General Info

File name: PCclear_Eng_mini.exe
Full analysis: https://app.any.run/tasks/d437bf9d-3c01-4398-bb90-8d44fb41a76d
Verdict: Malicious activity
Analysis date: 2/10/2019, 21:13:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: b41541e6a56a4b091855938cefc8b0f0
SHA1: 8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7
SHA256: d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1
SSDEEP: 384:ph8qCjcowiUJTIWIC0pc36+6rD5uH3XGJH3R1Dn/EMkudSGqoVU:fMw1JTYhCXXIXvr/JjAGx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Signatures are listed in descending severity (MALICIOUS, then SUSPICIOUS, then INFO).
Downloads executable files from the Internet
  • PCclear_Eng_mini.exe (PID: 2980)
Application was dropped or rewritten from another process
  • pcclear_active.exe (PID: 2272)
  • pcclear_active.exe (PID: 3660)
Changes the autorun value in the registry
  • pcclear_active.exe (PID: 2272)
Loads dropped or rewritten executable
  • pcclear_active.exe (PID: 2272)
Creates files in the Windows directory
  • PCclear_Eng_mini.exe (PID: 2980)
Executable content was dropped or overwritten
  • pcclear_active.exe (PID: 2272)
  • PCclear_Eng_mini.exe (PID: 2980)
Starts CMD.EXE for commands execution
  • pcclear_active.exe (PID: 2272)
Creates files in the user directory
  • pcclear_active.exe (PID: 2272)
Creates files in the program directory
  • pcclear_active.exe (PID: 2272)
Check for Java to be installed
  • iexplore.exe (PID: 3500)
Creates a software uninstall entry
  • pcclear_active.exe (PID: 2272)
Removes files from Windows directory
  • cmd.exe (PID: 3564)
Application launched itself
  • iexplore.exe (PID: 3500)
Changes internet zones settings
  • iexplore.exe (PID: 3500)
Application was crashed
  • PCclear_Eng_mini.exe (PID: 2980)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1728)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:09:15 05:59:15+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 12288
InitializedDataSize: 16384
UninitializedDataSize: null
EntryPoint: 0x3532
OSVersion: 4
ImageVersion: null
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: null
LanguageCode: Korean
CharacterSet: Unicode
CompanyName: null
FileDescription: PCclear_Eng_mini MFC 응용 프로그램 (Korean: "PCclear_Eng_mini MFC application")
FileVersion: 1, 0, 0, 1
InternalName: PCclear_Eng_mini
LegalCopyright: Copyright (C) 2007
LegalTrademarks: null
OriginalFileName: PCclear_Eng_mini.EXE
ProductName: PCclear_Eng_mini 응용 프로그램 (Korean: "PCclear_Eng_mini application")
ProductVersion: 1, 0, 0, 1
Summary
Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 15-Sep-2007 03:59:15
Detected languages: Korean - Korea
CompanyName: null
FileDescription: PCclear_Eng_mini MFC 응용 프로그램 (Korean: "PCclear_Eng_mini MFC application")
FileVersion: 1, 0, 0, 1
InternalName: PCclear_Eng_mini
LegalCopyright: Copyright (C) 2007
LegalTrademarks: null
OriginalFilename: PCclear_Eng_mini.EXE
ProductName: PCclear_Eng_mini 응용 프로그램 (Korean: "PCclear_Eng_mini application")
ProductVersion: 1, 0, 0, 1
DOS Header
Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8
PE Headers
Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 15-Sep-2007 03:59:15
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics: IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00002985 | 0x00003000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.59331
.rdata | 0x00004000 | 0x00001042 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.07453
.data | 0x00006000 | 0x000007A8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.06396
.rsrc | 0x00007000 | 0x00000960 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.24918
Resources: 1, 2, 102, 128
Imports
    WININET.dll
    MFC42.DLL
    MSVCRT.dll
    KERNEL32.dll
    USER32.dll
    ADVAPI32.dll
    SHELL32.dll
    urlmon.dll

Exports
    No exports.

Processes

Total processes: 44
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

PCclear_Eng_mini.exe (PID 2980)
    download and start -> pcclear_active.exe (PID 3660, no specs)
    download and start -> pcclear_active.exe (PID 2272)
        start -> cmd.exe (PID 3564, no specs)
iexplore.exe (PID 3500)
    iexplore.exe (PID 1728, no specs)
    iexplore.exe (PID 2348, no specs)

Process information

PID: 2980
CMD: "C:\Users\admin\Desktop\PCclear_Eng_mini.exe"
Path: C:\Users\admin\Desktop\PCclear_Eng_mini.exe
Indicators (from Behavior activities): downloads executable files from the Internet; creates files in the Windows directory; executable content was dropped or overwritten; application was crashed
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Company:
Description: PCclear_Eng_mini MFC 응용 프로그램 (Korean: "PCclear_Eng_mini MFC application")
Version: 1, 0, 0, 1
Modules
c:\users\admin\desktop\pcclear_eng_mini.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\odbcint.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\temp\pcclear_active.exe
c:\windows\system32\mpr.dll

PID: 3660
CMD: "C:\WINDOWS\Temp\pcclear_active.exe"
Path: C:\WINDOWS\Temp\pcclear_active.exe
Indicators: No indicators
Parent process: PCclear_Eng_mini.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requires elevation and could not be started from a medium-integrity process; only ntdll.dll was mapped before it exited)
Company:
Description:
Version:
Modules
c:\windows\temp\pcclear_active.exe
c:\systemroot\system32\ntdll.dll

PID: 2272
CMD: "C:\WINDOWS\Temp\pcclear_active.exe"
Path: C:\WINDOWS\Temp\pcclear_active.exe
Indicators (from Behavior activities): dropped or rewritten from another process; changes the autorun value in the registry; loads dropped executable; starts CMD.EXE; creates files in the user and program directories; creates a software uninstall entry
Parent process: PCclear_Eng_mini.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Company:
Description:
Version:
Modules (the nsh280c.tmp\*.dll plug-ins below are the plug-in directory of an NSIS installer; note killprocdll.dll and selfdelete.dll among them)
c:\windows\temp\pcclear_active.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\nsisos.dll
c:\windows\system32\crtdll.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\textreplace.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\killprocdll.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\dllwaitforkillprogram.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\odbcint.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\iefunctions.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\dllwebcount.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\users\admin\appdata\local\temp\nsh280c.tmp\selfdelete.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\pcclear_plus\pcclear_plus.exe
c:\program files\pcclear_plus\uninstall.exe
c:\windows\system32\netutils.dll

PID: 3500
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators (from Behavior activities): checks for Java to be installed; application launched itself; changes internet zones settings
Parent process: –– (the -Embedding switch indicates COM activation rather than a monitored parent)
User: admin
Integrity Level: HIGH
Exit code: 1
Company: Microsoft Corporation
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\url.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\linkinfo.dll

PID: 1728
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3500 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: No indicators (Behavior activities: reads Internet Cache Settings)
Parent process: iexplore.exe (PID 3500, per SCODEF:3500)
User: admin
Integrity Level: HIGH
Exit code: 0
Company: Microsoft Corporation
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll

PID: 2348
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3500 CREDAT:145409
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: No indicators
Parent process: iexplore.exe (PID 3500, per SCODEF:3500)
User: admin
Integrity Level: HIGH
Exit code: 0
Company: Microsoft Corporation
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll

PID: 3564
CMD: cmd /c \DelUS.bat (a root-relative path: \DelUS.bat resolves against the root of the current drive)
Path: C:\Windows\system32\cmd.exe
Indicators: No indicators (Behavior activities: removes files from Windows directory)
Parent process: pcclear_active.exe (PID 2272, the high-integrity instance credited with starting CMD.EXE)
User: admin
Integrity Level: HIGH
Exit code: 1
Company: Microsoft Corporation
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
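
Reading the process records above the way an analyst would: the first pcclear_active.exe instance (PID 3660) ends at MEDIUM integrity with exit code 3221226540, which is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED), and the same image is then started again by the same parent and runs at HIGH integrity (PID 2272). With "Autoconfirmation of UAC" on, that is what a loader triggering a UAC prompt looks like in a process list. The script below is an added example written for this page, not code from the ANY.RUN report: it rebuilds the process tree from the records transcribed above and flags that failed-then-elevated relaunch pattern. The parent PIDs for the child processes are the editor's inference from the report (SCODEF:3500 for the IE tabs; cmd.exe's parent is the pcclear_active.exe instance that the signatures credit with starting CMD.EXE), and the NTSTATUS name table is a small hand-picked subset.

```python
"""Added example (editor's code, not part of the ANY.RUN report): rebuild the
process tree from the Process information records and decode exit codes.

Assumptions: NTSTATUS_NAMES is a hand-picked subset; parent PIDs were resolved
by the editor from the 'Parent process' field and IE's SCODEF:<pid> switch."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NTSTATUS codes that commonly surface as process exit codes in sandbox output.
NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",   # image needs admin; launch refused
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]   # None where the report shows '--' (no monitored parent)
    integrity: str          # MEDIUM / HIGH as reported
    exit_code: int          # unsigned 32-bit value exactly as the report prints it


# Transcribed from the report. 3500 has no parent because '-Embedding' means it was
# COM-activated; 1728/2348 name their parent via SCODEF:3500; cmd.exe's parent is the
# pcclear_active.exe instance the signatures credit with starting CMD.EXE (2272).
PROCS: List[Proc] = [
    Proc(2980, "PCclear_Eng_mini.exe", None, "MEDIUM", 0),
    Proc(3660, "pcclear_active.exe", 2980, "MEDIUM", 3221226540),
    Proc(2272, "pcclear_active.exe", 2980, "HIGH", 0),
    Proc(3500, "iexplore.exe", None, "HIGH", 1),
    Proc(1728, "iexplore.exe", 3500, "HIGH", 0),
    Proc(2348, "iexplore.exe", 3500, "HIGH", 0),
    Proc(3564, "cmd.exe", 2272, "HIGH", 1),
]


def decode_exit_code(code: int) -> Tuple[str, str]:
    """Return (hex, name). Severity bits 11 mark an NTSTATUS error; else a plain code."""
    code &= 0xFFFFFFFF
    if code >> 30 == 0b11:
        return f"0x{code:08X}", NTSTATUS_NAMES.get(code, "unknown NTSTATUS error")
    return f"0x{code:08X}", "plain exit code"


def process_tree(procs: List[Proc]) -> List[str]:
    """Indented one-line-per-process view, roots first, children in report order."""
    children: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        children.setdefault(p.parent, []).append(p)
    lines: List[str] = []

    def walk(parent: Optional[int], depth: int) -> None:
        for p in children.get(parent, []):
            hexcode, name = decode_exit_code(p.exit_code)
            lines.append(f"{'    ' * depth}{p.image} (PID {p.pid}, {p.integrity}, "
                         f"exit {hexcode} {name})")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


def find_elevation_relaunch(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(failed_pid, relaunched_pid) pairs: same image and parent, the first instance
    ended with STATUS_ELEVATION_REQUIRED, a sibling instance then ran at HIGH."""
    hits: List[Tuple[int, int]] = []
    for failed in procs:
        if (failed.exit_code & 0xFFFFFFFF) != 0xC000042C:
            continue
        for again in procs:
            if (again is not failed and again.image == failed.image
                    and again.parent == failed.parent and again.integrity == "HIGH"):
                hits.append((failed.pid, again.pid))
    return hits


if __name__ == "__main__":
    print("\n".join(process_tree(PROCS)))
    print("elevation relaunches:", find_elevation_relaunch(PROCS))
```

The relaunch check keys on the exit code rather than on integrity alone because a HIGH-integrity child of a MEDIUM parent is also what any legitimately elevated installer produces; it is the failed first attempt plus the retry that marks an automatic elevation path worth inspecting.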

Registry activity

Total events: 616
Read events: 513
Write events: 103
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5} | Compatibility Flags | 1024
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\intmedia\activex_Eng | activex_pid | )
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASAPI32 | EnableFileTracing | 0
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASAPI32 | EnableConsoleTracing | 0
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASAPI32 | FileTracingMask | 4294901760
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASAPI32 | ConsoleTracingMask | 4294901760
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASAPI32 | MaxFileSize | 1048576
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASAPI32 | FileDirectory | %windir%\tracing
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASMANCS | EnableFileTracing | 0
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASMANCS | EnableConsoleTracing | 0
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASMANCS | FileTracingMask | 4294901760
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASMANCS | ConsoleTracingMask | 4294901760
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASMANCS | MaxFileSize | 1048576
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PCclear_Eng_mini_RASMANCS | FileDirectory | %windir%\tracing
2980 | PCclear_Eng_mini.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2980 | PCclear_Eng_mini.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value omitted)
2980 | PCclear_Eng_mini.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2980 | PCclear_Eng_mini.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\intmedia\activex_Eng | Install | installed
2980 | PCclear_Eng_mini.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5} | install | installed
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\PCClear_Plus_Global | Install_Dir | C:\Program Files\PCClear_Plus
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | PCClear_Plus | "C:\Program Files\PCClear_Plus\PCClear_Plus.exe" /shide
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCClear_Plus | DisplayName | PCClear_Plus
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCClear_Plus | UninstallString | "C:\Program Files\PCClear_Plus\Uninstall.exe"
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5} | Compatibility Flags | 1024
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\PCClearPlus | ver | 20071011
2272 | pcclear_active.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | PCClear_Plus | "C:\Program Files\PCClear_Plus\PCClear_Plus.exe" /shide
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASAPI32 | EnableFileTracing | 0
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASAPI32 | EnableConsoleTracing | 0
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASAPI32 | FileTracingMask | 4294901760
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASAPI32 | ConsoleTracingMask | 4294901760
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASAPI32 | MaxFileSize | 1048576
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASAPI32 | FileDirectory | %windir%\tracing
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASMANCS | EnableFileTracing | 0
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASMANCS | EnableConsoleTracing | 0
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASMANCS | FileTracingMask | 4294901760
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASMANCS | ConsoleTracingMask | 4294901760
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASMANCS | MaxFileSize | 1048576
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\pcclear_active_RASMANCS | FileDirectory | %windir%\tracing
2272 | pcclear_active.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2272 | pcclear_active.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value omitted)
2272 | pcclear_active.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2272 | pcclear_active.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2272 | pcclear_active.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | GlobalAssocChangedCounter | 52
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000006A000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive | {724D38A5-2D70-11E9-BAD8-5254004A04AF} | 0
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307020000000A0014000E0014001A01
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Type | 4
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Count | 3
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Time | E307020000000A0014000E0014001A01
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | (value omitted)
3500 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3600000036000000560300008E020000
1728 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Type | 3
1728 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | 3
1728 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | (record truncated in the export) |
Time
E307020000000A0014000E001400B601
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
19
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307020000000A0014000E001400E501
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
52
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307020000000A0014000E0014009102
1728
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
44
1728
iexplore.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
deployment.modified.timestamp
1535457888987
1728
iexplore.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
deployment.roaming.profile
false
1728
iexplore.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
deployment.version
8
1728
iexplore.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
deployment.expired.version
11.92.2
1728
iexplore.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-500\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
deployment.browser.path
C:\Program Files\Internet Explorer\iexplore.exe
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
4
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307020000000A0014000E0016004302
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
27
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307020000000A0014000E0016009102
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
55
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
4
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307020000000A0014000E001600C002
2348
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
46
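The Time values under Ext\Stats and the Window_Placement value in the table above are REG_BINARY blobs that the report prints as raw hex. The decoder below is an added example written for this page, not code from ANY.RUN or from the sample: it unpacks the two standard Win32 layouts involved, SYSTEMTIME (eight little-endian WORDs) and WINDOWPLACEMENT (length, flags, showCmd, two POINTs and a RECT), and reads deployment.modified.timestamp as Java-style milliseconds since the Unix epoch, which is an assumption about that value rather than something the report states. The constants are copied from the rows above.

```python
import struct
from datetime import datetime, timezone

# Constants copied from the registry rows above. Added example for this page;
# the structure layouts are standard Win32, the Java-millis reading is an assumption.
EXT_STATS_TIME = "E307020000000A0014000E0014001A01"   # Ext\Stats\{...}\iexplore\Time
WINDOW_PLACEMENT = ("2C0000000000000001000000FFFFFFFFFFFFFFFF"
                    "FFFFFFFFFFFFFFFF3600000036000000560300008E020000")
JAVA_MODIFIED_TS = 1535457888987                       # deployment.modified.timestamp

DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday")
SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL",
            2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED"}


def decode_systemtime(hexstr: str) -> dict:
    """Unpack a 16-byte SYSTEMTIME: wYear, wMonth, wDayOfWeek, wDay, wHour,
    wMinute, wSecond, wMilliseconds as little-endian WORDs."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME is 16 bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    ts = datetime(year, month, day, hour, minute, second, ms * 1000)
    # wDayOfWeek counts Sunday as 0; datetime.weekday() counts Monday as 0.
    # A mismatch means the bytes are not a SYSTEMTIME even though they unpacked.
    if (ts.weekday() + 1) % 7 != dow:
        raise ValueError("wDayOfWeek disagrees with the calendar date")
    return {"timestamp": ts, "day_of_week": DAY_NAMES[dow]}


def decode_windowplacement(hexstr: str) -> dict:
    """Unpack a 44-byte WINDOWPLACEMENT: length, flags, showCmd, ptMinPosition,
    ptMaxPosition, rcNormalPosition (left, top, right, bottom)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 44:
        raise ValueError(f"WINDOWPLACEMENT is 44 bytes, got {len(raw)}")
    (length, flags, show_cmd, min_x, min_y, max_x, max_y,
     left, top, right, bottom) = struct.unpack("<3I8i", raw)
    if length != 44:
        raise ValueError(f"length field is {length}, expected 44")
    return {
        "flags": flags,
        "show_cmd": SHOW_CMD.get(show_cmd, f"SW_{show_cmd}"),
        "min_position": (min_x, min_y),   # (-1, -1) means not set
        "max_position": (max_x, max_y),
        "normal_rect": (left, top, right, bottom),
        "size": (right - left, bottom - top),
    }


def decode_java_millis(value: int) -> datetime:
    """Read deployment.modified.timestamp as milliseconds since the Unix epoch
    (Java's System.currentTimeMillis() convention; assumed, not stated by the report)."""
    seconds, millis = divmod(value, 1000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=millis * 1000)


if __name__ == "__main__":
    print(decode_systemtime(EXT_STATS_TIME))
    print(decode_windowplacement(WINDOW_PLACEMENT))
    print(decode_java_millis(JAVA_MODIFIED_TS).isoformat())
```

Decoded, the first Ext\Stats Time is 2019-02-10 20:14:20.282 with wDayOfWeek = 0 (Sunday), which is consistent with the 10 February 2019 analysis date; the day-of-week cross-check is what separates a real SYSTEMTIME from 16 bytes that merely happen to unpack. The Window_Placement rect (54, 54, 854, 654) is an 800x600 SW_SHOWNORMAL window. The Java value decodes to 2018-08-28 12:04:48 UTC, about five and a half months before the analysis, so the DeploymentProperties writes by the iexplore.exe instances look like the sandbox image's own Java plug-in rewriting its settings rather than something the sample introduced; treat that as an inference from the timestamp, not a finding of the report.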

Files activity

Executable files: 24
Suspicious files: 41
Text files: 13
Unknown types: 15

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2980 | PCclear_Eng_mini.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\PCClearPlus_active[1].exe | executable | 85b84272eac48a2c4dc52f8426fb7e5e | 378acdc6c2d43759a1828b5aafa6f3c1641b250de22bee62d2c459d40916ae87
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus.exe | executable | 2ffb0bc9089a283cd01bae6dd4168826 | d86098dbf01e099d0d34e1cf900383fc03e350148aeda9a2471a864feb4f4383
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\Pcpupk.dll | executable | 088396c6c4cdab9b3d312b79bdb63b00 | 80864b1840741effe65f808effaf6057fc20ad4c7e01d5204a832b834bb39abf
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClearPlusET.dll | executable | 1fce7c8b12f01cf552afaf6f83ef9462 | bff8fb218858921c5c2516ab7a8b5b41740786f994f6e6bc797b270c79fe05ae
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCclear_Plus_Update.exe | executable | 71eff967a59c07c72aa0009c679f7706 | 43721b70b2de44b3fef1c188d51d5a9013e7877a8cffc67ec608c4dcfdb118ad
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_EI.dll | executable | 717ad4fc17e3741a27d5bfd0e5bd2994 | 7a67edc525c54ee7a77209465c20c45fd0afcdb024bb883082bb15163ca2abe1
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\Uninstall.exe | executable | 239e26664aa55a15c8094c34f540387b | bdcf8266a7550f8e52cc079ce86d6a3e56b38f6bf274408e8a871e0d6d27dd81
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\KillProcDLL.dll | executable | 6958016193a066833556992077bad4fe | f38c669c87f2a73768a27a01622690997e9d93d5ca3830b349bd24c3ff9f8d2e
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\msvcp60.dll | executable | 04ad4bc3f3829cbb5fa4d2cc9c2c824b | 0a88f818a57006d9907675d9ed801dc758b095af0b5542238fe84de63a1d7f4e
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\textreplace.dll | executable | 72d1177bad86f4df8eaee2a8afe50e6f | c058f4439617bdb2019c90abd9920070a23f751b9349051d0744280cd5d9c5d7
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\IEFunctions.dll | executable | 9701818d39318145dd164794ef3a3846 | 3122b0413f74e88518cfd1b9c6e18435dd326ca177a2374b6405df78f43e776a
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_EH.dll | executable | 3a01c957888289518947b7e0108b5d0d | 1c857001eef2666c1f387b7a8de774905ef954e048ecfe981d7ff4a334e1dd28
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\nsisos.dll | executable | 69806691d649ef1c8703fd9e29231d44 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_EF.dll | executable | 4ea5211cb0ea015bf395903aecdc3f6d | 65e11534647ab4b72ddee07041d903dd9a841c4c0111419662ddf83260a04da4
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\DLLWebCount.dll | executable | 4deb2c6f2cd1db4b3ed0950c3c442861 | cc51e034c91d3fe9ffe1dbfc79d6e5682e9f0e57ba21392706575819198cb1c0
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_EA.dll | executable | 73d045fcf56b1c7f418dfade81513940 | 6a93a06927a4129ba558055afa8d8bd04dbd780b4ba9ee07488769edfb87ea29
2980 | PCclear_Eng_mini.exe | C:\WINDOWS\Temp\pcclear_active.exe | executable | 85b84272eac48a2c4dc52f8426fb7e5e | 378acdc6c2d43759a1828b5aafa6f3c1641b250de22bee62d2c459d40916ae87
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_R.exe | executable | be2f89f9f3cc5b4110defeb3e5ff4ee8 | 9c9dfb023f03f5bf5a7fdd46977c8c5a337ca3939d88e93b9f96a90bd1c804c2
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\SelfDelete.dll | executable | 7bf1bd7661385621c7908e36958f582e | c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_ET.dll | executable | 46bad73386cb576e7d7b3527aae40d60 | b48fe568bdaf3c8b2a57701009e072b2a63adfcc5ca2316a3249cb8fa7d2505b
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_ER.dll | executable | df3d28b639204ec22bcdeb7672694a99 | e56faa28155d2ee2374fbe568fc47cc6434ed110a44ee96dd8be3e7170fd1bfd
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_EU.exe | executable | 4e21ac87fceccdefb51b8114743cd981 | b0567ab70a04bfb99a2ae458f53bc439ac46cabb01d06c29b6f75739c54b69bc
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\PCClear_Plus_VI.dll | executable | 9fda2bda378b9d450c02f220767826a0 | 7c7eef74f2a5abe1c066f592b376a98f595d9acf962ca885a1b69857a029aed1
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\DLLWaitForKillProgram.dll | executable | 9c4b8ec42d89f7557bfd90798ce52787 | ed52bdad7b383a179b9b0e21fefdda2d72695c5263a815d5e1e0bfac6c718548
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi020.ads | binary | e1723be03a190e70bf47f72cec67b7f9 | 2aa7c2ad994be4e6ddcbafd984996d0b7aee13bb36f300b81a03236709b86150
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico | –– | –– | ––
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{724D38A6-2D70-11E9-BAD8-5254004A04AF}.dat | binary | ba7078acc7ddca5e18931d06cd10cc86 | e63b7fe572d458679970348cf4cae7085cbce30fe1a0d4d3c579133f4a4e7ebf
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF1B60D96360C0CF90.TMP | –– | –– | ––
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\inst_act[1].htm | –– | –– | ––
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\favicon[1].png | image | 9fb559a691078558e77d6848202f6541 | 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\favicon[1].ico | –– | –– | ––
2272 | pcclear_active.exe | C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PCClear_Plus.lnk | lnk | bb70ad5de9661bdaf3cb4060e7ec0d36 | d599f56edb5b4b014f7b515983b958e78673917cd4b8d38dc5e338bfb8147fd2
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\partner.ini | text | 4123b77745ca1d5878f7d77ef3c8f978 | 569818543f5aab71aeb4812ed6471f276c801c2eedd688d4457d8e9809adfee1
2272 | pcclear_active.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PCClear_Plus.lnk | lnk | bb70ad5de9661bdaf3cb4060e7ec0d36 | d599f56edb5b4b014f7b515983b958e78673917cd4b8d38dc5e338bfb8147fd2
2272 | pcclear_active.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\PCClear_Plus.lnk | lnk | 8d54c9f480c174a76cc0fd93dc2f8857 | 5a645f7ba3cec3bdda163ac8c1f6962a8bfc2e8f0fdc594c1afbd9928df40b37
2272 | pcclear_active.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCClear_Plus\Uninstall PCClear_plus.lnk | lnk | 69492d93b61ad7fb22ef58d18674f252 | 2ec81900bd9a2a3b0daf8eb8f7b1f0044542401604a049891fcb3e11cd1d2a48
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\xndb.ads | text | b4b8bbb64660e959dfa030fa31e4c2b6 | 52172fcc6138f6e8e47bb983c552dddb7167e5fe07da72b23c6c65cafd076e95
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\xdb.ads | text | 9d7076af8d7d514965dad5bb6b4be42f | f6f4f719315e5906219186945f74f120c4b6829c80b9a782aa570877c07a7196
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\xcdb.ads | text | e786384eb39321f0dd167f62c02474a6 | 73e7e0898fa0a55d88cecf06f2ab67b67722e0109cda1d87b5cad145b0f11624
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vidx.ads | binary | 002d0b967db77bfd4e77a68d8097e45b | 1c712c34c1504aa3c4f436486f3470b63f50e524d4dd2561d8a6c50cebca139e
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vidb.ads | binary | ff6aa835e8dc3e5979e996891ba98765 | 679db5ffa297207ed03944951d21efc0c6a8ae142d1c0ea93e7232b6b8fcbcd6
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi033.ads | binary | 661a11c1a8749c9b741f7cecf6267921 | afcdd8fce2656de25a4424f1e3a275fd22814aa724b475b0bdd7049cb166f76f
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi032.ads | binary | bb84db9037b9d74be2aa723a3190aee2 | ab28dca2c0fdb33154aaa61f88a3a165531cef43b04d9ee5adf9265f867480a9
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi031.ads | binary | 612a9ae361e8ed840928e7ee5fe2c2f0 | 06e21d23940525f5856564306b3e670535c858c665640e697226fa6f79edacc0
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi030.ads | binary | 5f48fdfbb54c46be80692ce782b89897 | 483bc2c4ad7771ea51f5788ec49639ef76f78101960a13eefb2b7324e982dbc9
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi026.ads | binary | 52287b122d23f3ed7159755e8bc23ed3 | 5ed334fb23e21c8b89370190d1a319cde9ce0c7a2532a5e5e2b261d42f64193e
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi027.ads | binary | 88777020db1981c50ceba2d36d7b15ab | 7219f201721338bcc2b55631fc74379886af7e966296573b4b8ad2a1157bcc56
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi025.ads | binary | 93af0f2192357e9367950602ca7281c3 | 01febd1f3d9e246f663125402e818d95fff7de29936e6ccb45fd300c7cfcd7cc
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi029.ads | binary | 2c2990d29f15528dc37839c6f04f0ba1 | 5d6d8d2897a25bd1bcc6f0ce46e7d3129ce7adff4770efa20d965a0b81bd92c4
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi028.ads | binary | 29f8d0f09d57953740b66941c03eac4f | cede7037045787dbb9a7e972b2bc171aa5d6d8fc0d10ef58b376bd26f5ca3e00
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi019.ads | binary | 2b05f0f885118c6b9c13478abadb597c | a4476567a3e702648ec8b1f4e932608126af7ecfa2e5cd26135ca2ab5cf00b4e
2980 | PCclear_Eng_mini.exe | C:\Windows\Temp\mclear_Eng.ini | text | e5f56a56e00081373ee1916244541264 | 1ec488a40be13d11f56e553a26c65cb2fdda085882f8cc8c642b95ac47c675c3
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi023.ads | binary | 9bb6962b53c7e7f22105d2e6d9e54fb3 | 1822910ab52690025462e03ee9c7a84be19cb8a9721b0050a91a196f39c13e9b
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi021.ads | binary | fa0ce4dacf667c2b78d69a9eeeceb58b | 716c133e1e119c4c488a6d6711f659359a6b1b019634ea7155e7e685fe5d099d
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi024.ads | binary | a064b8fc96cde9dae6022cffa91e7316 | a05a4ddc51338ece8d0f7878149b87ccf5106a91d4a92e8e693d6078118f112d
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi022.ads | binary | 7839c126fcc471f01ee0cf530dc92949 | 949489e594c29ed6966a45223c1178b982885126499e24808bc8b8fe4f127e3c
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi018.ads | binary | ee106ffd1db40b1bb5e22c9e90e958e7 | 18242b3ae2a4a35d1e13e2af02c159526ad6db076457a9e3011edd74d316f688
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi014.ads | binary | b43592e6e6a080409563df2044754550 | 01d0653125b533298c9f3b6fd47d4d2baa350bad8393f5af51ae7089159993e7
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi016.ads | binary | 2646630d3bbb2e7410e2e149c8c6a02a | d8d6811b11fd13c11e52be8099be9f59a208d8ca53e9a8a0728509e724cecceb
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi015.ads | binary | 10ba2c2d07d76632a1368c70304aac40 | 8faa098bdb451077424e17ccf2522a03c358b6f2759ea7917a0c43aede1c3d6e
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi017.ads | binary | 64097a91079973330f612c9d2dd18bfc | 4e8a05bc725ca58ce29e499e0614b5c919c23867a4fc407802dd6c348b32d172
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi013.ads | binary | 3b42fbf7fc4a64a582f399cd72c68b8e | be3ce95eda8c90749bd719213ed9d84de72b2bdd2c74c61a8d89c1589744255d
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi010.ads | binary | 1f0309c098d6f0743a315ef3cf0b23ef | 64a830d5e92a6c5644b012385838f2bb4798918b23b312ac6eff74d6ce3d5f0c
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi012.ads | binary | 431e31a2f6c287041302f57d168cba10 | 6c0f4419e35239597f8c05d620e0e32b72f6e6c4a461f0e69f7ba057c318c2f1
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi008.ads | binary | 0cc75b2258a3a331cab62794d6a538b5 | 3eeaf14239cf238cfe8fb8d08d104e99ab13b2c4261d6db406a51d944d92a691
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi009.ads | binary | f6639c21a720c11300a9307f8d6ea862 | 91b97d4329c9c424de810713b1959cabe6362c1254f3bd0cf3e7a5c333beb452
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi011.ads | binary | 484bdec011bff768a5af6dd798582ffb | efe38587cbe92270e971cc51e6541d3749af65c784fbefaf33d58f40df44d3c3
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi005.ads | binary | 4dd2a99dcea60bdb38bea9c0bf3f1a0c | d7c0cbb4920969a2faf3ed926b481f23a03ffdc717e539a78a267bed9e5c77b8
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi004.ads | binary | 860d6b752b5b611e8dffdadb3927bbc3 | f9c42beaf673682ef2aaec9245f7d518a64cc7d31bfcc39c54c5d28cd28eaf5d
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi006.ads | binary | 67d38b51f1ca714d90bc5d726d393f97 | 64aa687d161000755f1b878fc15cc10ad5bbb2e51d5b1d1b34ab4e5081c872c6
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi003.ads | binary | 36c6cad613394983540d429db957849c | 433061be8ae4cc48a628ab265a625dd27d4dda0cec2f58b60671b2874b3b8e63
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi007.ads | binary | 2a5400cc0d5b3953311e175216cc5344 | ab54c9585f9c658b08dcec705d82033cab951557ec7d3f813d28f419877cc2b9
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi001.ads | binary | 75bb8ff6369ef1098165dfd64be9c366 | cdb65d71f6f8b8131bb8f8e0c7caee2af8c8b79a59789524ceb8d284b2ea4525
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\addb.ads | binary | 05f4b3530813068f05125097b0c4fc95 | ef58862ebae8e586e74b2b4760444bd02189c09757dae323ceec88cd3782bc7b
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\adpdb.ads | binary | 2d0420cd0bc3a5341236e73ef894f661 | 44874636d6b99373cf5c1145bfd2b10bf7388c5dd43e8210e5a7bf3bf5f82f9a
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\vi002.ads | binary | 693cfecce3d164c3380c79c131dcd13b | a8562e005158901de3cb94d226ac99ad1dac5d78e5d27d0429776156bc07c45a
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\tdb.ads | binary | e38a1a89bde7811dd62d23dee4e7c940 | 1355c0079b3f6ba838c5798308f6a6348f3784e849bc74f3628db8f63fd698da
2272 | pcclear_active.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCClear_Plus\PCClear_Plus.lnk | lnk | 5da16220727c0df4b32e8f7922fb923d | 39ffd79c5bb48e29e89beb7b4651952304dd116f5b23bc7aeecdea2445b264eb
3500 | iexplore.exe | C:\Users\Administrator\NTUSER.DAT | hiv | 89730d127636716f6e27bdd03ea478f5 | abdfb933cd18c736efff8452c6dc08eae7c442df84a260ba4a79281dda61230e
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\Version.dat | ini | 682566ad21fd042ecfb69c1f7e01296f | 62f06453f7456ff6e1a35cb4a645de7a5213b1d51d3e785041b68bfe1c277f76
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\adcrdb.ads | binary | e3f13788faa99e6e9d364592f20b2241 | 0b1a5d1643353e04f0472dda7a778b80ea9a5867b5e0ce66ffcdf64dcd98503b
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\acbdb.ads | text | 91958f2445ae79bf2fee8569a42e3700 | 7ff80af35453fb5a11e5ce7b9c2a8b8f869b02d64a9b9c1e80f897e623dc99a3
3500 | iexplore.exe | C:\Users\Administrator\NTUSER.DAT.LOG1 | log | 6a231f973a2b556aa2a7d49117bfdabf | f15cc606846f369ca5ec99bff5488ca3b9548198f1f29f2796d7e2f348eca9f2
3500 | iexplore.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 | log | 6b0baf20c722a55fb0bf247658565689 | 7dd36ca0d385297f1edbe61dfe1cfdfd252d1d03d8b54929a04ea50af8afc9fd
3500 | iexplore.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat | hiv | 2564e05ee300513fbf9428f320fc1d77 | d289bbdf6194a750a81390b669f27923182aa236c8f243ddb9f6f047e50af234
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{724D38A5-2D70-11E9-BAD8-5254004A04AF}.dat | –– | –– | ––
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF42ADF728C3FB923E.TMP | –– | –– | ––
1728 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log | text | 546d05546b5fe570393e2265f33f6e45 | 0afab65bb03773968359165ea0854c777b9342212e2b22929ec6165f530d327a
2348 | iexplore.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat | hiv | dd3c18fa8ba30265a84b5477c8d8ebe8 | c1ba06d2c38d5aac73a497df5c352b1bdcf857258cadc3c631f58e88c33401f1
2348 | iexplore.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 | log | 783fe3a6666afbea25e738046fbdf56b | 112ab8a80513d683f315866895753914fc8b036d9ed4242c2244d4b490b5035b
1728 | iexplore.exe | C:\Users\Administrator\NTUSER.DAT | hiv | 291f187be27ec155021c31b768fa06fb | 1a7f93b26f74160bc9c9046d7caf71df9277098ab44aeb349ceb4381958cbcb7
1728 | iexplore.exe | C:\Users\Administrator\NTUSER.DAT.LOG1 | log | 25d4a7e8fdaafcf8188e213d3ff477e5 | a156c0f5fb624052180c100d6137218bd5166a3bc896698849cec7ce4e8496d3
2272 | pcclear_active.exe | C:\Program Files\PCClear_Plus\Config.dat | text | d4ac28cbcc1a850b0ea57cbabe8502d1 | 72a427968af29d6f41ebf02278518adea0ab12ce09107162d098ddfea450f37b
2272 | pcclear_active.exe | C:\DelUS.bat | text | 185df0c62c5f79a37eaf381da28d31ef | e1df08c38368e81368dfe44c4d7f9adb432479d35b75b7082f6ea85e3d774c2c
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{724D38A8-2D70-11E9-BAD8-5254004A04AF}.dat | binary | a805349a6a5ad26ecc4df3df0830cd7d | aa044eac80c6ff08470577e6e76bd3982416b73da3cdba30cbacea79e1b04107
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFA4FF99461B31725A.TMP | –– | –– | ––
2272 | pcclear_active.exe | C:\Users\Administrator\Desktop\PCClear_Plus.lnk | lnk | a1e37446c902a6da40616cacfc830268 | 9c1cbffe9bf20a24eabb2651c56bbcacb9c2fa64db38c4dd720c98a06ac43af9
2272 | pcclear_active.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\adexp[1].php | –– | –– | ––
3500 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].png | image | 9fb559a691078558e77d6848202f6541 | 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3500 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | –– | –– | ––
2980 | PCclear_Eng_mini.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\mclear_Eng[1].htm | text | e5f56a56e00081373ee1916244541264 | 1ec488a40be13d11f56e553a26c65cb2fdda085882f8cc8c642b95ac47c675c3
2272 | pcclear_active.exe | C:\Users\admin\Desktop\PCClear_Plus.lnk | lnk | a1e37446c902a6da40616cacfc830268 | 9c1cbffe9bf20a24eabb2651c56bbcacb9c2fa64db38c4dd720c98a06ac43af9
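The same content appears more than once in the table above: PCClearPlus_active[1].exe in the IE cache and C:\WINDOWS\Temp\pcclear_active.exe share one SHA256, and mclear_Eng[1].htm shares its hash with C:\Windows\Temp\mclear_Eng.ini. The script below is an added example for this page, not ANY.RUN code: it parses the six-line-per-file layout of the report's text export, groups records by SHA256, reports cache-to-disk pairs (content seen both under Temporary Internet Files\Content.IE5 and at another path) and collects the unique hashes of dropped executables. The embedded sample is a constructed subset of the rows above; further rows can be pasted in the same layout.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Dropped files" rows above, in the
# six-line layout of the report's text export. Added example for this page.
SAMPLE = r"""
2980
PCclear_Eng_mini.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\PCClearPlus_active[1].exe
executable
MD5: 85b84272eac48a2c4dc52f8426fb7e5e
SHA256: 378acdc6c2d43759a1828b5aafa6f3c1641b250de22bee62d2c459d40916ae87
2980
PCclear_Eng_mini.exe
C:\WINDOWS\Temp\pcclear_active.exe
executable
MD5: 85b84272eac48a2c4dc52f8426fb7e5e
SHA256: 378acdc6c2d43759a1828b5aafa6f3c1641b250de22bee62d2c459d40916ae87
2272
pcclear_active.exe
C:\Users\admin\AppData\Local\Temp\nsh280C.tmp\KillProcDLL.dll
executable
MD5: 6958016193a066833556992077bad4fe
SHA256: f38c669c87f2a73768a27a01622690997e9d93d5ca3830b349bd24c3ff9f8d2e
2980
PCclear_Eng_mini.exe
C:\Windows\Temp\mclear_Eng.ini
text
MD5: e5f56a56e00081373ee1916244541264
SHA256: 1ec488a40be13d11f56e553a26c65cb2fdda085882f8cc8c642b95ac47c675c3
2980
PCclear_Eng_mini.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\mclear_Eng[1].htm
text
MD5: e5f56a56e00081373ee1916244541264
SHA256: 1ec488a40be13d11f56e553a26c65cb2fdda085882f8cc8c642b95ac47c675c3
3500
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
––
MD5:  ––
SHA256:  ––
"""

IE_CACHE_MARKER = "\\Temporary Internet Files\\Content.IE5\\"   # WinINet cache directory

def _hash_or_none(line, label, width):
    """'MD5: <hex>' / 'SHA256: <hex>'; the report prints a dash when no hash was captured."""
    head, sep, value = line.partition(":")
    if not sep or head.strip().upper() != label:
        raise ValueError(f"expected a {label} line, got {line!r}")
    value = value.strip().lower()
    return value if re.fullmatch(rf"[0-9a-f]{{{width}}}", value) else None

def parse_dropped_files(text):
    """Six lines per record: PID, process, path, type, MD5 line, SHA256 line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 6:
        raise ValueError("expected six lines per record")
    records = []
    for i in range(0, len(lines), 6):
        pid, process, path, ftype, md5_line, sha_line = lines[i:i + 6]
        records.append({
            "pid": int(pid), "process": process, "path": path,
            "type": ftype if ftype.isalnum() else None,   # a dash marks an unknown type
            "md5": _hash_or_none(md5_line, "MD5", 32),
            "sha256": _hash_or_none(sha_line, "SHA256", 64),
        })
    return records

def group_by_sha256(records):
    groups = defaultdict(list)
    for r in records:
        if r["sha256"]:
            groups[r["sha256"]].append(r)
    return dict(groups)

def cache_copy_chains(records):
    """(sha256, cache_path, other_path) for content seen both in the WinINet cache
    (Content.IE5) and elsewhere: the footprint of a download fetched through
    WinINet and then written to its working location."""
    chains = []
    for sha, group in group_by_sha256(records).items():
        cached = [r["path"] for r in group if IE_CACHE_MARKER.lower() in r["path"].lower()]
        others = [r["path"] for r in group if IE_CACHE_MARKER.lower() not in r["path"].lower()]
        chains.extend((sha, c, o) for c in cached for o in others)
    return chains

def executable_iocs(records):
    """Unique SHA256 of every dropped PE, ready for a blocklist or a retro-hunt."""
    return sorted({r["sha256"] for r in records if r["type"] == "executable" and r["sha256"]})

if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for sha, src, dst in cache_copy_chains(recs):
        print(f"{sha[:12]}  {src}\n              -> {dst}")
    print("\n".join(executable_iocs(recs)))
```

In this run both halves of the first pair are written by PID 2980 (PCclear_Eng_mini.exe), the process that issued the GET for http://down.pcclear.com/active/PCClearPlus_active.exe, and the Temp copy is the pcclear_active.exe that runs as PID 2272 and populates C:\Program Files\PCClear_Plus. A shared hash proves identical content, not the direction of the copy; the download-then-copy reading rests on the cache entry being the WinINet artifact of that GET. The mclear_Eng[1].htm / mclear_Eng.ini pair shows the same pattern for the response to the mclear_Eng.php request. Records without a captured hash (the favicon row) are kept, but with md5 and sha256 set to None so they never collide in the grouping.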

Network activity

HTTP(S) requests: 6
TCP/UDP connections: 5
DNS requests: 5
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2980 | PCclear_Eng_mini.exe | GET | 200 | 114.108.160.134:80 | http://global.pcclear.com/active/mclear_Eng.php?pid=) | KR | text | –– | unknown
2980 | PCclear_Eng_mini.exe | GET | 200 | 210.112.11.142:80 | http://down.pcclear.com/active/PCClearPlus_active.exe | KR | executable | –– | suspicious
3500 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | –– | whitelisted
2272 | pcclear_active.exe | GET | 200 | 114.108.160.134:80 | http://nac.pcclear.com/app/pcceng/inst_act.php?pid= | KR | text | –– | unknown
3500 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | –– | whitelisted
2272 | pcclear_active.exe | GET | 200 | 199.191.50.184:80 | http://log.onmuz.com/logonmuz/adexp.php?bpid=pcceng&bnum=pcceng_inst&pid=pcceng_ | VG | html | –– | unknown

Connections

PID Process IP ASN CN Reputation
2980 PCclear_Eng_mini.exe 114.108.160.134:80 LG DACOM Corporation KR unknown
2980 PCclear_Eng_mini.exe 210.112.11.142:80 Sejong Telecom KR suspicious
3500 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
2272 pcclear_active.exe 114.108.160.134:80 LG DACOM Corporation KR unknown
2272 pcclear_active.exe 199.191.50.184:80 Confluence Networks Inc VG unknown

DNS requests

Domain | IP | Reputation
global.pcclear.com | 114.108.160.134 | unknown
down.pcclear.com | 210.112.11.142 | suspicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
nac.pcclear.com | 114.108.160.134 | unknown
log.onmuz.com | 199.191.50.184 | unknown

Threats

PID Process Class Message
2980 PCclear_Eng_mini.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP

Debug output strings

No debug info.