hxxps://www[.]mediafire[.]com/file/b1pf3w7m815r53m/CCleaner+Professional+Plus+6[.]27[.]kuyhAa[.]7z/file

Analysis

max time kernel
1800s
max time network
1724s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
28-08-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/b1pf3w7m815r53m/CCleaner+Professional+Plus+6.27.kuyhAa.7z/file

Score

8^/10

bootkit defense_evasion discovery exploit persistence privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

attrib.execmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	attrib.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2944 takeown.exe
5936 icacls.exe

pid	process
2944	takeown.exe
5936	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

Processes:

CCleanerBundle-627-Setup.execcsetup627_pro.exeCCleaner64.exeCCUpdate.exeCCUpdate.exercsetup153_pro.exerecuva64.exespsetup132_pro.exeCCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exewa_3rd_party_host_32.exe

pid	process
4828	CCleanerBundle-627-Setup.exe
4808	ccsetup627_pro.exe
2560	CCleaner64.exe
3964	CCUpdate.exe
1064	CCUpdate.exe
1832	rcsetup153_pro.exe
4876	recuva64.exe
5036	spsetup132_pro.exe
1632	CCleaner64.exe
5976	CCleaner64.exe
5176	CCleanerPerformanceOptimizerService.exe
5756	wa_3rd_party_host_32.exe

Loads dropped DLL 44 IoCs

Processes:

CCleanerBundle-627-Setup.execcsetup627_pro.exeCCleaner64.exeCCUpdate.exercsetup153_pro.exeregsvr32.exeregsvr32.exerecuva64.exespsetup132_pro.exeCCleaner_Patch22.exeCCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exe

pid	process
4828	CCleanerBundle-627-Setup.exe
4828	CCleanerBundle-627-Setup.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
1064	CCUpdate.exe
1832	rcsetup153_pro.exe
1832	rcsetup153_pro.exe
1832	rcsetup153_pro.exe
1832	rcsetup153_pro.exe
1832	rcsetup153_pro.exe
1832	rcsetup153_pro.exe
4784	regsvr32.exe
2840	regsvr32.exe
4876	recuva64.exe
4876	recuva64.exe
5036	spsetup132_pro.exe
5036	spsetup132_pro.exe
5036	spsetup132_pro.exe
5036	spsetup132_pro.exe
5036	spsetup132_pro.exe
1780	CCleaner_Patch22.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
5976	CCleaner64.exe
5976	CCleaner64.exe
5176	CCleanerPerformanceOptimizerService.exe
5976	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2944 takeown.exe
5936 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2944	takeown.exe
5936	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 22 IoCs

Security Software Discovery

T1518.001

Processes:

CCleanerPerformanceOptimizerService.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\avira\launcher\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\avira\launcher\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

CCleaner64.exeCCleanerPerformanceOptimizerService.execcsetup627_pro.exeCCUpdate.exeCCleaner64.exeCCUpdate.exercsetup153_pro.exeCCleaner64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleanerPerformanceOptimizerService.exe
File opened for modification	\??\PhysicalDrive0	ccsetup627_pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	rcsetup153_pro.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in System32 directory 17 IoCs

Processes:

CCleaner64.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_4411de1bdd5382d9\disk.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_06bb16552d790e06\cpu.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b2036a5d6cbf5691\umbus.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	CCleaner64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_91108ad24fd52958\vhdmp.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_4cf9a878972c8fa1\pci.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_2272ffce58da1b4a\swenum.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_72dbcbbbb0666b3f\monitor.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_2b4e9b8ed43ceb06\acpi.PNF	CCleaner64.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_8343533b38a2a0da\cdrom.PNF	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup627_pro.exercsetup153_pro.exeCCleaner64.exespsetup132_pro.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner_Patch22.exe

description	ioc	process
File created	C:\Program Files\CCleaner\wa_3rd_party_host_64.exe	ccsetup627_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1034.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1050.dll	rcsetup153_pro.exe
File opened for modification	C:\Program Files\CCleaner\LOG\DriverUpdEngTask.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\LOG\burger_client\8866F8A9-70C9-43A2-BFBE-EE00AA2DC417\07689a64-6cc9-4c6f-99f4-fd79a28e905d	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\libwalocal.dll	ccsetup627_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1062.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\LOG\DriverUpdEng.log.tmp.6a8c929e-561b-4579-8752-76d5a78e758b	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\Data\usercfg.ini	CCleaner64.exe
File created	C:\Program Files\Recuva\Lang\lang-1029.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-5146.dll	rcsetup153_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup627_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1026.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\LOG\su_controller.log.tmp.46e649fd-1551-45f1-9366-0829d8334144	CCleaner64.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup627_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1041.dll	spsetup132_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1053.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\Setup\acc9028d-64f3-4ab4-b3d5-28f790412982.dll	CCUpdate.exe
File created	C:\Program Files\Recuva\Lang\lang-1052.dll	rcsetup153_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\libwautils.dll	ccsetup627_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1044.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1051.dll	rcsetup153_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1058.dll	spsetup132_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1043.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-9999.dll	rcsetup153_pro.exe
File created	C:\Program Files\Speccy\Speccy.exe	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\LOG\su_telemetry.log.tmp.44f6f89f-ef35-4ceb-a881-02a3b3588cb9	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	ccsetup627_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1048.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1026.dll	rcsetup153_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-5146.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Setup\config.def	CCleaner64.exe
File created	C:\Program Files\Recuva\recuva64.exe	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1036.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1035.dll	rcsetup153_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1032.dll	rcsetup153_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1038.dll	spsetup132_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-3098.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\Recuva\Lang\lang-1027.dll	rcsetup153_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1045.dll	spsetup132_pro.exe
File opened for modification	C:\Program Files\CCleaner\CCleaner64.exe	CCleaner_Patch22.exe
File created	C:\Program Files\CCleaner\LOG\event_manager.log.tmp.193bd52d-2ab3-4943-95dd-0ffe27051ee9	CCleaner64.exe
File opened for modification	C:\Program Files\CCleaner\LOG\su_telemetry.log	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup627_pro.exe
File created	C:\Program Files\Recuva\Lang\lang-1061.dll	rcsetup153_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup627_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1043.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\Data\StateHistory\InitialDUState V24_2.dat	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	ccsetup627_pro.exe
File created	C:\Program Files\Speccy\branding.dll	spsetup132_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup627_pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup627_pro.exe
File created	C:\Program Files\Speccy\Lang\lang-1036.dll	spsetup132_pro.exe

Drops file in Windows directory 31 IoCs

Processes:

CCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00008.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00009.log	CCleaner64.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00007.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\TEMP	CCleanerPerformanceOptimizerService.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	CCleaner64.exe
File created	C:\Windows\Tasks\CCleanerCrashReporting.job	CCleaner64.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	CCleaner64.exe
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

cmd.exe

pid process

4224 cmd.exe

pid	process
4224	cmd.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Program Files\CCleaner\CCleaner.exe	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CCUpdate.exercsetup153_pro.exeregsvr32.exeCCleaner_Patch22.exewa_3rd_party_host_32.exeCCleanerBundle-627-Setup.execcsetup627_pro.exeCCUpdate.exespsetup132_pro.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rcsetup153_pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleaner_Patch22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wa_3rd_party_host_32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleanerBundle-627-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccsetup627_pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spsetup132_pro.exe

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceType	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceType	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	CCleaner64.exe

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exeCCleaner64.exeCCleanerPerformanceOptimizerService.exeCCleaner64.execcsetup627_pro.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup627_pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup627_pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleanerPerformanceOptimizerService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleanerPerformanceOptimizerService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup627_pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleanerPerformanceOptimizerService.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2252 timeout.exe
2128 timeout.exe

pid	process
2252	timeout.exe
2128	timeout.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

ccsetup627_pro.exeCCleanerPerformanceOptimizerService.exercsetup153_pro.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup627_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup627_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva\Language = "1033"	rcsetup153_pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\OneDriveSetup = 020000000000000000000000	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva	rcsetup153_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\Recuva\Language = "1033"	rcsetup153_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\Recuva	rcsetup153_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva	rcsetup153_pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\Recuva\Language = "1033"	rcsetup153_pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	CCleanerPerformanceOptimizerService.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\OneDriveSetup = 020000000000000000000000	CCleanerPerformanceOptimizerService.exe

Modifies registry class 64 IoCs

Processes:

ccsetup627_pro.exeregsvr32.exespsetup132_pro.exercsetup153_pro.exeCCleanerPerformanceOptimizerService.exeOpenWith.exeCCleaner64.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\ = "RecuvaShell 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY	spsetup132_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open\command\ = "\"C:\\Program Files\\Speccy\\Speccy64.exe\" \"%1\""	spsetup132_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\SOFTWARE\Piriform	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Software\Piriform\CCleaner	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL\AppID = "{80109467-DE5A-42A1-9445-7E3952C80B6E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open\command	spsetup132_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\RecuvaShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup627_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\SOFTWARE\Piriform\Recuva\Language = "1033"	rcsetup153_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\SOFTWARE	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RecuvaShell.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\ = "open"	spsetup132_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell\open	spsetup132_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}\ = "RecuvaShell"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.speccy	spsetup132_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\shell	spsetup132_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "3aacf41f-ec41-465e-ab42-41805ee8ba3c"	CCleanerPerformanceOptimizerService.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\DefaultIcon	spsetup132_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Speccy.SPECCY\DefaultIcon\ = "C:\\Program Files\\Speccy\\Speccy64.exe,0"	spsetup132_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Software\Piriform\Recuva	rcsetup153_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\ = "RecuvaShellExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367"	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RecuvaShellExt\ = "{435E5DF5-2510-463C-B223-BDA47006D002}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "3aacf41f-ec41-465e-ab42-41805ee8ba3c"	CCleaner64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367"	CCleanerPerformanceOptimizerService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\0\win64\ = "C:\\Program Files\\Recuva\\RecuvaShell64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup627_pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup627_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup627_pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{80109467-DE5A-42A1-9445-7E3952C80B6E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{435E5DF5-2510-463C-B223-BDA47006D002}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA6C28CD-35A7-4D30-864B-5CF44422BAD2}\1.0\HELPDIR\ = "C:\\Program Files\\Recuva"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAl/tMwQQ8gECvViRkutyOHwQAAAACAAAAAAAQZgAAAAEAACAAAAAbkQUTn1lpoeDm0FZgmkLRU9JJXQAGIak84+6LDG28MwAAAAAOgAAAAAIAACAAAABMekzjNY2bRjKGIFmvHn3VxxXNtRzCmwvluYBG2NYYnjAAAAA3jSzrVQTGr9jHPcF+DzRMoqUSgIurQSPchPASLfKbtWcnlDLJsLOtuxj76iLLePpAAAAA1IMVgDYVpbz2aD9DbFKo24r6WNzJGvhsu0cswWLKywv0NHe63JNjWV+99xgdFDQv8bdokFiLg/HynVRIOBglnQ=="	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup627_pro.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa.7z:Zone.Identifier firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

CCleaner64.exe

pid process

1632 CCleaner64.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa.7z:Zone.Identifier	firefox.exe

pid	process
1632	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ccsetup627_pro.exeCCleaner64.exe

pid	process
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
4808	ccsetup627_pro.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe
2560	CCleaner64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CCleaner64.exe

pid process

1632 CCleaner64.exe

pid	process
1632	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

firefox.exe7zG.execcsetup627_pro.exeCCleaner64.exercsetup153_pro.exerecuva64.exespsetup132_pro.exeCCleaner64.exeCCleaner64.exe7zG.exewa_3rd_party_host_32.exe

description	pid	process
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeRestorePrivilege	5980	7zG.exe
Token: 35	5980	7zG.exe
Token: SeSecurityPrivilege	5980	7zG.exe
Token: SeSecurityPrivilege	5980	7zG.exe
Token: SeRestorePrivilege	4808	ccsetup627_pro.exe
Token: SeDebugPrivilege	2560	CCleaner64.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeRestorePrivilege	1832	rcsetup153_pro.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	4876	recuva64.exe
Token: SeBackupPrivilege	4876	recuva64.exe
Token: SeRestorePrivilege	5036	spsetup132_pro.exe
Token: SeDebugPrivilege	1632	CCleaner64.exe
Token: SeDebugPrivilege	1632	CCleaner64.exe
Token: SeTcbPrivilege	1632	CCleaner64.exe
Token: SeAssignPrimaryTokenPrivilege	1632	CCleaner64.exe
Token: SeIncreaseQuotaPrivilege	1632	CCleaner64.exe
Token: SeDebugPrivilege	1632	CCleaner64.exe
Token: SeTcbPrivilege	1632	CCleaner64.exe
Token: SeAssignPrimaryTokenPrivilege	1632	CCleaner64.exe
Token: SeIncreaseQuotaPrivilege	1632	CCleaner64.exe
Token: SeDebugPrivilege	5976	CCleaner64.exe
Token: SeShutdownPrivilege	1632	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1632	CCleaner64.exe
Token: SeShutdownPrivilege	1632	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1632	CCleaner64.exe
Token: SeRestorePrivilege	2256	7zG.exe
Token: 35	2256	7zG.exe
Token: SeSecurityPrivilege	2256	7zG.exe
Token: SeDebugPrivilege	5756	wa_3rd_party_host_32.exe
Token: SeSecurityPrivilege	2256	7zG.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe
Token: SeDebugPrivilege	4864	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

firefox.exe7zG.exeCCleaner64.exe7zG.exe

pid process

4864 firefox.exe
4864 firefox.exe
4864 firefox.exe
4864 firefox.exe
5980 7zG.exe
5976 CCleaner64.exe
2256 7zG.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.exeCCleaner64.exe

pid process

4864 firefox.exe
4864 firefox.exe
4864 firefox.exe
5976 CCleaner64.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

firefox.exeCCleanerBundle-627-Setup.execcsetup627_pro.exeCCleaner64.exeCCUpdate.exeCCUpdate.exercsetup153_pro.exerecuva64.exespsetup132_pro.exeCCleaner64.exeCCleaner64.exeOpenWith.exe

pid	process
4864	firefox.exe
4864	firefox.exe
4864	firefox.exe
4864	firefox.exe
4828	CCleanerBundle-627-Setup.exe
4808	ccsetup627_pro.exe
2560	CCleaner64.exe
3964	CCUpdate.exe
1064	CCUpdate.exe
1832	rcsetup153_pro.exe
4876	recuva64.exe
5036	spsetup132_pro.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
5976	CCleaner64.exe
2944	OpenWith.exe
2944	OpenWith.exe
2944	OpenWith.exe
2944	OpenWith.exe
2944	OpenWith.exe
2944	OpenWith.exe
2944	OpenWith.exe
1632	CCleaner64.exe
1632	CCleaner64.exe
1632	CCleaner64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4156 wrote to memory of 4864	4156	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4360	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4360	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4284	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 5016	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 5016	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 5016	4864	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2768 attrib.exe
5980 attrib.exe

pid	process
2768	attrib.exe
5980	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/file/b1pf3w7m815r53m/CCleaner+Professional+Plus+6.27.kuyhAa.7z/file"
1⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/file/b1pf3w7m815r53m/CCleaner+Professional+Plus+6.27.kuyhAa.7z/file
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.0.759071129\2096403760" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a0fc8b4-c437-4c62-ba72-cee87e8a5da6} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 1776 246910d2158 gpu
3⤵
PID:4360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.1.94783617\1458536863" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21628 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13aa9145-d514-4287-95de-6024980f6e4b} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 2152 24690ff0658 socket
3⤵
PID:4284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.2.1392200256\440781584" -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 3012 -prefsLen 21731 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b451f6d-9427-4685-b225-477edf094442} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 2988 24694defa58 tab
3⤵
PID:5016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.3.687302366\286038057" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3440 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec7494ac-457a-4ae8-a465-9001ff219926} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 3500 24693ad1258 tab
3⤵
PID:708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.4.951918081\1731194017" -childID 3 -isForBrowser -prefsHandle 4948 -prefMapHandle 4944 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52bac8bc-3d1c-4dd1-8531-3fa4808ed07e} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 4960 246978ba258 tab
3⤵
PID:1992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.5.1090745151\827118764" -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38c86107-5d23-4236-a33c-0a11165250a1} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 5052 246981e6158 tab
3⤵
PID:4184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.6.1093855583\1707733278" -childID 5 -isForBrowser -prefsHandle 5348 -prefMapHandle 5344 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf9b27c-5818-45ba-aeb9-3851ba475d31} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 5264 246981e7658 tab
3⤵
PID:336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.7.1405291459\1958116705" -parentBuildID 20221007134813 -prefsHandle 7096 -prefMapHandle 7036 -prefsLen 26195 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca9ee829-fc18-4cdc-a620-e9122681a819} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 7020 24698ceea58 rdd
3⤵
PID:2792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.8.571441253\241649094" -childID 6 -isForBrowser -prefsHandle 9180 -prefMapHandle 9196 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad78bff6-926f-4861-bde4-b4c193f06c59} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 9172 24697879258 tab
3⤵
PID:3144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.9.1714295996\678381222" -childID 7 -isForBrowser -prefsHandle 9156 -prefMapHandle 9144 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd9cbc7c-f66d-4210-b20e-91fce738981f} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 9048 2469787b358 tab
3⤵
PID:5096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.10.1519511008\1501352736" -childID 8 -isForBrowser -prefsHandle 8836 -prefMapHandle 8832 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {335daa14-0635-4cb7-81ed-b6012bd66ae4} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 8844 2469c1f9458 tab
3⤵
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.11.113358384\1547994701" -childID 9 -isForBrowser -prefsHandle 8792 -prefMapHandle 5068 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec170f5a-edad-433f-a76f-67c118e19b1d} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 8648 246986d6558 tab
3⤵
PID:5188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.12.495558256\958478367" -childID 10 -isForBrowser -prefsHandle 8800 -prefMapHandle 8768 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0970909d-3ea8-4ea1-ba26-57df40b8c228} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 8772 24698fbce58 tab
3⤵
PID:5196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.13.2006548133\836832716" -childID 11 -isForBrowser -prefsHandle 8812 -prefMapHandle 8808 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa29a60-18d9-4021-a42b-3d06f4657576} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 9156 24698fbe958 tab
3⤵
PID:5204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4864.14.606133348\518122972" -childID 12 -isForBrowser -prefsHandle 8104 -prefMapHandle 4960 -prefsLen 27485 -prefMapSize 233414 -jsInitHandle 1240 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53361945-6e23-400c-a612-428c9d2e86da} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" 8688 246981e5858 tab
3⤵
PID:5584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6076

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\" -ad -an -ai#7zMap6077:136:7zEvent26420
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5980

C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\CCleanerBundle-627-Setup.exe
"C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\CCleanerBundle-627-Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Users\Admin\AppData\Local\Temp\ccsetup627_pro.exe
C:\Users\Admin\AppData\Local\Temp\ccsetup627_pro.exe /L=1033 /AS=
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3964

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\acc9028d-64f3-4ab4-b3d5-28f790412982.dll"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Temp\rcsetup153_pro.exe
C:\Users\Admin\AppData\Local\Temp\rcsetup153_pro.exe /L=1033
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4784

C:\Windows\system32\regsvr32.exe
/I "C:\Program Files\Recuva\RecuvaShell64.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2840

C:\Program Files\Recuva\recuva64.exe
"C:\Program Files\Recuva\recuva64.exe" /installationComplete "bin|folders|allusers"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Users\Admin\AppData\Local\Temp\spsetup132_pro.exe
C:\Users\Admin\AppData\Local\Temp\spsetup132_pro.exe /L=1033
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Program Files\CCleaner\CCleaner_Patch22.exe
"C:\Program Files\CCleaner\CCleaner_Patch22.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1780

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5976

C:\Program Files\CCleaner\wa_3rd_party_host_32.exe
--pid=1632
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5756

C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe
"C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5176

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\_Jamu cclenaer\LEER.txt
1⤵
PID:4248

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2712

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\_Jamu cclenaer\Patch22\" -ad -an -ai#7zMap12925:262:7zEvent24951
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\_Jamu cclenaer\Patch22\LEER.txt
1⤵
PID:3444

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\Activation\keygen for Defraggler, Recuva, Speccy\readme.txt
1⤵
PID:1572

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\_Jamu Defraggler, Recuva, Speccy\readme.txt
1⤵
PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\CCleaner Professional Plus 6.27.kuyhAa\CCleaner Professional Plus 6.27.kuyhAa\_Jamu cclenaer\0 - Piriform-BlockerKeyVerificator_RunAsAdministrator.cmd" "
1⤵
- Drops file in Drivers directory
- Access Token Manipulation: Create Process with Token
PID:4224

C:\Windows\system32\fltMC.exe
fltmc
2⤵
PID:4028

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:2252

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers\etc\hosts" /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2944

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5936

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2768

C:\Windows\system32\find.exe
FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:5484

C:\Windows\system32\find.exe
FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:6116

C:\Windows\system32\find.exe
FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2312

C:\Windows\system32\find.exe
FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:5048

C:\Windows\system32\find.exe
FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:4536

C:\Windows\system32\find.exe
FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:3668

C:\Windows\system32\find.exe
FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:5960

C:\Windows\system32\find.exe
FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:4876

C:\Windows\system32\find.exe
FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:5516

C:\Windows\system32\find.exe
FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1060

C:\Windows\system32\find.exe
FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2116

C:\Windows\system32\find.exe
FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:5096

C:\Windows\system32\attrib.exe
attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5980

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe

Filesize
809KB

MD5
943a4f169e9a3303ed6defc1ac3690bd

SHA1
e0bd76b866624164c10b85d37efb6474b84164df

SHA256
e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240

SHA512
da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c

Download Submit
C:\Program Files\CCleaner\CCleaner.exe

Filesize
37.3MB

MD5
01810f560b84f321ff3915022ddab99a

SHA1
7f08dbebd49233d6b8c2b98b38573b54ff9a8c88

SHA256
6178d8786aabcf14fc114a3bd53b5b09d41ba0840842d4dfb06ccd565ec01a5f

SHA512
ccc25dc7e8e49030c0bafcdd9a13e5a6b7ac78630b93ecf5a081e19f91fc0a756fd7d984051317e9862dd2a65e6e5882ff7b87dc2f74cd8c58b56aa478f4c2af

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe

Filesize
43.0MB

MD5
049c362975252b6a2d997a6b72d37bcc

SHA1
cb2766a228f5afe4a886e001fcce03ccebc2d30b

SHA256
4bdf21db063d16f7e20f59113276d1dee1cdbebcef30d42d777d9b90c7830810

SHA512
8075a71b5fe374061b675490883ba07b14c39372042779dd7f6d7498146cdc695d25a13a70fbf58f77a96b0ab962d7ba21bba67dcb8bb43320eefe736c809495

Download Submit
C:\Program Files\CCleaner\Data\DUState.dat

Filesize
142KB

MD5
1606d87da8821441368e678d42772e0c

SHA1
375ad0aee0e66aaec5a0ff7fad4035dda01f1c0d

SHA256
b7d01a172fb31b598e9c5035a6e7d95a9077dc6be692ec9806fa132fac1b3646

SHA512
810b5c0a4c27bb1ba34936dabfb793e087c34784054388e093af3309d045440974020a8c84b3264f914d568b1ce2a44c1d80504d5bdee52ed60056b414ee0970

Download Submit
C:\Program Files\CCleaner\Data\usercfg.ini

Filesize
131B

MD5
3fd7c5c84dda3f3df804339007375f95

SHA1
75233f25769297c8918647c81f6f9b3f602dcde0

SHA256
07d4ef4131122ab5b4aa604dcbf9e3fea01e26d1324ab4a64adfb85ea1cf528f

SHA512
cafc10d69aed8ba9174792f480685b99788092f97312d109888446ec685f77f80f60652913651f43aedd553d699e28424581c5f5cb09aa3ab45295c5d5135d9f

Download Submit
C:\Program Files\CCleaner\Setup\82368eef-d423-4dc6-8940-4a9526d6fcce.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\acc9028d-64f3-4ab4-b3d5-28f790412982.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\fae51d79-58ac-4eab-8398-0e1f407d4b40.xml

Filesize
818B

MD5
686df6eeb0550ada7cca15d5c69af7a2

SHA1
c18dd6ea557fd6b0d673f612e5be92b36bdd4938

SHA256
04c615251bdb84c1b5c6d23302d4f0236f2b8920039c33e6016f1722d5990d74

SHA512
f6e5db0701133bdb029c857e2d0b869e6b634dbbf20037b5a38187d2a99cd393cbddec2803d71075d68752e2dfcfcfe16756cfb19f4a944b1967298515e1cff3

Download Submit
C:\Program Files\CCleaner\gcapi_17248564215976.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Program Files\Recuva\RecuvaShell64.dll

Filesize
351KB

MD5
e2f0dbd601ca28818b1ba2d69f6a0268

SHA1
4d06d01fd00c3866c0cdfd6cfbcaccca849454cf

SHA256
eefd30c828bbe1948cf4fc8371889936ff7638df3041aa8fb29b18cace84ed58

SHA512
bb5b13d48f19be60f30732e93f8ca66b092c6a89a466e86bcb92e64c48abb158929f224afff413d104c440021331ade960d079b44799b4ae4b38f3507be9b4ca

Download Submit
C:\Program Files\Recuva\branding.dll

Filesize
47KB

MD5
b823a4ac4a449f7e5f08def393c0e848

SHA1
f65e00df7e852da267979882e561349fa382145b

SHA256
f51f6ac289daf6969497877023c93897165e0001eeebd82a3d92c9a12972c05e

SHA512
2d3b7d1f062b04c7673233ec83ccbc835087432b1f178e17c94dce8baf195417e2d06609c7bff63dfcb52cc449469d6d5c48b84040419cfa11a2923fceb10fb4

Download Submit
C:\Program Files\Recuva\lang\lang-1025.dll

Filesize
44KB

MD5
eb10cde435b9a6da3f32a09395b78100

SHA1
1eb5a95f2b42c3485ce9b92212baae564e77bb81

SHA256
553103410ac0e62a84699749a84044d0fae9a052054ede89c58946d1b4b4ef84

SHA512
087dbd7eee0590911b89dadb74e0cf7b7da17a9b3099558c6ae1c65cf5c10b13afb1a9fb2fb15d594aaa00049ef0a29a8401e0875c5c018056a66975f98222f6

Download Submit
C:\Program Files\Recuva\lang\lang-1026.dll

Filesize
46KB

MD5
6809a0f617400b6053673ae10a6a615d

SHA1
90eb3194b953c606cc9000f132af783c14e5ddc1

SHA256
5ad4d4f91bb9dc8d88cf94d58e021edfb81050175a449671a165c752843d7fba

SHA512
172efddad3aaee52d8610bacc239559a9c26faf4511ddf1a1a1ead513ee0c6d895a32a0cb992f76eafc46b33f6d30f5a64d6191c80a70d1da1918877c1bf6a2a

Download Submit
C:\Program Files\Recuva\lang\lang-1027.dll

Filesize
51KB

MD5
3225974a9756ab0490750c9483500670

SHA1
51915fb65c55d118e2272cc0aaff60d93a57322d

SHA256
08db680c6054834f1f237f4ddd65a4907b78735a0a894b993dd70414f03b72d8

SHA512
343fb279834ed70fd36e6a19553cbac1ae179d1609f6853ada5dd9bb25c501e855976dd43387ce85ba10ccd313f0d3d1b6e9f325a95d42c1aaea1b8eeff34522

Download Submit
C:\Program Files\Recuva\lang\lang-1028.dll

Filesize
27KB

MD5
f61b1240af766991b38ce55c3f64a3c3

SHA1
25759792f920f539c6b4997e670fe0d3129922f7

SHA256
1ba0f72b6f5a98e98db0a79a811badb961627abd10d13323069e6ff2f33a10b5

SHA512
91c569b68532ae94f6be8a54f9bc36e343aec615292b0496c740dfda4c496e8ff3ad6659a87d91d990dc5b4685ebca3232a334a70b63379be7564b465ccad9e5

Download Submit
C:\Program Files\Recuva\lang\lang-1029.dll

Filesize
46KB

MD5
c5dee9a8c8956ce48095a44a2319f84f

SHA1
c80c6516fe0b6a9752ac48f2d86d1e11f0f821fe

SHA256
594573a43c73161fce314ac65fd4857f17bbafa6def1047f4ca6af5bab55c3c2

SHA512
d934712a2400d95e1da3957a520e81e6b91aadb662d1ff9c1a7e37c4a156285f7f2b17b8204aa92aa55907e381d5f1c258be9c274e00694df4d3c325488c3d55

Download Submit
C:\Program Files\Recuva\lang\lang-1030.dll

Filesize
46KB

MD5
e0c3c20a0b7cc9cb1a1a7f54f5a9c783

SHA1
8abc3f68f535bd3f60d2e3579954565706f8331c

SHA256
17bdd7c07f75a8c0fad2200246f0973ce28fc7c23c8471017980b84d4dff4792

SHA512
3028490533f5babf4a0c58a5baec0d8578617182adee2f5ef73bae385bfd544cd08da2b898fe23f993d9d1bc8d77e1de8133f1242e9c5da7ae75bbd2d9652b9c

Download Submit
C:\Program Files\Recuva\lang\lang-1031.dll

Filesize
49KB

MD5
799436111d9e59083c6c8c2ed90e3a5f

SHA1
8b20537f910438d2353e12852b20d20f7c062213

SHA256
ee79e58f9639a430894fd19ab9c9568576eff7424fd0377293d7b27de8263cdc

SHA512
cd2b919fd1247f1fbbb8228a726b786c9565ed3cf00e8e540b5ab193ee354dd6f0316431cce6388dc28f19dd200460f362737c887bbe1beeb2386a1e77994e99

Download Submit
C:\Program Files\Recuva\lang\lang-1032.dll

Filesize
52KB

MD5
a5d360fc6a029281ae5d4173091b5886

SHA1
b0bb669d9e824714abac93c8fd5f3860985f2466

SHA256
b5e348f1299b26b6440f56852f8abfba6412e5709e4f0d7434b646ce98ad6923

SHA512
f64327298b6bb352f30d370233480fca9eaf307354842fbd20cd0db42661436b70561e18dd3d801221e2567800fb817d22fa04899d814f06c9796b7d644d8c57

Download Submit
C:\Program Files\Recuva\lang\lang-1034.dll

Filesize
52KB

MD5
fb7456f4075c6c80b48058ca0d55950b

SHA1
f036376e1fd7f2c81b144a5c800e2ef66ca834c3

SHA256
1c8ead35bdff5e2ddf0c25b4a67c6a9c1f168cfa9011efc7b34de388a140df87

SHA512
1a2fbbfd079e1193ba91577cec134cb43d66b7857161a2304f8c9ae3611b3181e3e483ad15bb0d6a75c1b0dfa01eb8f1ef001bebcf7543b61623ad65db15b807

Download Submit
C:\Program Files\Recuva\lang\lang-1035.dll

Filesize
48KB

MD5
756264acf5fe4bad1e25ebe58ff20615

SHA1
c57f573787b16df3e2754ffd2404002dd02de6a6

SHA256
7323b8815b112c7eacb27e70e5b580316e37faa526fa8d894b28d9319ead71a3

SHA512
0717be9cbf05bd00ee32d1060c9a5feaa9e776dee4492a04ed912e5ce51d9b849b85cdad6b6cd5f125eec5fe30e9face028fd5148388ba6e63c70704448d43ec

Download Submit
C:\Program Files\Recuva\lang\lang-1036.dll

Filesize
52KB

MD5
d66d7f17210acde067b2fd8885afb690

SHA1
f4684c3bd43415b06a9ed311e4625b4612c96a50

SHA256
a796f3b3a00247e677a9e02690beca32ee2c9f5e0c75f049f984adb4a9ddc21f

SHA512
89026dc166704d66ff23973480e7a4e47c3d11280075b2e4ff0b8caa4df023c30652d8b43c92fc88c7a287845413f3cb4a1435a9f4721cea7e22a1032151e43d

Download Submit
C:\Program Files\Recuva\lang\lang-1037.dll

Filesize
40KB

MD5
d6d277840fd7cccc733ff55c4aada682

SHA1
fdfcd64dcc9b948b7733638da6da16adda53b753

SHA256
1f512d2a4d405837aa6c6b83d1651aba8a05ca326342ce27d4ba09eedfc4689d

SHA512
9a6aac9236d9e8bf88906386d1dd4828a207b434fc432b27488b23394fb9aa6e8daa4d713c8d9d618ba99ca010b0aef79485b9fc9a7146c9a68f74cf4b6a729e

Download Submit
C:\Program Files\Recuva\lang\lang-1038.dll

Filesize
50KB

MD5
32e909ee432dd0610311a52a08a9a924

SHA1
4018804f5401dd05b57d8a9bb20e5238783acf58

SHA256
08e827080a67cfad4abbf3b1578b91fbe8d87ed118030956e540ddb8d20271d3

SHA512
df7a6c8215fe30475f0bbdb5ed1d1341aa9b0d81c2f9e818e99d0267e32cadececac00acb23c16c5c55e2bf64fbb4e0740a7b3696f88697aac3a9cbe894220d6

Download Submit
C:\Program Files\Recuva\lang\lang-1040.dll

Filesize
50KB

MD5
d3e1ab464bd68a462ef24284474b404e

SHA1
aa7aa05c329189354e0756d28b58918d98cd7e2b

SHA256
e3d66328438fcdc820bd42998374fcd9761f5cc571e51b8e60213bdef152c3dc

SHA512
a3881edf190f0e3cf25dc10cdfcbbea39b24697d1b370f5b57afe9e3f33e488d90dcce4d2e1bead51694d795edeefb27c3ac5a054e50fa18665badd50bd253e9

Download Submit
C:\Program Files\Recuva\lang\lang-1041.dll

Filesize
32KB

MD5
e904ea82559a1d2d9ad38993eb2e5dbe

SHA1
3aa0683e5f6f3d4655fdcd4bd412716ce642dd8e

SHA256
c4fef6137150c31b5674174d4482cc648aaedafbd49a2a14a24e0596c43eacf7

SHA512
f286d80b99957ad06672e732f299faee639a2a33df3f770683384a3c32602a7fe546651bcbc29a06423b2b73ccbacced05e31488858987c1bb54abf9dc7c03db

Download Submit
C:\Program Files\Recuva\lang\lang-1043.dll

Filesize
52KB

MD5
698c0eb1e61cad0180f24d686944c544

SHA1
a0f791f25e363d94f0d39e2799c568a14acba9ac

SHA256
6a661ba4f5c53fb02ea2b9e043d7fd7575781a535a68466fe250f9c0dda391fe

SHA512
851e09e800729fd79a55cf6bb473d6c33cf74fde4e576da8021a63ac5f44d7dea681720a2a8bf5ec4621830460d2ef99a5a19bbfe23701e5d6a66ce07e801469

Download Submit
C:\Program Files\Recuva\lang\lang-1044.dll

Filesize
46KB

MD5
b721409b2e2abbcb09c80412d9d57126

SHA1
d4bd41fd5345600f845cedabff6ab79f992c99f0

SHA256
6ae5c2195b36807024d69c9f7538f457082895031a9a107e60a8a25a6caecdd5

SHA512
1f405f8281e66e2bc925b342d02907e6d32485637d52867decd0ce7be30f762c48f02b1f858ff2589bca4a28674799f14b32414341001c39602af6b84b4262e5

Download Submit
C:\Program Files\Recuva\recuva64.exe

Filesize
7.8MB

MD5
fbc238fa96aae3fe3b9755a0f0e4e6ec

SHA1
f5dd1f3bf812622bf75961e3d1125d032fa0e3cf

SHA256
1fd90402820539b60da545a75e5e216c779b342d15d05b70e97432ddd20ecfc0

SHA512
ce2490221ed8dd15991cc815327724965159a12c53a7c18e35277c987b28f3dcf5c694e77ad01fbe637ad7214964116302adb7f678afaddb4b1e6ea89aa77b4d

Download Submit
C:\Program Files\Speccy\Speccy64.exe

Filesize
7.3MB

MD5
d41812a78894d4e47df163db19d354e6

SHA1
580a2d42799843fb213c91d730d850c5db997363

SHA256
5465297f50aa45b3d19c721259f38452b533e4569e85fef7568867303a7bc3ee

SHA512
a5957c9502cf4ba650f204808f37c116aaaec4e26fadff2db3c1e331f73c8cdf76ade248ee8a548196f4083624c2640efd5bdf4f7e85d777973a1bd6fa83f10f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
8739142dd0ec6ed74efe1a9f4d885ed8

SHA1
4496c6421e3e2b0d0593401a4bfd8d4ce4a17a1c

SHA256
2fb1ba0cb7d1bc54755406d48c90674133e60c182311f8dc30262acbd4fcb700

SHA512
b86eecc4bba486075799809bc4e559d00962369d918a96fd4523f86ce585218a4c9972d266d24c2c31619933db82ba28216c51e86c69a0a04fb5e5c1cd871070

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
dafcd10079799d74655026ac670a13bb

SHA1
f70bdb8f185c9100fd364c0d431b31d95ddbc9ad

SHA256
36e7ebf910558e7c78818a134cfb41589361b958a35eb7037112727f8e68092c

SHA512
1bc40712dcd88adf9ec2fffa094b638cc1fd6e09d5c708ea2e2899a3ef9b2a86482293648d8637c2f586743bc82e23198bc02492a0dbd93fda6b4c0bef48ebdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
012009b95a6119f696249f5d2e50c231

SHA1
58165bb2e07c32fa6c8803ff8856033090da08bb

SHA256
afc56a96aaf949adeda6eb2eed19015cb1ca09d15f15725bb073b9ddad872a4b

SHA512
bff02e4679b5f67ee386bda6ca7af45fc90476d182c549891d7cf4352c0f2f1c685f4a92ab857939d966e2e587348b3cda44811f7703fe604dfe0f24bb8a7560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
a6c2e62f6ab3ff87d6cb35d59a338684

SHA1
8c0c1060f36a31af77e786289bdc94dfabb5c76a

SHA256
a79e16e0cf7bcf7daf2562f02dd1fcfa1e6960a47b80dcf2143a73b58e3f6aba

SHA512
81098502dc355b05bbdadb4d46bf3a928297717cf43c9805dacbb81a47522c47995508ec080b803baf3caf1f3427d6592b5d678a6e1ef82cf071080ad35fd690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
c5066bfcf506666077a04c35e41043eb

SHA1
cb996fdfab82cf69d045681d2d18cae0029a158e

SHA256
50521b341d31a07e4d4136adb46f9b1112abe467bd59ddd9bc06426aa38da28e

SHA512
12f77615431ea0c8f7cde1230012c2ab43cbbc69cbcb9b463f27a4bbeb78bfdf436a237a5ee4014337f5bae816d64fb4e6b578ad314b0dbe2a06a98d77609745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
50c84a752849d29fdbafe0cc9fce9f46

SHA1
545f1a7d655f920d0e7f88675e14d07387a5c4c1

SHA256
e10f2f60f8e7361b3ca1608bbeba14e340e660b756ce879238df4be2e18f0662

SHA512
60ae32541575d1f290e9f4a60afe53ac6455f5255d8d1be6bd85a6163c137861096ed4a94db4434041f034ea3632f6f4074b2960c44b6658bc00e24a24bc6c18

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
46KB

MD5
aa75282f5bf2175789864fef1881d970

SHA1
0df06ba9411b4e2498f2b2ad7657e24392bead61

SHA256
50505a41c251567a315710bc29bc907186f90a9947db00fdb339acdf0d29f1d9

SHA512
42e2322c2d71f2450e165ce9099bbb637749cb3254f871fb95281e4602bc901d9851818d46819d31d025449b1d1f928df35e3817fc3c3e303885d280fcdd2273

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\10264

Filesize
15KB

MD5
44ab8a781d57e08b3b27dd30da839eee

SHA1
7a36cae9731df804ddb6273e971b33feb558b91c

SHA256
864e6e87ad3190ea84f29564612e9a4be3cf48d13bf9a4a557ef1c5d7f042326

SHA512
f2faaf4848882f43af8b226f2055902c70c37e56bbc8b15f75a457411afe5b292f7450d127aa7fea610aa841346923f6e0dc66e37cdbf693c1a4f204d991bed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\2201D4A1B4D6CC0BE3B0765CB97EEB9982A9D881

Filesize
37KB

MD5
116dcf4927c651b0a6e88fe3e52fe346

SHA1
3feef44e591a85951ddd0860b42660256b1b3035

SHA256
863bb7a5d7f8e32f8f03ee3a0bea580bfd7b3e0f3dd1435966ddb77a1b5e5b09

SHA512
d9119a3cc416c1c61084a144c23df37a0fed442a8ffe9db3ffabcca440dad5674d8dc173412191b05e05975e05e8e170ec6846af6110bf258802c6980defbbaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\2506BCC5D096B24D3EE30055B18F9A5FA8FEC53E

Filesize
12KB

MD5
b5af77330b387bee68f773b194bd44b5

SHA1
20770ad9c3f7d3a3bc59ce1c5d38f42d60ec91b0

SHA256
929a8b4c2166f3b7e505d012185f1063062c9cab3d754bd9d4b23edce1913947

SHA512
4f48f9e9788ab31f04d805687307c104bbdf023e89f6ba2efb3fe285b824790ccd27a391b9c1c1fe0cb75593e4acf72abe399afdd48f0a119267cc24e47632fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\655BF3A2A93E26139146DF1A34B70AAFD95900DF

Filesize
30KB

MD5
e297f3056b53d6c3077b654c5de864d1

SHA1
c1f4073b5298fc8a21ac175a5a0271314e7a1984

SHA256
ac8a53258e5864ed4a26392a3b5f7d53f923362839d3148812dcb20eb49c67dc

SHA512
d2d258c017b963e8c534a104bbb0936fd11920201dea26bfc93ee09b6f7f9de30c1c349fc5cb35c2037c2550977864ed5c1b1f398c470243d84926bd1a50669a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\87C271F4C7008A7AFF254CAE3708B2B9188FF020

Filesize
13KB

MD5
47c4cf96667e2bdbb3ef045ec9ab449c

SHA1
aa38c6aa2ce86e3db6c8af3528ddc80f1e9176ed

SHA256
c10715a941f17be301700e95a6441d69d6307f885a6ddef12dc3dc95691460a1

SHA512
0dc9a8af176940eabe2702797a5f7be80199970db9890725fb17b825872c344ed43e6dc8db7bdf774225b23ffb6ee4a6d48ee88cac7e3128216e9a252f291f4b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\90BA4A1651D6B53AD379FB246E23736139F38AEC

Filesize
7KB

MD5
99176d6c493d0fe6ed7b3bb6ace4de3e

SHA1
b379d8fbd07e5fbbdeaceb0532d0d5cb34074b88

SHA256
968777c47281df0551c51aa23498afa9b090444bfbde7faa6e46e65e541b1fbb

SHA512
7f6d30127fc6eb3dc3f25701ed3e7e55616369bbd959060d7757bff73a07886f2b1be6fb84ddbcc90db2e2f409f0699631e6043000051dd7cb4dd7812fced444

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\A210CEB15CE534A24ADBA0767A001E0E52437E40

Filesize
8KB

MD5
0069fef4b40614bbfb70fe34ef3d0a28

SHA1
23064c250437ece2ba072a6b041b8a505414c201

SHA256
8596c9fa1771b50d26b91342d9723e1b6bf4d65281fffe62ff2c7fba232e4a14

SHA512
d83f9aeb89a0a739a8e69fcc9d0f808786d700384f9bbe8d3c4df5f670eb739fd5d3457e69a052e822f9a5a7031649ad4dba7bd68160a092fb3cd2f0950deada

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\B73CC9F25D20FBDAA18B302AF1CF8316B8079DFD

Filesize
93KB

MD5
da96c885bf717e37b8a0f83e604ce8f0

SHA1
c469b28acf7f2edc97cc2dcae2e7ba500224e28a

SHA256
7db446ef4e0bbb02b8ad3ab59b05be75c2967006b099c9cea53b10b18bf7160f

SHA512
bc828fdf8b549e6adedd35be3b8f61b810d3cf62d012ae590575dfd81aa9d386cdd77c76f406b80a94945f24709c23b9b45a1e72ee144e99f40d7fdf2dd0888e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yockqej.y2c.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswc3ce9c3c512794a2.tmp

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\modern-header.bmp

Filesize
25KB

MD5
079cb79b69190ffb3a584a7344e34197

SHA1
35a450167cd54beaf5d50bd85e00858a6684c724

SHA256
ab3dea92a333e89f41bb310d5b5d5a52b80d2aedf78b0516f2b1a6a9af69b222

SHA512
cbcd40bb163bc51df0e42a2ce3565848734b8fd6065592cb90270182b7473ecba71d0623505ca2c5654c9d65e16394ac55919d4018bbefe0cb72489579593e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\modern-wizard.bmp

Filesize
150KB

MD5
8bd95fbd159e00b9823fe8d60ccf9b50

SHA1
c55e1a485062efcae2ac4d4aa43172a0d8dc9413

SHA256
6ef238fafc028ba028eacbff28bcc670cd7213df9318f99f619ac3e2988d16f3

SHA512
1bbf9d41d3180cfddb99e300142b619ddbc225a099a43e8755aecb44000a4248a7606d04bbea3c1e65143fc488c40d30fcf9bdd418174bd821247b932977f86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcsetup153_pro.exe

Filesize
7.2MB

MD5
e6e81a9f47b3efc7a18ee8de8fe96037

SHA1
5e1eb8736b468b00850b6a2bdde6b38dcb449389

SHA256
d24452335b6825b5542213e7cb03e61565b0b073fe9e480d79d8fb5b96d277e6

SHA512
40ada85ed982873b5d6e36bcc5c07a4ff9ac91727a8340168a34f720205a99760a736031f61a9279d29c4aff461697983d6426c86fd354d5e3311376a78dadea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
510f71c25daeb5c88ad26ec871cf4ec3

SHA1
10573a9bd588fb2d4c944ef3be14588e85c4de79

SHA256
c851405eb07e412e9de8a3db0edcfa317762ae887bd119974b742cc7caa53b0a

SHA512
b4125b8c4b5666f084e07e2b507df4572a0376818d8ec8ece25154e1da3359ab00b5626073ff4f3028edd21936a4c03d7dca90c0defc232a253c5ce28335d81a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
7a0d98d9dfa816ad399cee04e81f63d7

SHA1
47e898bb260885e1f5fecd27401c2194dc493d47

SHA256
38e0899e62da8d654c945f2d9999441169864cc4f6bf925f82650b032e2e2043

SHA512
6c859a9e75332c23fbfb315cf0ee70d022440fd66a7bdc21ec1ca9e24697f0ff3a773f43288ff297c6e30e00a1b8704f387dff031f7de56a7c430b001ed900ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
6d9099359fccd6de869d6ce35dcca076

SHA1
3e243182229669752f1b3fbf9fb3323069140415

SHA256
edaa1dab799a596138a9f2876866dd56d1203f3fc6e45a30385485375cab9c20

SHA512
570d0b0ad2fd7edd253c1d091c8a79aa78b1ddd51f5f77b2efed6e8c31f0de53b5a8fb3683437e167ecd9d27e5c14de520d8cc6fcd9f32b1e6f1ccfdf2acaddb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\AlternateServices-1.txt

Filesize
10KB

MD5
b8bf4bd516e4e0e0d76bf8c11ba3566f

SHA1
6b70a8404204f3b116d86a42706e6d9e2f7ac45a

SHA256
900ff7f3dd38c0ed4d7e253334b9c6028cbd21abe4ffe917088fae685d945df5

SHA512
ffd0be1ff20b5858330929e8263619d05e09065a92142fe5831b050205f522bec36862bb2892c349d3dcea37dbad473b4b3631b85fee39664c4d061c93d25839

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\AlternateServices.txt

Filesize
10KB

MD5
85744b40a268cb6732be7debb3b43e90

SHA1
b625682e280361a3f738a9ef19196c1422a55a8a

SHA256
6885f1f22e0f34eb6b41cf60932096f30a242b59b4a314bceff69e30c2a0c63f

SHA512
96218a3d24857875638573483a49397199bcb701f0356a7d3f9a5c7ebb38d2e3031fdb1f34fc69ecab20c6e24fb8cbda7191a53260687b864c08a085daf7effc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\bookmarkbackups\bookmarks-2024-08-28_11_f70S+BIHcjdozL1H+8sV3g==.jsonlz4

Filesize
953B

MD5
14e152530b0003973263fd54064ea363

SHA1
98a18c46e4980317a1f795bb0f364f02b7524f06

SHA256
98818f8d867aabab23dcf95b03d2d912fd8d6106f1bf48e1f04dc9b5af42f199

SHA512
21a75ea8970d68bac8100f499d88b38fbdd904d5217e69492f10f63c9026f43f00508fc62e059f54f82d7a1bb6c16b15f14b281c87542613ddd20893029ce664

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
03413c7a4d78267bf967d2a2bc13796c

SHA1
c06f6f61296776ac6b74a0ca804ec94dbeb5808b

SHA256
5d94c523c2a8d86953f2242c940ff80644c152232d3621833665d545d85294c8

SHA512
0182b0a21c751edc15134bd34d6d1dd25b38f1834f57408cdbbdba8001797941110faa28e47191ef04556b35e8550bde55dfe1bd25a2abf65d3367ffdd178761

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\24c3dea9-4bd2-463a-b22f-e7141d4f2a2d

Filesize
10KB

MD5
652cdf17d2f489a171af30f082bc4b58

SHA1
8b33d8cacea1c9e3faa6225ddf1d2aa26e603582

SHA256
d786ed74d592fb0d76bdcdf5b2e4c001d4e5952b657431c3784dde0281cb9907

SHA512
e8467b5b5d574ea092f8266acbf1b9b92aa25273bb146ce075654c0d8dd1b41b35c4c2a2782c8724f1a580d761144d0a6eaee942fa2f420aadb872bd41509a9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\2b34f90d-f546-4eda-944b-4c431d2de408

Filesize
746B

MD5
51a42e45256b85c6c2dbbe75b62801c1

SHA1
caea23f9c7e3db7332e2dc735b479719d7b8e68c

SHA256
d566b7a545e46f8eb70426a2af45d06a33320dbf4b295865a305ad1369791190

SHA512
a17784a489c4066982a59220e400776d68f1e8d0f3c5debeb465769a7922e40abc74abf959a5d9561139b6c3b93b335e99e58f8cc938a536adf2fc954bb6e47e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\49fd2dc0-d135-4586-b694-b5f35edac3ad

Filesize
779B

MD5
0ad738db5cf9b4bb11d4434cd4d06267

SHA1
5da93c213d816e62b306937516b7e99a7c57cf7d

SHA256
3969f6080cd080247679f41f5a0fd03b55c1c92340d34c1597f230974c913ca1

SHA512
f6d92699187a8b3f603706c2e84d55d27d4d32b7eaab137d7ad4916e1e024cbdb4d8439c1272aaaf2dd93cd205f55a99eeb75f210dc9d0eb0aa75f4f6c474a0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
7KB

MD5
c93c8989b57013f20a7a6a61511e6228

SHA1
18d707ea13a5ccd0fcc81e8c582f26ba7303253f

SHA256
df2b303f47fe3037cc3110550e78b011a0587516466692293d1f8fd728cb6b70

SHA512
d63537b39998e2451599d45324c461243aa0f359368f1f17e54ac5a09b21c09a6185e2eed7006ecd7d6dd2bd7a86126b0320a1c490bbc1e2a88e28d89424d5e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
2c2968835d1fe9e41ccc59ada9b7056b

SHA1
8084bbf61dbae3ac27bacacdff64d52547f753bb

SHA256
6c76811137613f44d7c815c10ef752adf559e4d9d650dfaf6d40dbb1aec95714

SHA512
f04978e4d9624b95d09c68acc86ba5653520551b99f350af700a6e79fa3d4c4797525e15fe20665857e7e7114bc37f126120a79c21b08c0e9a78f4bb5302cf67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
7KB

MD5
2183e2de3d5af0b8ead733744773aa72

SHA1
5359bfa1a08545c31c569b631008de3d5c0a8e1e

SHA256
a3ee7d992a0de7f703f5a4e8ebd9be1e66002f4175f608bd1e1a4dff6e7324c1

SHA512
d17bdc517872fcf017e84e846350d7cc7993c04cc4b7a23918baaba37f225691ae3a0d1e7c4c6c5d8abd01e05ebe544971a3c00605b7e6583cb29203531673ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
7KB

MD5
7c289f2322f45680d2914bcdb6faee47

SHA1
c31ae5debe04bf0a5ca898c0ca98bc6899f13bb0

SHA256
8b9b98dda24561df3457715a921ed0649eb97d7824cd12f42eadc15aed72ece2

SHA512
eaa69fa8b0da76a05a6da628da61ec91a832e0d49ba54a89ea724519ba14bf647f7be3d7e51b49d496b4abaff7ee2c0fb13086c20145b06bce8585958c6ff26d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
018b21c8c10e52d83bf5911d824709a0

SHA1
0bdb91d38377d125e6585ea6ffa59238cb89cc3a

SHA256
5a33589dd2f1022ef0235abd40b780f55c09a2a1b79b2d263b82d48f97ee0606

SHA512
565210f32f577f93552543b5741b210ff6819eb42c0599ed1e46494ab03271761c02084782ed9d6d1e5feb349229652668b234e6d4b4af5fca417607f072697a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
0356532b598211dbd4e38768e2ee25b4

SHA1
4568d71790749c3431ce0fb228ecc61aa5e2730c

SHA256
7db9c24e3c60b0b7da60a9e085b5b2c10740561c6de2044367dbeaf2a30f2acf

SHA512
3cd5b731a6a2fd6737d69c22612a164b63f24046f61cdc275c6939c62f5cb258dfd9bbaf6cdedf02e4175e7f22aa76b8e7bc197e138ae4948f25a57228b073ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
3e8c628de66b0239a319320494e16414

SHA1
51471c9e45e1e5370ccdfeeab990ee619b46a936

SHA256
caa5d514b4f09793c02a1cbb582434b51decdf45bd12799c038465a2df052dec

SHA512
278e07e612f7cc48f300a1349f898768c984981a8010753c747325064ed21589afc88cbba0483ae60fe850ba99a5e5e985ee938e9ac34568c9aff63dc2aed8b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
b15d079709fa12fbfe2cf6db01256de7

SHA1
0a1017d42fc24b663105af50a97a171938dd3d0b

SHA256
c0d42896054cd72e1f3fe2001d15f73dd0cae00c7945887120a0444e9f159b98

SHA512
00c90cacc39251e6aa1f73693ebbb878a236a50eb8eaa57a5bf938a4d3ecdf53ac9d50097be66dbdddd3dbf4be577b24767254c36cb37c0ac228d04583781723

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
1412916502ca7cd919e2679f8db93fd9

SHA1
fce2d155db7405d6fc6fb7a5b42adf93e25c4c74

SHA256
92a59329763623c0cac08dcfcd8c46c309c736326de5a25f15e3a97004200994

SHA512
4ef182e0599368dfdadd5a8a57af223546f1d99369818d9af8fcac559fb53b2785fe477bd9445d85c59a3c5de306b10eb44955916ead40f6d0d8d20daae85637

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
4c1f58aca80b52032da4ac4bee4ce462

SHA1
9ce602c07d2e23aebc8a60043c1e530197c6b04c

SHA256
84b09dcc0173819e4e0f7e70560d18b08b7588e87a1243a1331a8e8cee3ce372

SHA512
60c5f8e824fcd032d05bbc1cd356ecd3d53b7952283670ad5b06f548d1ffd330400af830c44b0400de1eb606c893af4f53b5165ba7ab7b8ab19a3bedcedfe83d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
4fd6769c2e4cb9b6563f7491d74a39b1

SHA1
da76d639fe9551c6bcb8ccef36e3487afad776bb

SHA256
1a7a7e0973901a8586cdda40b750d22cdbcc038d386924cf7c02d0f2d99f3e9f

SHA512
a1f210632f78ff3b0bb8465d5ab090ae455410d3ea935eb320d39f5d603bee70afec72b6e6fd84a9adf56e0852bed2c8dce61f5c97acd15abb9a67d54ee669e5

Download Submit
C:\Windows\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Filesize
64B

MD5
168f03c5c241049561d93853fa2304dc

SHA1
ee086aa5bc60436a75015003cb2dd27ae57620ff

SHA256
374d172fa5910a136fd3adba14744e6f740efc9dd62e34f870ea5698e349f60e

SHA512
169897b850ad3fa154452c34b87813f31723914110bf41e711c614e18b9850d036a2083cf908286a406d45db1c4a51f3b320792672b3287cfca08e756b5ee179

Download Submit
\Program Files\CCleaner\branding.dll

Filesize
50KB

MD5
e5f8138cc87bc199a98bb484db9b4076

SHA1
4ba3693662feb8661937fb1a3fac771702f70a25

SHA256
3289901e88e38e1a9dec202e7a731d1fadf16855349a394d046107aa40c93d84

SHA512
f55e43d4ebbaed6a27631a43368bcdd2bc9aedb16d06c631af2b7be2e1a411f66a1dd52a07a2c26b0b86ac47693d63b94cbc74a75be19aa4fabc949db64c0762

Download Submit
\Users\Admin\AppData\Local\Temp\nse487A.tmp\p\InstallerHelper.dll

Filesize
3.0MB

MD5
69fe0f183fa7b8eb6c9a55cb2ff93f7a

SHA1
1f8a64ac55a031a829f1b1b695a6933ce42f7692

SHA256
4ac7b7d19ba91de4aaf02629035a44df5d346f45ec7dcf5ada2bf644265f66a0

SHA512
a153d662fdb74dec9cfed138a590f17403571e3554d99d448c50abdc04f19b2f5d35ac40808012861b2875d93d6a31871ef3efb3465893f77bdd52e66c4b6523

Download Submit
\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
\Users\Admin\AppData\Local\Temp\nshAB5F.tmp\p\pfBL.dll

Filesize
6.0MB

MD5
5608c585d25c6f3d75762cd0a44cc153

SHA1
a9ae6ecca38b1fcfb08f7fa45a0f063fd9393828

SHA256
ed5826c816ace3bc5fdd471871a0034554773e7da20dbc0a2eac7152cc7fa260

SHA512
6e24928d93b8068f4e03d97159e7dd2ff5ea7817c37a5a06741311b0477fd54b5750451652f79cf53130efc03b9268ce5fa8922e63caf17c1d88d23200eb9867

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7078.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7078.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
memory/1632-2372-0x0000014DF3970000-0x0000014DF3978000-memory.dmp

Filesize
32KB

Download
memory/1632-2050-0x00007FF997A30000-0x00007FF997A31000-memory.dmp

Filesize
4KB

Download
memory/1632-2051-0x00007FF997A40000-0x00007FF997A41000-memory.dmp

Filesize
4KB

Download
memory/1632-2052-0x00007FF997A00000-0x00007FF997A01000-memory.dmp

Filesize
4KB

Download
memory/1632-2053-0x00007FF997A60000-0x00007FF997A61000-memory.dmp

Filesize
4KB

Download
memory/1632-2054-0x00007FF997A10000-0x00007FF997A11000-memory.dmp

Filesize
4KB

Download
memory/1632-2055-0x00007FF9946D0000-0x00007FF9946D1000-memory.dmp

Filesize
4KB

Download
memory/1632-2354-0x0000014DEB440000-0x0000014DEB450000-memory.dmp

Filesize
64KB

Download
memory/1632-2348-0x0000014DEB3E0000-0x0000014DEB3F0000-memory.dmp

Filesize
64KB

Download
memory/1632-2049-0x00007FF9979F0000-0x00007FF9979F1000-memory.dmp

Filesize
4KB

Download
memory/1632-2373-0x0000014DF3850000-0x0000014DF3858000-memory.dmp

Filesize
32KB

Download
memory/1632-2374-0x0000014DF3840000-0x0000014DF3841000-memory.dmp

Filesize
4KB

Download
memory/1632-2376-0x0000014DF3850000-0x0000014DF3858000-memory.dmp

Filesize
32KB

Download
memory/1632-2382-0x0000014DF3800000-0x0000014DF3801000-memory.dmp

Filesize
4KB

Download
memory/1632-2379-0x0000014DF3840000-0x0000014DF3848000-memory.dmp

Filesize
32KB

Download
memory/1632-2394-0x0000014DF38F0000-0x0000014DF38F8000-memory.dmp

Filesize
32KB

Download
memory/1632-2396-0x0000014DF3930000-0x0000014DF3938000-memory.dmp

Filesize
32KB

Download
memory/1632-2399-0x0000014DF3840000-0x0000014DF3841000-memory.dmp

Filesize
4KB

Download
memory/1632-2403-0x0000014DF3800000-0x0000014DF3801000-memory.dmp

Filesize
4KB

Download
memory/1632-2048-0x00007FF9979E0000-0x00007FF9979E1000-memory.dmp

Filesize
4KB

Download
memory/1780-2043-0x00000000732B0000-0x00000000732D6000-memory.dmp

Filesize
152KB

Download
memory/1780-3370-0x00000000732B0000-0x00000000732D6000-memory.dmp

Filesize
152KB

Download
memory/2560-1571-0x00007FF997A30000-0x00007FF997A31000-memory.dmp

Filesize
4KB

Download
memory/2560-1570-0x00007FF9979F0000-0x00007FF9979F1000-memory.dmp

Filesize
4KB

Download
memory/2560-1572-0x00007FF997A40000-0x00007FF997A41000-memory.dmp

Filesize
4KB

Download
memory/2560-1573-0x00007FF997A00000-0x00007FF997A01000-memory.dmp

Filesize
4KB

Download
memory/2560-1574-0x00007FF997A60000-0x00007FF997A61000-memory.dmp

Filesize
4KB

Download
memory/2560-1576-0x00007FF9946D0000-0x00007FF9946D1000-memory.dmp

Filesize
4KB

Download
memory/2560-1569-0x00007FF9979E0000-0x00007FF9979E1000-memory.dmp

Filesize
4KB

Download
memory/2560-1575-0x00007FF997A10000-0x00007FF997A11000-memory.dmp

Filesize
4KB

Download
memory/5756-3002-0x0000000008970000-0x0000000008992000-memory.dmp

Filesize
136KB

Download
memory/5756-3006-0x0000000008B90000-0x0000000008BDA000-memory.dmp

Filesize
296KB

Download
memory/5756-3001-0x0000000008A10000-0x0000000008AA4000-memory.dmp

Filesize
592KB

Download
memory/5756-2999-0x00000000088F0000-0x0000000008926000-memory.dmp

Filesize
216KB

Download
memory/5756-3003-0x0000000008AB0000-0x0000000008B16000-memory.dmp

Filesize
408KB

Download
memory/5756-3004-0x000000000A210000-0x000000000A70E000-memory.dmp

Filesize
5.0MB

Download
memory/5756-3005-0x0000000008B20000-0x0000000008B3C000-memory.dmp

Filesize
112KB

Download
memory/5756-3000-0x0000000009B90000-0x000000000A208000-memory.dmp

Filesize
6.5MB

Download
memory/5756-3009-0x000000000E130000-0x000000000E480000-memory.dmp

Filesize
3.3MB

Download
memory/5756-3018-0x000000000A880000-0x000000000A8E6000-memory.dmp

Filesize
408KB

Download
memory/5756-3019-0x000000000EA90000-0x000000000EAB2000-memory.dmp

Filesize
136KB

Download
memory/5756-3020-0x000000000EB60000-0x000000000EBAB000-memory.dmp

Filesize
300KB

Download
memory/5756-3021-0x000000000ECB0000-0x000000000ED26000-memory.dmp

Filesize
472KB

Download
memory/5756-2998-0x0000000008880000-0x000000000889A000-memory.dmp

Filesize
104KB

Download
memory/5756-2997-0x0000000008EE0000-0x0000000009508000-memory.dmp

Filesize
6.2MB

Download
memory/5756-2996-0x0000000003730000-0x000000000373A000-memory.dmp

Filesize
40KB

Download