6474b84164df

SHA256
e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240

SHA512
da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
37.3MB

MD5
01810f560b84f321ff3915022ddab99a

SHA1
7f08dbebd49233d6b8c2b98b38573b54ff9a8c88

SHA256
6178d8786aabcf14fc114a3bd53b5b09d41ba0840842d4dfb06ccd565ec01a5f

SHA512
ccc25dc7e8e49030c0bafcdd9a13e5a6b7ac78630b93ecf5a081e19f91fc0a756fd7d984051317e9862dd2a65e6e5882ff7b87dc2f74cd8c58b56aa478f4c2af

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
43.0MB

MD5
049c362975252b6a2d997a6b72d37bcc

SHA1
cb2766a228f5afe4a886e001fcce03ccebc2d30b

SHA256
4bdf21db063d16f7e20f59113276d1dee1cdbebcef30d42d777d9b90c7830810

SHA512
8075a71b5fe374061b675490883ba07b14c39372042779dd7f6d7498146cdc695d25a13a70fbf58f77a96b0ab962d7ba21bba67dcb8bb43320eefe736c809495

Download Submit
C:\Program Files\CCleaner\New Compressed (zipped) Folder.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Program Files\CCleaner\Setup\265e860b-a1a1-4d4b-90d3-44ad47fc4692.xml

Filesize
823B

MD5
e63fa740bd2301d74ce165764f0c36ef

SHA1
1f9ad7e45306e90f14a7ce6e98d2eb4d8bcf91bd

SHA256
258a3bbf21ead2f93273f741910b7a1d54632c294e928949f601bbff8008cfac

SHA512
0dd73c5e7ea18feddd2797131b8fbaf3b541b81d4625debccae60c060b2f405a8ed7c0c3440c4d7e52f7dcbcf6ce47f39423904be74dcc6a515af963a7fe75b1

Download Submit
C:\Program Files\CCleaner\Setup\41f601c9-dabb-4c92-83c3-9707eee960fd.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\ebdaf45b-8af3-4771-a125-d4e71a7d75f9.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\gcapi_dll.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\CCleaner\temp_ccupdate\update.ini

Filesize
138B

MD5
3774080aabfbebbaa24a55309fa95d69

SHA1
b7317c2bb7f96f0aeb8971c38e91a24f3e8f43bb

SHA256
6d7172f318bf55614febc071b47eabe8a54cd153831039322f978901ff7f1782

SHA512
aa7d7146eaf4d95e9c920e9527a99c0ac6be256d352d633ed38b3dce3a03f7501142e724deda2c7083bb25b5fdb5ebaa03525c15c3ce3cecc2d9553730b0238f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_F0E9D85FC3FEBFCE849AF4AB94C81F73

Filesize
727B

MD5
c214cb7297754d1598a7ac723dead8fb

SHA1
f43b96c7d32bd90780867b06116d3f4ebf081a8f

SHA256
4a304ab02d05b946839eb9d44f97666fbdb9351cd37c6bdbda99650a64cf4ede

SHA512
376c2ab736b35e5f5b32ab51d2e2be89a162fcf1d6f4f5d3f0a24accac89e09ca2328f66fec6c04084d7b56adef6c50b3da167d304ac20e8c94ef741dbf3b404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
311753bbec6cb6ebc1b6d98180d59e9b

SHA1
5da79e665006da970e641b818c368f8c5bef1eb6

SHA256
bd569035309d5219aaa2e6dac78870387e0a72bceb67d642e620ec43ff445dbf

SHA512
c0794f5f511e4dbcfa982d3487bfb235247a38e0fe128846e18ba46cd99840f6c216195dbafaf39a00dc5c6aec61ef9657dd5f4d9fc30402e7061373269f7dc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_F0E9D85FC3FEBFCE849AF4AB94C81F73

Filesize
408B

MD5
67c487971e3713cd2dee94f8083a3525

SHA1
dd3173bf03c29ca3f796d0b74cbb3e1f8dcae609

SHA256
dee30329325e56bd34e18ec3ebae39c76be53eaacfe159ca264bacc700431b5b

SHA512
e9e77ebd81c0bf49a3e26135ca0cb0c1d98bc780374d2a748b3569844ae79820cd58e15b468db424b88abfe146c0e0e711c0f528dde8c2f58ef43a17be761b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
bce32edd0da7a82a2483ea193fa19754

SHA1
1e2476a18ab094e892aeabbf15212c58f90295cf

SHA256
3f2aa2421f12a478a29e6aedfdcadb8e50e864e3e8af4e0832a3a10d79c4bb3b

SHA512
0aa22636faa465559730bb7e7f72b42a8955407bb8237bdaf4696801751861790d67b35468f5f84995e8f21edb4a2ef854cb29cb8d568e11317e7e24d3e53a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3ebb0e22de40d30caf42dac954fafc25

SHA1
e53a4e8f699b2f146c5916c8d9b7233160200aa5

SHA256
fab5f3f24f52e85dce24a428af0e335d0e1f93a73a0708a83d69663ba832b774

SHA512
506ae8792ed6a915573a24d7402fbb14f7f1e94f509a866b266f17fba86f7c76a8a2766a3fe3ef98816adfef4d2ad2b015700b438ff2765b7ef11462c35726a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5bc4cae1bae7085564c92b243c5c50e1

SHA1
f6abb958f357a6cd6eeb6779765a573d075baa4f

SHA256
1cd0d6c1d0a8e862c6a283a888b287648816066e32fc4f6b44b4c246cabe5e2c

SHA512
066b3a5116ee9ce9c8fff460d94dbfa759145f2d66afba0945e7f376ebf816bd901e81eef3b33ffa6ff191002575d209b410666d1cd9e3eb9b8d508fbefabef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fe97a75a225995066c38860b7ae0861f

SHA1
bb578eaebc38ac98bfc3be673e17899ec9119e3c

SHA256
e8c2506f16b9a46aed4410440a1c1bd142ba6d71dc9e8138eda4db7fec472511

SHA512
d7e1b573188d930a95557e000d64b546d3bbf24b62c2dd70231a4bcbfc6d3d3352f575af96c07c9ecf580932920e15e96ddc0939e1100fb31a9479cfc39bc863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f6fbca0352e31bd3bdd585fa8c65dbde

SHA1
a6de3f291854805585f6028534d9807f7337252e

SHA256
0e4bf453376abcd8adff4a930a603773024a500f41147bf6e7f52fe9cb6be1d1

SHA512
d4e201fb22d2c056d1bf96440c89670ac935488f26b3f741b9643cf92875c585cfe1f787dae1be1fedee613c4f0625ceec9e70a79809cecbcca50233f0490e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3832899d796b3b4a5fc7a963e865b574

SHA1
b0ba281bc8ce77d00b493b94f4a0cf69141f252a

SHA256
f39c4aea754be93d8dd4ddeba61bb1f3c4759b01bf3e078a8bc0f39356ddb411

SHA512
6922cbdcd47ca5fae1ed8c7f6312d25c6b35b6343707c297132902b89de200184c80ba22dacf9c207f7bf1714d3888ce5ea8d49892d24e1e38a9f1a42c865d52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
49c985aa994c799b13a8e7ef3c5637ef

SHA1
337e31eae7b392d63f2038062608a55f8801766f

SHA256
a79e53d2e5298f2e0d1c947d2cb60a37eae7603105bb927ec7ebfa7e759d4e20

SHA512
d720654385d06efb5d6cd6b0cc3ff81f6127af4a329afdf34a668fe0869bf000bea48acb889a6cddd7272d456158f8f1111f1ba6b8a0590b209b7f2ddb93b0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
63ef7f3618d0b56f891986a8b5208646

SHA1
de1f83fda9f83615d69b40100611eff9d8cdba46

SHA256
980783af58dba975383fad64246750bd693aabf6f06e16510790cda5f426436a

SHA512
5342a7ceac58fef15bd0f3e898622f0e91d38858ca3dbe408f114d653b5b6a025708819ff184d537f231495b7ec3ab458f32677697903020411f2c88d1f79e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cff93a690fed9c6cec950ed0eaf38263

SHA1
4cb44c6b89af3bd88483ba40ba616ad5223fd4ce

SHA256
5df3f6dd8cac9ded90ca24695c99356f2db7de7b34dc5df29d3ac0305bceca43

SHA512
b673c04dc25e9d5f1a628303345e026bd4a25f46ad931e42cd047cf40eda82371fe162fa6f95c59411c0641d4d562d3d81dfaaffd97c6577915fcbff2de71b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5bf3cff80ba1b2a6c98e7e27eaa4b2c5

SHA1
c410999791a8b364ec1699f12420a988c575926a

SHA256
e4d96d8b7f574aaeba84c4d7b1ffee41868edd96a938e36245ba1c6f68c23b9b

SHA512
30a62f0ddbea2daad51f0b557fa7b68bb85c1378cc3518e36b8d063afe9e816b7074d1d2d5ae2a8a27cffe5f9da8e5c510d249cd80e49a8543fd374d3cedb13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
72efed616ed48c6ce2693374d8af88ee

SHA1
c7c5c62cc9f64c3303a0a682923bdc9d2730403e

SHA256
9da7369b98a06cd3c441776c87677e4a0d7310c1d9963f4fe43741b99763ba09

SHA512
e6c267b90f29a53f6e6b27fb086c28e8835739bb9df7f007f647bf776acea9040a5196ac773fe520a76ae8772822d8cb3d2618aae55933ad529850a4f8a2fe37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
349b95d3eb89a455f7a863a0d32ee79d

SHA1
f12e3a9de3453a1c77cdcb7ee47789adfd865426

SHA256
4f39545d3e99a1dd83002692135e65de592779bb79ae956db94637b2216ee68f

SHA512
d89bd329f0a9bffeb16ae73f9a3631ce8b78ef4b0c514b3b2653c3a7614f7f36496cc99342e2c1d9a22c146c7d6c433f365f673413c69c16d70b217606777a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7478605111770fc68b619f29c2cee3a6

SHA1
1ed7017724467d810fc61645e1e0d4dfccf9b3c2

SHA256
d16ba827dbbd3bf15d6bc3251eb5f607df1158f184a60945374afea3a4d366c1

SHA512
0aa2aa161ab999b629af9bd628882a1908f5593ec178ccaf1bee1908f9e68826b281dbfed0146e472622841d68394729aa843d6e6b61bef210d4ba23d1455f25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4cf02f8029c3d51e6fa645745ebebe1a

SHA1
4f465c4e7a4605ca3d98663b337713fb6958af56

SHA256
abd17ce794c142daf8e0014bb8c387bebdef215b91b55f13d5dbcce99b48c6b4

SHA512
545c9a018c282af39045fb2cfae8a772bee2966ef5a0c7746d3be8e25cb63ee60ca7b42ce337a54f75e5804d85387a7a79574397e12aef54935edc7578b97fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d0679a8bec19dd54dee6e54725f56279

SHA1
c41b8f4fc3df1748c63fab47d21e33a4649780f7

SHA256
a24db91fefdfbded99ab310d13aea7ebaa9fbd06d3be4e19c4c242ea392b64a5

SHA512
7cfd27f967d0fa815ad3fe4a7ec7d533f139115b79784bccde574f3520fe8ea035b5433e2a981303e3b9ce478d58a2bb9d831f672afecea05fdbec75e6cb7df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59f4f5.TMP

Filesize
538B

MD5
683798f951939bc9f5b2223ba1dda380

SHA1
f9b1273172e3b29128dff6d3afc28c5e82d131e1

SHA256
8d975f80ceb082e7be2d8fb24d7a4ba9154054db4a0c8d23b694fa1a5f2c92a2

SHA512
22179a92706a9710ea8f36b8efbb7b041f3321921134fb05ea8b75715d42e4c49345dbd462a6275a9473359e4e3cd60923bc0122d2afa17cfc011c7cbed44c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de10a8fd568291999512b607bc07c835

SHA1
6cd98cbc0b1f4a51fb8c71a06b0c708e6a4738d1

SHA256
4be5ae17b966f8de6eb4cf9cd7291c2e83965a01014f0314e7f780caf84371d9

SHA512
6bdb35473edb6429556f9eac2ce676c89610d6e5bce28e2225afffbf383787840ce0ba9f8de078d9275d55f6c601f5bb2e743c95f3ba85aff7a45b0670cd71fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be33755ba7cc2248da48248e283e5efa

SHA1
9a43364bfbd492940f5feb4a80356054a1c980a2

SHA256
afd2fb7bad7f4fa6c9305112cebd9113d5d80e326d87a564f5218b32d3e993ae

SHA512
0e552dc04a6e539268878727c2285f1108f6b8e585d25f6171ad6e19c1deaef20265fb26b53d512ee1f408acf4b37569dace8be065cf2eb7a146a8296ae5b032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a27ea5773a26c7b43f102a02318d12a4

SHA1
3cc34a4e3627b67ad99fd6f51592664a31385d8f

SHA256
f72de5b7468012197fbc2391bafc24f1ac0383a8459a4a523e9a102e0a0f05f6

SHA512
40901314102287ce092bc42be65ed87996539abeacf2c9fd746b0f2420ed915867f14e2728dc84a3e5ae78bede70985f552e0ea6aedcfef5e1090fd807b9d817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
b520bfda172b34a5facb8a0420ab7369

SHA1
5c93a2f46a9a2c4f3f255a9ad9b9b9c23a6870f5

SHA256
f5bd557cb05c976095b8b70c9acde56b597cf2844ed7082095e3141cc957812d

SHA512
595a5f9d5bca9433ca01990c954ba379469307db8e0117ff853a412c83541c9c4857365c9c697a4a12dc9c918b77c789d0eaf64449ddf5da2a489852692e0204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
3ad8d3d317ac7b3dd29a46b008be9e99

SHA1
eee3a540abb5682b0d9633b3826f71d7d48d46a1

SHA256
23f62adcfdae0b656e9adbeaca964efee11b5183f1760d439a8f5ca235371e74

SHA512
067732c9d388723535dbbe0d045ce55c627aee9b935e788853c6a4dbf6b3f043cfa8a6d824e4df68cfeea35fbc3d4e61aa014888e62aaf7b54f250bb452d3dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
c6719bcbb3693a60b0a04bdf43ece712

SHA1
3327d09de05b91117bdbc2dfff352fad33a1fc89

SHA256
c0f231b5cecb6ccc69f2f7bda4014b7d210bb4cb0b35a39d60acbeb494843d53

SHA512
cfceb58440937377054e2f4bc7ca7ab53d30cdcb561f299c3768fa0e023481954f1d76d6cfb288e52174feed28c38dee4e8d9beda8f2525ba5967795d6e539fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
eb6a899da295a6054aa019acf26f2f54

SHA1
6a37ef9a850b2e461e8d689a46755eddb523d008

SHA256
c6763ef6cc8279ef864b2a04e048da9c0da47dfbb6b749e2ca015338bd3ff8a3

SHA512
5a0e37f7906e82533d5d78c657a14b750aad3d679833d2ceb30942016c9b5664a7111f39d2bd2337e57189cb371cc3a4c8c7b7b68a4cb587088c82b06d07e0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
0acae0735534a6f5fea474ed3f9d8b3f

SHA1
2846a74dae8133f8463d48a81f94d7e4f397040e

SHA256
d71e8b2c4c310f4b290405fa6a9ac05c360c854e1c2bcceda9879c28b5129047

SHA512
07ea6dd04fa6918d9c2e87d7591611f3c4233ad4bea28f41cbca2f9818a5f6bd8f22ceff6f2985f5c37156a0ff1c2eb9c3afaefb5e4d9c55986e6f49541f5d85

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
ce8eebf8ccd7c087c15f76366af52e7b

SHA1
550de6a455764b4700e057a853087c2268126b1e

SHA256
a7168d153e9c02468942820063de7d1123cec0692e4f9b4f530b435707c820fc

SHA512
2f148ec8ce2be0f9f4760a35647042ec71cd8c87c3fa91bd85d35cb6285d577a21cfe6990fa18e70089f9490f14a916a913bc0c3b951463d657067214bf174a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\45F74106DA84A8B73658052FCC227331EEA75771

Filesize
13.8MB

MD5
abfe79b42770b5a60c98e1c2acae45c0

SHA1
ec32eabc2f652fd4346f6106c0a17eb5c1ecbdc0

SHA256
66440345eb7455d3d7f1f0db21e2e4cf5f82d6c38194c4a2e2ccf6eac82c2e7e

SHA512
9e4fbbd588ff606ed53a12aed113e5b0692938dda8f1e777f1dd86487bb3b6b91ed3a6c32ae9e053f217fc021a37623ed1f9f5b80cca7e2ef775e07b090ce273

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
914207aa9e21d595dfee322599b9839c

SHA1
29b496cb55b6ef17352af1d22c6cf8be715c873c

SHA256
b70633b3511d82e4d3d01f2b109d0d8be29248df236cd92abc5f1d5635026ef5

SHA512
2fe453c0e3789840c3c509e4f4b5accea4e6a3fc89655a54eae0f5ff2ca82abe05cfd69e5c93554df0c1cc86e6014e73398a8203341f8e2e0cdff2ac1703ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswef4dd227cfa79053.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\a\asdk.dll

Filesize
1.0MB

MD5
e3f60a2cf6b1d155f5f7d17615907013

SHA1
8191871854dcbcc4fe34218040215581b0fccf43

SHA256
74fcd2367fb1d9c0084547ebaf1c6db081946453a5d0a2d668d83d3c489a60a9

SHA512
20a57a1d2ce3d081958b4b3b48f1c902039f26dd28abcac94fad6f20e8e5d630bbfd2365eb7200f7c8d676c593cb3dc465a406e8536abdf63bd7ef76bb86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\p\pfBL.dll

Filesize
6.0MB

MD5
5608c585d25c6f3d75762cd0a44cc153

SHA1
a9ae6ecca38b1fcfb08f7fa45a0f063fd9393828

SHA256
ed5826c816ace3bc5fdd471871a0034554773e7da20dbc0a2eac7152cc7fa260

SHA512
6e24928d93b8068f4e03d97159e7dd2ff5ea7817c37a5a06741311b0477fd54b5750451652f79cf53130efc03b9268ce5fa8922e63caf17c1d88d23200eb9867

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\ui\pfUI.dll

Filesize
10.4MB

MD5
9458f8983400a6f1edb9aa70988eb491

SHA1
9b6c0cf5c593e611960be181a13eb078ac9685c5

SHA256
6e1e9e1c9087289e44804dc47d489ead4d00dfddb5651d450f7e6299a994212e

SHA512
f57432d7475507922dd0bdf180dc77c0aae764c35f0ab16dc3eb43b58dcf928c2c8eedf82208692f6f8e040c2f5c7408ad49ce2c3bdc9a054a62057e260342a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssFC5C.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
1aff6b7dcacfef736e286f5e77a5b2a2

SHA1
194958cd9024d65a791bb2fd9683a260f8480f18

SHA256
3556f128ba779d6e7aec11f1fd879a4876c997c7fcd2714df76b4cdd6952f397

SHA512
afab703ba80661474487f1982412449d40f2ab1129cd5683c9e37bb48894fa28ebf56e23d7de96b159fe788f7a9b40c3a50ff648799af8e57ab21ff00e4f264b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
0b60315f033ec43be4d65c04db966d07

SHA1
1dd9b63732e3edb4fb5cea7b7b6a9a246dab5660

SHA256
2595d703919f5cf20b922efb3025f403682292617cdc0ab937db30f3deadcd13

SHA512
68af31df2290b4639a82f33b8c460c24b98cd1c6d7d8e600b842e5a46595e394df9e3d1445379018acbffcf6a7b6ecaf0d1a7b2742ef8d052d0b9309ff653264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
968ab8e4185271c0c5902b1845d4de0a

SHA1
2c1f2ba7dd2c2518ce7ede17a632528a4001c99b

SHA256
ad18fc90ed05cbe00a82809e6817b52d8e6d14e531808f0cf2a18f7b441a966a

SHA512
698999e92fe4ac0c24ce28d584de45603ffbd15a336db128aa3021138bd18ab4a30eb07a1b430291bcfd9e8e9d31edded40bb9adbf8c20792cba35381193afc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
2a0b36a9554a0635839024ea9f88d93d

SHA1
a154422779eeb834e39835af748570900d72f137

SHA256
6c78b742ecb09009c0cb7ddee8b0a8ff12f11e1415f087865f9c375c60db6da3

SHA512
3f04aa0ee36c7130e30c593a6d18292949280ea6437b1c106ece07f12fcd61e2cb1ed796f6158d95f220829fdd6032439891e921df2e4883b95c9b091d766b77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PUD83T0LSKAT49VSP07Z.temp

Filesize
11KB

MD5
7f5a43867f92f786f621aab65a3364b9

SHA1
a970b80787b2ef1c4d72571452c0e7d92eaf88ee

SHA256
32b377446e6c25e23b43fda91e2c5fd2825c96831dedb2309e5ff22a58722202

SHA512
983d244ddf2b852b296d0bcb208e18553d710d18643ab6cf572184cefa4d2cd271d84e25a9e396f99e59b289a2ee5ff839cf49fb3778e601c8b756060507ffc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms

Filesize
8KB

MD5
879c7d47070f94cb87ddeffcb2a72b8b

SHA1
07d072ae5e54809a0aaf5488373cc901f2534749

SHA256
69efa6b4f77eb7e5d2fb1fc79b513cdc6453262d3533ba3c94f1f3f109a7a0a9

SHA512
b1cebe9b2bd1715d31a5ba9051c04ecb2d29184ea256d0fa85f751c12e1e51eb117da029a0df1eff4c5a1dbf42b4cae5c62e6f8ac383301db913826e4d935e46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccc0fa1b9f86f7b3.customDestinations-ms

Filesize
8KB

MD5
dd4dd2106f6dae7212b25a4fe162fa42

SHA1
edf9b17e89b1464be306720aeb5f3c951704c4e4

SHA256
aef05f69e9f54ed965aa68a46748bcbf953ff72bf47deec99dccedbc6006e91f

SHA512
3e60ed9404b2b87275f1af15aca30457b466c37b611b58457f3d24908b46de31e130a3b8b65c2e294466c7c0eb19893bcaf02014a2d107a5a9cb90bdde170f38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
28KB

MD5
c37e99566f100440c845440f8aaa3f12

SHA1
f6abe31b97a18e6d11e16492527a11837c3e587b

SHA256
a6a91727badd9a5afb0dfdfaf85444408f78ff82f28be3391b4e1bba8248c9d7

SHA512
ca11ae408b50a3a8938c695f037e8e5d4d8cc55f9c44ab262a557c772be58d5fe2f0dea9f4c9c5cd6d608493f03a1a6dc7f9f1b591eddfa0f529eb9ebb4a3672

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
28KB

MD5
5e1a2e589b04841bc4bb9b1d2c852b9f

SHA1
23390b1ed9322813195851f1650ba6e5cd117331

SHA256
fa40884265401c5b65080f04111de8323a0c4e2429d9fdfff48bf2306a86c9aa

SHA512
b041091a8d32402f6e753073ca4d5b6d5ee3d2ea3f546c9fc20e2463e01fb0211d795eaf035af97e80430c64b1e70a791bd902b4f62e500a0d57ded842846163

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
8KB

MD5
ab3297ea669ddd4a584d012e5232fc8f

SHA1
4b52725f14d0524898dfcd9d5c58aa9abc0deac4

SHA256
2957a2875232637e04d6782a9c68e64d599ee8cc3a4d9565898744f66a67729a

SHA512
2adb521901c5cd472ec9603950f563bfc790eddb34568e5c12fce0c8e23b9c8f8f960f8d4b64a8cacc2bd6c094dc229033a7aaca7033a3f6ee64683eeb23a3ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
28KB

MD5
38983d5d9ddb000ac559fbf506b1ef33

SHA1
e24d3de11991f9101cf5ba3ebae2e9456d222f5c

SHA256
9022d4547d0afea5720adfe6756e4d785a37c5188f2b8f2d531155ae9226a5eb

SHA512
cdef5fd493831a98b2d35f85532ba28662df920702242134912b02731e13c72c0533a6cf2a04a67bde0e81e08a6b546b9c3202585986ffeb48797c0215468c62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\bookmarkbackups\bookmarks-2024-08-21_11_XTNb6hKDIUnFPREjd0+G7Q==.jsonlz4

Filesize
1012B

MD5
67b74d0e8e6f64471772e21a4c570215

SHA1
47550295454092e1a729749f718c7723a3eeb75a

SHA256
0bef1d137e3061e9d66b2e510319cd48e8f1db575fa57a231f1cb4a6406a3b91

SHA512
7bbe7b6893d1a124b18950aa542aa6c3f736c02eac7427339c2289c12d61f5a8b2fc05642a07340d578754b9ba9bda330871a894e21a915e62e0886435264dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\cookies.sqlite

Filesize
512KB

MD5
f29cca1eeade7b6b77b3b39edd12bc0c

SHA1
dbbc7616d0af4cca9bac60b69cfbf843ad224f8a

SHA256
999d6ac0251f32d1f03e1f0cff4d744ec03f8af436a516c769a82dadf87154fd

SHA512
a7b0858a24196b0d30236bbbda33b7ca63fca3f92c126305b4b25218d37c4106d194491d073a09dfc47795e57e6636f633582eaf336efd7247deae24246cc1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\cookies.sqlite-wal

Filesize
512KB

MD5
dcb629339b369b7892fe893bf550d850

SHA1
01a6c9e0b117c84b6f261382c5aa9829f4d4adb0

SHA256
c5f3b5ec5c3df1e0aba505d1d75ba757d68938039828ae74478075646904de71

SHA512
d1fcc46cd522aa8035daf5b04b3c48d4de02f7acfd65ac64dd91ae0ffb43d66d2ba6ef7fe2bdadcefdfbb3bd0a1acf62f38b2a22973e76f6680b318017ecf83a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
720ef5109529a1093b3e9382c553f35f

SHA1
09141b05a186b7d8555976c350900a03a86e2b15

SHA256
59b5923d17adad62e36bad92e853aba1bca99e3d0401dc7874fcd056043d30b3

SHA512
3eb30113df99ce7ea7ca01daadbca909585d7b30251aa62266b20843571009fe0c30f0096ef6946488c08e87a097399ab52ce59ff0428248c187e903d64c400d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
d25e1ae62ab29e049dda6d9db83ea65b

SHA1
81e6ca14c980a80ab2250ff83de36524d4cd6991

SHA256
b86d78f2bacb5aed04c5b1049b02408505ef1df8e8a5b20a973deba4718cbc81

SHA512
d46017423310733ec91c07679115722e00a4308c1f35cf5edd25775e4d091adbb53925eb67ccaffe0ac7bbd18116b2649416888ae61451dc562b39f1a1addf7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
40KB

MD5
b9ee8653010c2abe0f73d11e6f390349

SHA1
bc1d20b74c4cc41f055fa05ed7b1d5c44ee28e51

SHA256
f3cd79ad3bbd3884b1dad0ead15056d5a03e0baba21bc1f8fe1f2f2e3df872dc

SHA512
67348a73b677f1c1cdc871254330db9d2fdb312a951e5ff0583063553f7db1da8dd6ffc7ffc8fb0da4de44a8927d3252c0491597e8b9874aa4d0d6293720080a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
41KB

MD5
f3c12ab550d25a1d6a5882ae5879b58c

SHA1
b5b4eb9c73f40f343c6972f9306cc184eeeef6bf

SHA256
fb84b5f5e45ad97d7ffbcd4d10e5fc4cb6a26cbfaee8d61eebfe5286edd17e34

SHA512
24cd27670059e35390e43cc5203ac834bb85d7baea7b2262d2350db03335d72ad80aecd5e46af7d54eb5e3f8b462f73ab4267d541dae00c76a5ddf617fd895e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
331ce8d36c42bcfc17072484dabe1f3f

SHA1
5533d8c6707476764c2188b2c059c60f1f036475

SHA256
0fb9b01230e86ea57de4701b686691514e93dc5b14c410f581835a33501f2916

SHA512
0c9e5b73f1c363b5fa04daf7282ec84b6a546639803de8cd33b503bb17e3b8def0f4b487eac54c719b6ef46fe35d1d87dcaebe40cc587b2cbff2fafee38779a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
41KB

MD5
d65f345d856f6e33cf3662d37aa78170

SHA1
e7f1d8de6ca9f979e1b2455bb3263269f51236cf

SHA256
2667388ffe45336425882b4680b1a0359dc6b2a085739428b3185f21cf4180f4

SHA512
56b07c6b0b3f8f69f74d8fdd3f11aedf741eadbbd39a4de0b1cbf6a1f7041381d166d6e4e9388d6e83ac72a044b841e31505f9d382e26952771f39343e008e31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5cdfb5eb0a0018306822968c418c3399

SHA1
4f1d8cab5b493f43061b6e0c1a340d34db913648

SHA256
05f0ab382e8adccb7cbecf48613d7be8a280c5e6148f3ce1e903fa22b091b3cd

SHA512
f8e11f4ea96fcc7951492b9c20ab7bfa39e13213cb5722a239668ebcab3d0a06899925701b26dc53c33e3467f4287bc9743b7e77fc600256c60998e244f102b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7309b8cfb2ab4a7a0716a0835e75aae6

SHA1
540f58ce47a4b839f0a6a99d42ad0b99e59ffeae

SHA256
ca7f787aded3adb60264406900a092ad15b4dab68dd552fcaf73ba27b7c078dc

SHA512
21350d539646c8f931e5841956976da834f485c2174564b9b00163668e45dfe929b8664da94dd603651fc6be941314aa2ab5134c49d7819d2c728390daad6b09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
aa847dddfcc78a8501cc9d535dc7013f

SHA1
95fbd096413d0c9dfca5287d89868c03ec8e10ef

SHA256
c7384cab79980823d86eee35ee96285423a83d480403a255c64dedd3a9cca468

SHA512
ea333f68b38bdfd48e8adf6beb46faea2cc03d8ff9855faa06d39888e57fcd0a0d4e514a21608f6990d6adbe561a0b870cc7424425140cdf37bcb1f4691d5f6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\0ca1eee0-cfdc-4986-a822-6d75fa5cd70a

Filesize
671B

MD5
8336f4c88190caf4a6a98216aaab2802

SHA1
04bb0bd9e516ba6e6c78737edded789f049009ef

SHA256
a634d458305e8a0efab001ee7927520a68b466dd6de9e9c287d07ddb6bb6d633

SHA512
84255d19c2492fd0ec5c0f0fa46c3732e0144d8751b8cf7787659f9a878efd4c5d66315f06d69e071cbe48ed8e8e289b634f868f4e43d3e925dcde32aeec3782

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\2662f149-3719-4c67-a3d8-4d2e9ed3f4d6

Filesize
982B

MD5
d3474a67e7b5e032f0606b0cd42dc192

SHA1
6ef4bbac4a6178be80f3339c45c48d55f6896cf6

SHA256
2d96446e11167e4ff30c6fa82c4541b8c94684fc7f683b13ac3435240943e859

SHA512
e4bded7600d1de2c3f249cb2323c84588909af39cdc3f16eeb518d2a5be27cd98376edf5670d216b13f3e80e6d01451f0d519c0f91ad86633a0e529d4e7b11cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\bdfb52ed-a313-4f3e-b3ea-6cf99f40bf25

Filesize
25KB

MD5
bd2fd81207f7a25fa0c0f52591215f01

SHA1
7c322a5fed2b5513eaa27d87e8657f5f9cbaf689

SHA256
2f6fefad63d6ff4b2ee28ba408b37b734ea40d1ae8d1282a06d61cb8dc733c1b

SHA512
404db3bb26bec6eacad6d2e473d891fa601440df5c833b10367ed247061b0b912411a727ade0090fbeb7c14a8878cf359d28867f8ea521ad08604899c67e3a85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\downloads.json

Filesize
828B

MD5
9692389251d8719938e94b83b75534a1

SHA1
825c674e13a7c243a183b91f80747eddcab8f2f0

SHA256
c9bcc580e7b37f7c98eacbe4f7f824be596583ce426f2e1cda85d84419e998fe

SHA512
08fd50eac95dc4b5e4799f317f80ed06a5f8c592a1b3d91d81e065180c6d18742124c014ecaa03371ac9635bc96d3ed1d7e47db9303515daf69a549d4e685f57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
11KB

MD5
b45fd44b7b9fe8a1ce93fdef8feacc31

SHA1
0783740921ce953195cd72873bb1441f809157d5

SHA256
a458222df0d9c8bdb4cd619af9657f5c0c3e517547b860b735fa4cecaab7caf1

SHA512
aef0847ec3f85ec5eff1ff609067b08b1e75b9f02f89e11234068d8bfc9dfa4094787fa3cde707f3a808f3178e8c3648bc4766f5576e3d98c3a046aa91a43398

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
11KB

MD5
9a162b0c502814ca23ec42c47ba399bd

SHA1
33cee87360e213414e7e1da162b7e2fd29c48973

SHA256
1667c6fc7d2fcfae35d852791ad2e1708af8ce24ff633d93c53bd69f48ac20b8

SHA512
6eb1d701e5b679184849dbe8ff134a734bc92019cd8d5593f31553d0fa293f2bd00e53e19a9304d36bc40a0d0e1da29479b3a229c0472686aafbd36b5e5debd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
13KB

MD5
88cbff648805d3da8685b37417161690

SHA1
19ee5918ac3c37f03e622ec7a2fa52b36ea86f95

SHA256
5b2208365f6acccd9bf635e11bfc25b48bf6a174e2468fbd9fbbc10e71f887db

SHA512
a229d6c04e16efdf72ad351ba8ecb13996c5b34639e333ed1bdf25a8dbe90ae27887a4ce171934424cc61f93783080263516fef940ce0c174b2ea804c47a4f44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
13KB

MD5
44820f477a5a31068dd217f164a9f96b

SHA1
59134412c8ea8ef2529cbd842f927ce6b3bcdbeb

SHA256
b1bc7f37a98671e099ce4587853677a5e098dfa3e49b056d6d689b6a21800f98

SHA512
32feb552156e4fbe951eec28062610404fefd4bcb17529e5f5588506f806dc49df7aa7d85082de91274b777682cd8b2ef19c152c99e887ae47e1168b8247bf18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

Filesize
10KB

MD5
e5ac4db55eb6d022bd390b215f00990a

SHA1
e2b75b56d49ba783b32c36d6b5550a8ed24cd2eb

SHA256
f4eec190006fca04053b339c4ac698571280a5ea3748a9b1ad6006ab0607484b

SHA512
e9e2bab9b45ab2cc19700211b78a21edbe9911af22447960bd44a15c11c1bcbae74e7341e27dde8f6fcff0e96be0a3b6266bbc0855802357a7e8235e27d563f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
811a7cac987cd542ea08f385a3ab96b5

SHA1
1df1214c3a2eff4f600c1e970ea5d1f9ba8a0f25

SHA256
3f47d91b2383a22eac5efe26fb73aa6c73318b18c4136bb1f157cb42db9b4674

SHA512
741ed187fc72b0e7bd6a61d34938460df6b834451633989ec80e1feb71848be3f6bec5887a6c303039ac0cbac08046032d7f677a1f4e84e0581056ba7a86c0de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
ce379c251cb82fb965121230c923f3b7

SHA1
f8811577cbf3f2324d7392b50de82007f413b7c9

SHA256
b81a736abb560690cad820e37df4f0d9860f1f9db2eab7b4aadf5d3ae37bb2f7

SHA512
c394b1f16db6c7ef113c1b322e62e8f9e35b9368a9b266759a9d26603d4540aa495c3eab506195bb5d040234c6d5c7120efec0fd2376bd4d80d53ed49dfe6d17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
9b0c2aae3c8cb25abf18b017367457ac

SHA1
484d9285902ec7574fc42e00a36cd5bc871a66d3

SHA256
9d8c8d685c62e91ce99121045e389907b83984e980f8a00b64fbff51d8e21cb4

SHA512
ef1a70c6240f7475af1f86afa915c52497a35b33c906fba3c8079efda24f087a3d7fd7b4c30a81ec112245c8c0ce2f75cec6ae72db0b6a34d1f8b5ff326717b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
06cc55cf6950b58bc5d5073c09d1cd6e

SHA1
b6f3148363618aab8c246dd0cc8d92aee958f7e3

SHA256
17c2f4a33719d690cf20808c78f1e21801bfdd761bad64330f4ec0f5b9cd48ab

SHA512
65a4976370e6fd57a1fb8e0321574ffd98378261daf691b290bc2dd212fa951c0ab0797fb0671c6ddf68653eaf88d4e8974e2a894e69ed02b43ac022caeceac2

Download Submit
C:\Users\Admin\Downloads\CCleaner 5.89.9401 all editions\CCleaner 5.89.9401 all editions\BlockHost .bat

Filesize
2KB

MD5
dfd971376c0e302444063d09f0611480

SHA1
f788277396d60cf859a41aad3f4be98d9ed3d654

SHA256
70b9fad492d4a8dac2c74ddcc5c841a72dd13c33e4b76ad9f629e7462c9ca15d

SHA512
3fe8f99353d6c9f027191484e50eba250bc356909a59fd80ef5a5e6b8ce270020bd42bf956240bbd398fcf011dc57ba709eb49a54b83a0554463cd08c5392eb6

Download Submit
C:\Users\Admin\Downloads\itf5Vkpr.exe.part

Filesize
15KB

MD5
b9abd1c8f7b07b381dd5df18acf65b8a

SHA1
d90fe33a7e3389a4561b95e1aed9dcae86c85965

SHA256
9e90310565ed46192e5ff2a593ee4fe0a445da10af1d62c711feb746af3ad975

SHA512
dfb19996cd9c422943217ef24579f0c345c7fc82b1425b3186d32f8e71aa03f5e8f57c6da271e29221aaecc2bec6c0233c7376c43545a03920649bbce11c5c93

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c62d323d446ba4574291abed0fdf0f91

SHA1
63d2ebeb0e573b28387d0cfd0efcc10470f0c1f9

SHA256
6ae651f5a1c17dcb0de7d4597b010c8af58496db6ec1e7dc165c495d72238776

SHA512
3211e96f32af3df82cc7623c6feae64d65d0ad762d005d533418e95e711f8c7c6cce17d48c12633ab89c9f95eab99437d720666bd99a183429327551a9b2b809

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
067a5864acf4592252b1459d7e8bca41

SHA1
2f653c832eafad8fd713cd12cba2a214b5e35123

SHA256
6a91f48b5487141cb427ee2317995c83ea951ca592fb1b5a2f6ebb85e36da7ed

SHA512
5b6548d400218e5cd5f1d06870e4975747f87062cedd441aa6ad1883087dc4f1658c28a3686e49494dcb594a2fada686b653fe032005124d5b9b8422e022be49

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c45342418ebf5bd86e0a85d0a2a70d46

SHA1
36fab6ad35943de229636cd2a72d7223f14696c8

SHA256
1b9665d24dad1de8c24e8b6cc4a44a23182b2af9972eeb3fcb76cb59c2e534f7

SHA512
617717213fb698d874825d4dcb224086b75a4fe662d6d49d23b233731e8e4e7455224fa171960b0b780d19f7c14213957d96cf1b654f517a70e4cee2526b49e8

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
eadb320605259344cac7db7b42d353f1

SHA1
8baa6fdcf8eb55dc849f22cb6f10759174c7a466

SHA256
9f7a5f648ea3181b042343f8c19ab72508bb0ac078620a988947bb872d52c218

SHA512
475d3a2788588ae70d5b4387999c578ba7ecbb4d1166fdbbdc4a433176bc658809fa327c42861f64949c1e4a9b9e9b5e69973d0919526015ba758f60774dbb2a

Download Submit
memory/4736-1591-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/4736-1590-0x0000000005C20000-0x0000000005C28000-memory.dmp

Filesize
32KB

Download
memory/4736-1617-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4736-1613-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/4736-1610-0x0000000005BE0000-0x0000000005BE8000-memory.dmp

Filesize
32KB

Download
memory/4736-1608-0x0000000005900000-0x0000000005908000-memory.dmp

Filesize
32KB

Download
memory/4736-1600-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4736-1597-0x00000000058C0000-0x00000000058C8000-memory.dmp

Filesize
32KB

Download
memory/4736-1566-0x0000000003850000-0x0000000003860000-memory.dmp

Filesize
64KB

Download
memory/4736-1594-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/4736-1592-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/4736-1558-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download