General Info

File name

3.exe

Full analysis
https://app.any.run/tasks/2aa79186-d1cc-42f2-b50b-b360b5d14877
Verdict
Malicious activity
Analysis date
3/14/2019, 14:43:48
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

28bbce9643fe16ba8aa219d67b06f91d

SHA1

b6ac3a2deada8db7f7ced7a32fc2e9468c0b6266

SHA256

4f0b66034a053a747c9be93d97d4e53e0bcea2cf92994bd46f4427c9f79b5b3b

SSDEEP

3072:9liUPXC8k1nJrX+fNTBf+N8SxWvXcEiH+k:9zBkLL2NTBGCemJnk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads the Task Scheduler COM API
  • CCleaner.exe (PID: 3364)
  • CCleaner.exe (PID: 2728)
Changes the autorun value in the registry
  • CCleaner.exe (PID: 3364)
Actions look like stealing of personal data
  • CCleaner.exe (PID: 3364)
  • CCleaner.exe (PID: 2908)
Reads Internet Cache Settings
  • CCleaner.exe (PID: 2908)
Removes files from Windows directory
  • CCleaner.exe (PID: 2908)
Reads internet explorer settings
  • CCleaner.exe (PID: 3364)
  • CCleaner.exe (PID: 2908)
Low-level read access rights to disk partition
  • CCleaner.exe (PID: 2908)
Executable content was dropped or overwritten
  • 3.exe (PID: 2860)
Reads the cookies of Google Chrome
  • CCleaner.exe (PID: 2908)
Application launched itself
  • CCleaner.exe (PID: 2908)
Reads the cookies of Mozilla Firefox
  • CCleaner.exe (PID: 2908)
Creates files in the user directory
  • CCleaner.exe (PID: 2908)
  • 3.exe (PID: 2860)
Starts CMD.EXE for commands execution
  • 3.exe (PID: 2860)
Reads settings of System Certificates
  • CCleaner.exe (PID: 2908)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report.

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (41%)
.exe | Win64 Executable (generic) (36.3%)
.dll | Win32 Dynamic Link Library (generic) (8.6%)
.exe | Win32 Executable (generic) (5.9%)
.exe | Win16/32 Executable Delphi generic (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:02:01 21:18:00+01:00
PEType:
PE32
LinkerVersion:
2.5
CodeSize:
67584
InitializedDataSize:
52224
UninitializedDataSize:
null
EntryPoint:
0x1000
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
01-Feb-2018 20:18:00
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
01-Feb-2018 20:18:00
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.code | 0x00001000 | 0x000037F0 | 0x00003800 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 5.61236
.text | 0x00005000 | 0x0000CFA2 | 0x0000D000 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.58582
.rdata | 0x00012000 | 0x000033A0 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 7.11024
.data | 0x00016000 | 0x00001724 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.93674
.rsrc | 0x00018000 | 0x00008510 | 0x00008600 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 7.97091
Resources
1

213E4B4F54AE4F4186D0C15C492CD3CC79BA41D2

3D1F5A1768FF03094B7205C1F656F770

7581988FF961F569E508D38D15734EBACD17187B

7EA50BB2E6EED45D1812A9C4223909DE

C58CFDC25974411E881FF4BAA34E8B07

DBC1F5D2E2

Imports
    MSVCRT.dll

    KERNEL32.dll

    USER32.DLL

    GDI32.DLL

    COMCTL32.DLL

    SHELL32.DLL

    WINMM.DLL

    OLE32.DLL

    SHLWAPI.DLL

Exports

    No exports.

Processes

Total processes
39
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Graph nodes: start, 3.exe, cmd.exe (no specs), timeout.exe (no specs), ccleaner.exe (no specs), ccleaner.exe, ccleaner.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2860
CMD
"C:\Users\admin\AppData\Local\Temp\3.exe"
Path
C:\Users\admin\AppData\Local\Temp\3.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3992
CMD
"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\E2D2.tmp\E2D3.tmp\E2D4.bat C:\Users\admin\AppData\Local\Temp\3.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
3.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\timeout.exe

PID
2644
CMD
TIMEOUT /T 1 /NOBREAK
Path
C:\Windows\system32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2728
CMD
"C:\Program Files\CCleaner\CCleaner.exe"
Path
C:\Program Files\CCleaner\CCleaner.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Piriform Ltd
Description
CCleaner
Version
5, 35, 0, 6210
Modules
Image
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\winsta.dll

PID
2908
CMD
"C:\Program Files\CCleaner\CCleaner.exe" /uac
Path
C:\Program Files\CCleaner\CCleaner.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Piriform Ltd
Description
CCleaner
Version
5, 35, 0, 6210
Modules
Image
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mlang.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\oobefldr.dll

PID
3364
CMD
"C:\Program Files\CCleaner\CCleaner.exe" /monitor
Path
C:\Program Files\CCleaner\CCleaner.exe
Indicators
Parent process
CCleaner.exe
User
admin
Integrity Level
HIGH
Version:
Company
Piriform Ltd
Description
CCleaner
Version
5, 35, 0, 6210
Modules
Image
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

Registry activity

Total events
999
Read events
758
Write events
225
Delete events
16

Modification events

PID
Process
Operation
Key
Name
Value
2860
3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2860
3.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
WipeFreeSpaceDrives
C:\
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
CookiesToSave
*.piriform.com|facebook.com|google.com
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
RunICS
0
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersion
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
UpdateKey
03/14/2019 01:44:49 PM
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersion
5.55.7108
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CachePrefix
:2019031420190315:
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheLimit
8192
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheOptions
11
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheRepair
0
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
2908
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
25B2EB196CDAD401
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pem
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\pem
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1102
Go online to make setting up your computer easier and learn more about Windows 7.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1122
Change your desktop background, window color, sounds, and screen saver.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1142
Transfer your files and settings from another computer.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1162
Share files and printers with other computers in your home.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1182
Choose when you want User Account Control (UAC) to notify you about changes to your computer.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1202
Go online to get Windows Live Essentials to communicate, share, and publish online.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1222
Configure Windows to back up your photos, music, and other files automatically.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1242
Create user accounts for other people who will use this computer.
2908
CCleaner.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%systemroot%\system32\oobefldr.dll,-1262
Make text and other items on your screen larger or smaller.
2908
CCleaner.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Microsoft Management Console\Recent File List
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
Monitoring
1
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CCleaner Monitoring
"C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
SystemMonitoring
1
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersionNotification
1
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
NewVersionNotification
0
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LastMonitoringShowNewVersion
5.55.7108|03/14/2019 01:44:49 PM
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LastMonitoringNotificationTime
03/14/2019 01:44:49 PM
3364
CCleaner.exe
write
HKEY_CURRENT_USER\Software\Piriform\CCleaner
LMN
2|3|0|0|0|0|4|0|0|0||||

Files activity

Executable files
1
Suspicious files
32
Text files
2
Unknown types
10

Dropped files

PID
Process
Filename
Type
2860
3.exe
C:\Users\admin\AppData\Roaming\;
executable
MD5: ba50580ee89422ad9e77d3dc8f8ab5b0
SHA256: 3355ba4c1596126a04f5d37f18ddefa02ca8aff836b6f7d4eaa5a2f240a52957
2860
3.exe
C:\Users\admin\AppData\Local\Temp\E2D2.tmp\E2D3.tmp\E2D4.bat
text
MD5: 2c1e0b82fc9ae79afee93b0b7b262762
SHA256: c6fa02a8249ba660c6ba5ac2fe4fda8d5dbca6a2da9eff28c0a37b9ec89d8613
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
sqlite
MD5: 93c3d6ec198d6eaa173305b875504d82
SHA256: bb33e3ed5db5ff760ac53b84383685281f4dff11f3eb6c274270599112deec1b
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
sqlite
MD5: 90b92cfd42f6bd8e187a02082a33d899
SHA256: 15fafd4b3d96592aa1c8fc23662322a6d2bfdede693dad82af66b92cf63ea23a
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs-journal
––
MD5:  ––
SHA256:  ––
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
––
MD5:  ––
SHA256:  ––
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cookies
sqlite
MD5: 97904c4f8596858c1f72b11fe691bbaa
SHA256: e7ba736294221948bdcef166ef44abafb742d510cca3087161241f5d43f1cfe5
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cookies-journal
––
MD5:  ––
SHA256:  ––
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
sqlite
MD5: 13e29f1194c2cb37f0498ae486c3f226
SHA256: 242e59039e7a5011299b6bc09a1f36e4d4d4d2402fa70f92955063d6ce2b25af
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal
––
MD5:  ––
SHA256:  ––
2908
CCleaner.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat
binary
MD5: 373b34540b8d4056abf794e8f2c0c603
SHA256: d6114ae2795d68677cc1aff1a5bed02cb5ef3969563f26fd3681f9a44fd0be4d
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Opera\Opera\pstorage\psindex.dat
xml
MD5: 87d7d99e78333991f9c6e2dae35d4515
SHA256: 019e073b1add58817582781720c8c35071cb2e5acda113e6fc5ff7322adc609f
2908
CCleaner.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-shm
––
MD5:  ––
SHA256:  ––
2908
CCleaner.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
––
MD5:  ––
SHA256:  ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite-shm | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite-shm | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite-wal | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite | sqlite | MD5: 003ca0b26dfafc68a32989a0b1fd69f6 | SHA256: d7906a8f8d31177e1a48341158747e05e5681349839774bb47534165b47e3795
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Temp\etilqs_goEAMGcpUkHLdJR | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Temp\etilqs_Zod9kP4mGdzBhXE | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF21a40f.TMP | binary | MD5: 2b5f9ce995344bb68849651d813667e6 | SHA256: 048919bd7df179676dbc837dd4df7bd20bc7e8ba0f39cf799259c0a7420c394a
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms | binary | MD5: 2b5f9ce995344bb68849651d813667e6 | SHA256: 048919bd7df179676dbc837dd4df7bd20bc7e8ba0f39cf799259c0a7420c394a
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms~RF21a3ff.TMP | binary | MD5: 0718412c5ad48fd11c883a2c7545e4ac | SHA256: 04317b698501aa39534a9063d6153df5a137f350d9ec83ba04bf98574744a9f0
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms | binary | MD5: 0718412c5ad48fd11c883a2c7545e4ac | SHA256: 04317b698501aa39534a9063d6153df5a137f350d9ec83ba04bf98574744a9f0
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF21a40f.TMP | binary | MD5: 2bd65786a630760fca601091fdb50176 | SHA256: 5c7b76a0d84d609b67540c9a4ed525a2541632ef02559b23b8d82f4dcf5742bb
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | MD5: 2bd65786a630760fca601091fdb50176 | SHA256: 5c7b76a0d84d609b67540c9a4ed525a2541632ef02559b23b8d82f4dcf5742bb
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D86U6RYC3WZY6YZP86HD.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05WVNES3Z2NHHYPSPPUL.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\be71009ff8bb02a2.customDestinations-ms | binary | MD5: 30506f4e97f405d0b4a52377213b62b6 | SHA256: 8f7bc8d09268c30218af462d7925f3601213e9236baa6b9b42ff8ab3ffa32961
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\838cc06828272270.customDestinations-ms~RF21a3ff.TMP | binary | MD5: 2470b9c4840417e24071a880c63fe2a2 | SHA256: e4658d6dae6dccedaebaeacb6cbccf646e08f688be6a4bd935cc082aaa7598b8
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\be71009ff8bb02a2.customDestinations-ms~RF21a3ff.TMP | binary | MD5: 30506f4e97f405d0b4a52377213b62b6 | SHA256: 8f7bc8d09268c30218af462d7925f3601213e9236baa6b9b42ff8ab3ffa32961
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\838cc06828272270.customDestinations-ms | binary | MD5: 2470b9c4840417e24071a880c63fe2a2 | SHA256: e4658d6dae6dccedaebaeacb6cbccf646e08f688be6a4bd935cc082aaa7598b8
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FSAQNBCHQZWKC4J1MS7O.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KC3M8E52OBUMQ9G8FSYP.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UBK3FXVMDHJRIDDUHQ47.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74ea779831912e30.customDestinations-ms | binary | MD5: b7ffda67478fc4b6a9e491f297d2b1fd | SHA256: 241d12654f0a03a7b4ada0dc0ecf3570ac712697ef7724db74270809e6365a32
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF21a3f0.TMP | binary | MD5: 2d41705f6d4aa8ac89042d963b022c87 | SHA256: dfea2487535d2b680b21ce5eaf50594510c9111982c770ee68e3fbf4670949c3
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms | binary | MD5: ba1a6d21faea6e6ee85e4ce8a58cb6e9 | SHA256: 8bf94529b94945e0afda11a5ae165b0b180a749c24aa5909038ae55fe77d4236
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms~RF21a3f0.TMP | binary | MD5: ba1a6d21faea6e6ee85e4ce8a58cb6e9 | SHA256: 8bf94529b94945e0afda11a5ae165b0b180a749c24aa5909038ae55fe77d4236
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms | binary | MD5: 2d41705f6d4aa8ac89042d963b022c87 | SHA256: dfea2487535d2b680b21ce5eaf50594510c9111982c770ee68e3fbf4670949c3
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74ea779831912e30.customDestinations-ms~RF21a3f0.TMP | binary | MD5: b7ffda67478fc4b6a9e491f297d2b1fd | SHA256: 241d12654f0a03a7b4ada0dc0ecf3570ac712697ef7724db74270809e6365a32
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\121TDOJSZLX7N7B7W19B.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLQTOQIX24OYVRUXSBWT.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1Q8YOWKOOCZDI8FAF6SW.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF21a3c1.TMP | binary | MD5: f574e70dd272ab421355cafb4dbb33f1 | SHA256: 5d2549b63411173f7768415522cca0d79e0f4c546bea33c7b2386e0adb8b6690
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms | binary | MD5: f574e70dd272ab421355cafb4dbb33f1 | SHA256: 5d2549b63411173f7768415522cca0d79e0f4c546bea33c7b2386e0adb8b6690
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF21a3c1.TMP | binary | MD5: 4d52243d2d5c00150afd5ef8770ca507 | SHA256: 4cd400921c4212d25b9212bcb099c764b4e7e370c962cf2e2ad1d5b32ad310d4
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms | binary | MD5: 4d52243d2d5c00150afd5ef8770ca507 | SHA256: 4cd400921c4212d25b9212bcb099c764b4e7e370c962cf2e2ad1d5b32ad310d4
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CTU8MRAZ7T5F5RNXA4P3.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DNV5SUNFG0V8KGP86L9H.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1573807221713e71.customDestinations-ms~RF21a3b1.TMP | binary | MD5: 5915ec01bd2dc5e8b058b88460654a43 | SHA256: d4a06d46f1920c058d2eaa45f328c8d16a2dcc01ea8e0e70cee494ac505747de
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1573807221713e71.customDestinations-ms | binary | MD5: 5915ec01bd2dc5e8b058b88460654a43 | SHA256: d4a06d46f1920c058d2eaa45f328c8d16a2dcc01ea8e0e70cee494ac505747de
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\16ec093b8f51508f.automaticDestinations-ms | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\7e4dca80246863e3.automaticDestinations-ms | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SECFXRZX5KC6P9BTXQW4.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmA3A7.tmp | binary | MD5: 78819c9316325f5e4712089dc13073aa | SHA256: da0270c0ec0f696e1a9ec0739c83f305ecd798273097a740a15a9ad4312c0f99
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmA3A3.tmp | binary | MD5: 7928a8deea5e589349b1df5dcb5baf81 | SHA256: b124332c318729216053009f45242bb0961203359e723cad413ab7c0cc0b11d6
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmA3A5.tmp | binary | MD5: b623140136560adaf3786e262c01676f | SHA256: ee3e1212dbd47e058e30b119a92f853d3962558065fa3065ad5c1d47654c4140
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmA3A4.tmp | binary | MD5: 350ac26665b88e3b2ec367f268fec5b7 | SHA256: e4ab7612a46b262122617e72c3e9bfb01310d3c8ed5b0c89eb7668ba5980258d
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmA3A6.tmp | binary | MD5: 2034995f0bbaa16db835b462eb78152a | SHA256: 62ce260f5e10fc17bf63faafa39912febf61d20fad51cc11606a295801743799
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmA3A2.tmp | binary | MD5: e35b6bc0a60d750e0a80b024247ce044 | SHA256: 0fb9f685978f709c4fff44be0961408411d0ad9945f9a19a3c1e31173a1ba165
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\low\index.dat | dat | MD5: 551215eaa944e93b13c4e0f3b2acfaf9 | SHA256: ad7d924c4363ef293bc7cf85f9acab24c32efbeb9471d71f55ec00bffaf003d6
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | dat | MD5: a90c54bf4da725ec1eee1d0c2e18c2ca | SHA256: ec1a782e42337b1e15d38fb855971e6c775a9f670b8160eb0f878907e2c6d82b
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat | dat | MD5: 3c821cff5b7b757c7ccef6e8a14876ad | SHA256: eb5102b2ef76edc632d919f533464255534bf723bf53858c5a0ce72170eb3fec
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF219b26.TMP | binary | MD5: 9c3eb1a379e6c25915e1993178687d13 | SHA256: cefcdbd5cc642924f4277231a2f33a72d0a0d173d75938233d78b91e8c17f69f
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FP2BSGGW2D10V13Q4W9P.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF219615.TMP | binary | MD5: 9c3eb1a379e6c25915e1993178687d13 | SHA256: cefcdbd5cc642924f4277231a2f33a72d0a0d173d75938233d78b91e8c17f69f
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TY7BTB0XTCZ21FSFDHWJ.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms | binary | MD5: 9c3eb1a379e6c25915e1993178687d13 | SHA256: cefcdbd5cc642924f4277231a2f33a72d0a0d173d75938233d78b91e8c17f69f
2908 | CCleaner.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IFM8WBRQ6LYGGAQWIHGR.temp | –– | MD5: –– | SHA256: ––
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History | sqlite | MD5: dc5fb96126ac72857be9b9805a7f074e | SHA256: 170af5d1d5905e694e9ae3223f2d92f0f9bf6435cfde892b118820218d9430fb
2908 | CCleaner.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History-journal | –– | MD5: –– | SHA256: ––
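
Added example (not part of the ANY.RUN report): a small Python tool that parses file-activity records of the kind listed above (PID, process, path, type, MD5, SHA256), groups each path into the forensic artifact class it belongs to (jump lists, browser history databases, IE index.dat, thumbnail cache, SQLite temp files), reports paths that share a SHA256 (a jump list and its ~RF*.TMP twin, for instance), and flags a process that rewrites several artifact classes in one run. The sample input is constructed from four of the rows above; the artifact classes, their regular expressions and the threshold of three classes are this example's own choices, not anything the report states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample, one field per line (PID, process, path, type, MD5, SHA256),
# with values copied from the rows above. "––" marks a field the sandbox did not
# capture, which is how the report renders it.
SAMPLE = r"""
2908
CCleaner.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite
sqlite
MD5: 003ca0b26dfafc68a32989a0b1fd69f6
SHA256: d7906a8f8d31177e1a48341158747e05e5681349839774bb47534165b47e3795
2908
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms~RF21a40f.TMP
binary
MD5: 2b5f9ce995344bb68849651d813667e6
SHA256: 048919bd7df179676dbc837dd4df7bd20bc7e8ba0f39cf799259c0a7420c394a
2908
CCleaner.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ed7a5cc3cca8d52a.customDestinations-ms
binary
MD5: 2b5f9ce995344bb68849651d813667e6
SHA256: 048919bd7df179676dbc837dd4df7bd20bc7e8ba0f39cf799259c0a7420c394a
2908
CCleaner.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat
––
MD5: ––
SHA256: ––
"""


@dataclass(frozen=True)
class FileEvent:
    pid: int
    process: str
    path: str
    ftype: Optional[str]
    md5: Optional[str]
    sha256: Optional[str]


def _value(s):
    s = s.strip()
    return None if s in ("", "––", "--") else s


def parse_file_activity(text):
    """Turn the flattened listing into FileEvent records, refusing misaligned input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 6:
        raise ValueError("listing is not a whole number of six-line records")
    events = []
    for i in range(0, len(lines), 6):
        pid, proc, path, ftype, md5, sha = lines[i:i + 6]
        if not (pid.isdigit() and md5.startswith("MD5:") and sha.startswith("SHA256:")):
            raise ValueError(f"record starting at line {i + 1} is misaligned")
        events.append(FileEvent(int(pid), proc, path, _value(ftype),
                                _value(md5[4:]), _value(sha[7:])))
    return events


# Artifact classes an examiner relies on, keyed to path fragments (matched
# case-insensitively). The mapping is this example's own, not the report's.
ARTIFACT_PATTERNS = {
    "jump_list": r"\\Recent\\(Custom|Automatic)Destinations\\",
    "browser_history": r"\\(Profiles\\[^\\]+\\places\.sqlite|User Data\\[^\\]+\\History)(-\w+)?$",
    "ie_index_dat": r"\\index\.dat$",
    "thumbcache": r"\\Explorer\\ThumbCacheToDelete\\",
    "sqlite_temp": r"\\Temp\\etilqs_",
}
_COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in ARTIFACT_PATTERNS.items()}


def classify(path):
    """Artifact classes a path belongs to (empty set if none)."""
    return {name for name, rx in _COMPILED.items() if rx.search(path)}


def summarize(events):
    """Per (pid, process): artifact classes touched; plus SHA256 values shared by
    more than one path, such as a jump list and its ~RF*.TMP twin."""
    classes, by_hash = defaultdict(set), defaultdict(set)
    for ev in events:
        classes[(ev.pid, ev.process)] |= classify(ev.path)
        if ev.sha256:
            by_hash[ev.sha256].add(ev.path)
    twins = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return dict(classes), twins


def flag_indicator_removal(events, min_classes=3):
    """Processes that rewrite at least min_classes independent artifact classes in
    one run: a cleaner doing its job, or anti-forensics (MITRE ATT&CK T1070)."""
    classes, _ = summarize(events)
    return {proc for proc, seen in classes.items() if len(seen) >= min_classes}


if __name__ == "__main__":
    evs = parse_file_activity(SAMPLE)
    print(summarize(evs))
    print("flagged:", flag_indicator_removal(evs))
```

The flag itself does not decide intent. Rewriting jump lists, history databases and index.dat files is the expected behaviour of the CCleaner 5.35 that is part of the sandbox preset; the same file pattern from a process the sample spawned would be indicator removal. This section does not show who started CCleaner.exe (PID 2908), so check the process tree (the parent of PID 2908) before reading it either way.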

Network activity

HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2908 CCleaner.exe GET 301 151.101.0.64:80 http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127 US –– –– whitelisted

Connections

PID Process IP ASN CN Reputation
2908 CCleaner.exe 151.101.0.64:80 Fastly US whitelisted
2908 CCleaner.exe 151.101.0.64:443 Fastly US whitelisted
2908 CCleaner.exe 151.101.2.202:443 Fastly US unknown

DNS requests

Domain IP Reputation
www.piriform.com 151.101.0.64, 151.101.64.64, 151.101.128.64, 151.101.192.64 whitelisted
www.ccleaner.com 151.101.2.202, 151.101.66.202, 151.101.130.202, 151.101.194.202 whitelisted
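
Added example (not part of the report): joining the Connections table against the DNS answers, so that each connection is attributed to the name that resolved to its IP. The two tables are copied from above as constructed input; the join and the two finding categories are this example's own. It makes explicit why 151.101.2.202:443 is scored unknown in one table while www.ccleaner.com is whitelisted in the other: the tables score the IP and the name separately, and an analyst has to join them.

```python
from collections import defaultdict

# Rows copied from the Connections and DNS tables above (constructed input for
# this example): (pid, process, ip, port, asn, country, reputation).
CONNECTIONS = [
    (2908, "CCleaner.exe", "151.101.0.64", 80, "Fastly", "US", "whitelisted"),
    (2908, "CCleaner.exe", "151.101.0.64", 443, "Fastly", "US", "whitelisted"),
    (2908, "CCleaner.exe", "151.101.2.202", 443, "Fastly", "US", "unknown"),
]

# domain -> (A records returned, reputation)
DNS = {
    "www.piriform.com": (["151.101.0.64", "151.101.64.64",
                          "151.101.128.64", "151.101.192.64"], "whitelisted"),
    "www.ccleaner.com": (["151.101.2.202", "151.101.66.202",
                          "151.101.130.202", "151.101.194.202"], "whitelisted"),
}


def ip_to_domains(dns):
    """Invert the DNS table: every answered IP -> the names that resolved to it."""
    index = defaultdict(set)
    for domain, (answers, _rep) in dns.items():
        for ip in answers:
            index[ip].add(domain)
    return index


def attribute_connections(connections, dns):
    """Tag each connection with the domains whose answers include its IP.
    A CDN (Fastly here) fronts many names on one address, so this is a list;
    an empty list is a connection to an IP that no lookup in the capture returned."""
    index = ip_to_domains(dns)
    rows = []
    for pid, proc, ip, port, _asn, _cn, rep in connections:
        rows.append({"pid": pid, "process": proc, "ip": ip, "port": port,
                     "domains": sorted(index.get(ip, ())), "reputation": rep})
    return rows


def review(connections, dns):
    """Findings an analyst acts on: direct-to-IP connections (no DNS attribution,
    a common C2 tell) and connections the sandbox scored other than whitelisted
    although every name resolving to that IP is whitelisted."""
    direct_ip, mismatch = [], []
    for row in attribute_connections(connections, dns):
        endpoint = f"{row['ip']}:{row['port']}"
        if not row["domains"]:
            direct_ip.append(endpoint)
        elif row["reputation"] != "whitelisted" and all(
                dns[d][1] == "whitelisted" for d in row["domains"]):
            mismatch.append((endpoint, row["domains"]))
    return {"direct_ip": direct_ip, "reputation_mismatch": mismatch}


if __name__ == "__main__":
    for row in attribute_connections(CONNECTIONS, DNS):
        names = ", ".join(row["domains"]) or "(no DNS answer)"
        print(f"{row['ip']}:{row['port']:<4} {row['reputation']:<12} {names}")
    print(review(CONNECTIONS, DNS))
```

The 301 on port 80 followed by a connection to the same IP on 443 is consistent with a redirect to HTTPS, but this table only shows endpoints; the PCAP in the full report is what confirms it.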

Threats

No threats detected.

Debug output strings

No debug info.