Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:366514
Start time:13:07:49
Joe Sandbox Product:Cloud
Start date:18.09.2017
Overall analysis duration:0h 14m 32s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:CCleaner.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection:MAL
Classification:mal72.evad.spyw.winEXE@1/11@2/5
HCA Information:Failed
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Sleeps bigger than 20000ms are automatically reduced to 500ms
  • Found application associated with file extension: .exe
Warnings:
  • Max analysis timeout: 600s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, WMIADAP.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy:Threshold
Score:72
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious


Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: CCleaner.exe; virustotal: 8/64 detections: McAfee-GW-Edition: Artemis!Trojan, Paloalto: generic.ml, McAfee: Artemis!EF694B89AD7A, Qihoo-360: Trojan.Generic, Tencent: Win32.Trojan.Gen.Anvr, Ikarus: Win32.Outbreak, Malwarebytes: Trojan.Nyetya, ClamAV: Win.Trojan.Floxif-6336251-0

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\CCleaner.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\CCleaner.exe; Code function: 0_2_000E22CB InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpAddRequestHeadersA,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,LocalAlloc,InternetQueryDataAvailable,LocalAlloc,memcpy,InternetReadFile,LocalFree,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_000E22CB
Downloads files
Source: C:\Users\user\Desktop\CCleaner.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GNNUVO51\app_cc_pro_trialkey[1].htm
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected:
    GET /verify/?p=ccpro&c=cc&cv=5.33.6162&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=FEB2-8J35-8PDX-HZIY-N8IC-Q332-9Y73-E5HP-9XTW HTTP/1.1
    User-Agent: Mozilla/4.0 (CCleaner, 5.33.6162)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: license.piriform.com
Found strings which match to known social media urls
Source: CCleaner.exe; String found in binary or memory: Error %d - %sPNG1100COMBOBOX%I64d&cc%dccteccbeFreeccproProfessionalTechnicianMozilla/4.0 (CCleaner, %s)BusinessBRANDINGCCleanerThank you for purchasing CCleaner Professional.Piriform CCleaner ActivationYour upgrade is complete.PNG101COMBOBOX0&%d%I64dccbeccccproccteTechnicianFreeBusinessProfessionalCCleanerMozilla/4.0 (CCleaner, %s)CCleanerBRANDING%s%s - %s*.piriform.com0||mail.google.comlogin.live.comgoogle.com/accountswww.google.com/accountswww.google.comgoogle.comwebmail.earthlink.netaccounts.google.commail.yahoo.commail.netscape.comwebmail.aol.comyahoo.comfastmail.fmmy.screenname.aol.commail.rumail.lycos.comovi.com/services/signinauth.me.comwww.mail.lycos.comlogin.comcast.netmy.screenname.aol.commail.aol.comscreenname.aol.comicloud.comfacebook.comaol.com0twitter.comPNGEVENTS_WINDOW_MESSAGE equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: Facebook Metro equals www.facebook.com (Facebook)
Source: CCleaner.exe; String found in binary or memory: Intelligent Cookie Scan'Intelligently scan for cookies to keep?pThis will allow CCleaner to keep your persistent logins for websites, such as GMail, Outlook.com and Yahoo Mail. equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: This will allow CCleaner to keep your persistent logins for websites, such as Hotmail, GMail and Yahoo Mail equals www.hotmail.com (Hotmail)
Source: CCleaner.exe; String found in binary or memory: This will allow CCleaner to keep your persistent logins for websites, such as Hotmail, GMail and Yahoo Mail equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: Twitter Metro equals www.twitter.com (Twitter)
Source: CCleaner.exe; String found in binary or memory: Yahoo Messenger equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: Yahoo Toolbar equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: [Facebook Metro] equals www.facebook.com (Facebook)
Source: CCleaner.exe; String found in binary or memory: [Twitter Metro] equals www.twitter.com (Twitter)
Source: CCleaner.exe; String found in binary or memory: [Yahoo Messenger] equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: [Yahoo Toolbar] equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: CCleaner.exe; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.piriform.com
Urls found in memory or binary data
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown; Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49241 -> 443
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected:
    GET /verify/?p=ccpro&c=cc&cv=5.33.6162&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=FEB2-8J35-8PDX-HZIY-N8IC-Q332-9Y73-E5HP-9XTW HTTP/1.1
    User-Agent: Mozilla/4.0 (CCleaner, 5.33.6162)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: license.piriform.com

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite-wal
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite-wal
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite-shm
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite-shm
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_USERS\Software\Globalscape\CuteFTP 9
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Professional
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GPSoftware\Directory Opus
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Globalscape\CuteFTP 9
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_USERS\Software\SmartFTP
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Home
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 7 Professional
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: HKEY_LOCAL_MACHINE\SOFTWARE\GlobalSCAPE\CuteFTP 8 Home

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CCleaner.exe; Code function: 0_2_000E1E2A LoadLibraryA,GetProcAddress,GetModuleFileNameExA,CloseHandle,0_2_000E1E2A
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CCleaner.exe; Code function: 0_2_01285506 push ecx; ret 0_2_01285519

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\CCleaner.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Reads internet explorer settings
Source: C:\Users\user\Desktop\CCleaner.exe; Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings
Executable creates window controls seldom found in malware
Source: C:\Users\user\Desktop\CCleaner.exe; Window found: window name: SysTabControl32
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\CCleaner.exe; Key opened: HKEY_USERS\Software\Microsoft\Office\8.0\Common
PE file has a big code size
Source: CCleaner.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
PE file has a valid certificate
Source: CCleaner.exe; Static PE information: certificate valid
Submission file is bigger than most known malware samples
Source: CCleaner.exe; Static file information: File size 7680216 > 1048576
PE file has a big raw section
Source: CCleaner.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x334e00
Source: CCleaner.exe; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x288200
PE file imports many functions
Source: CCleaner.exe; Static PE information: More than 200 imports for KERNEL32.dll
PE file contains a mix of data directories often seen in goodware
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CCleaner.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: CCleaner.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: s:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb source: CCleaner.exe
PE file contains a valid data directory to section mapping
Source: CCleaner.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CCleaner.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CCleaner.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CCleaner.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CCleaner.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Classification label
Source: classification engine; Classification label: mal72.evad.spyw.winEXE@1/11@2/5
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\CCleaner.exe; Code function: 0_2_000E203A GetCurrentProcess,OpenProcessToken,time,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,0_2_000E203A
Creates files inside the user directory
Source: C:\Users\user\Desktop\CCleaner.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\tmp.edb
PE file has an executable .text section and no other executable section
Source: CCleaner.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\CCleaner.exe; WMI Queries: IWbemServices::ExecQuery - SELECT UniqueId,ProcessorId,Name,Manufacturer FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\CCleaner.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\CCleaner.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: CCleaner.exe; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CCleaner.exe; Binary or memory string: select url from snapshots;select url from sites;select url from favorites;
Source: CCleaner.exe; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: CCleaner.exe; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: CCleaner.exe; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CCleaner.exe; Binary or memory string: select * from meta where key='last_compatible_version';origin_bound_certsselect host_key, creation_utc from cookies;valueautofillselect host, creation_time from channel_id;channel_idselect origin, creation_time from origin_bound_certs;SELECT pair_id, date_created FROM autofill_dates;SELECT pair_id FROM autofill;autofill_datesSELECT name, value, value_lower, count FROM autofill;SELECT origin_url, action_url, username_element, username_value, password_element, password_value, submit_element, signon_realm, ssl_valid, preferred, date_created, blacklisted_by_user, scheme FROM logins;loginsSELECT url_hash, password_value, date_created FROM ie7_logins;ie7_loginsselect host from HostQuotaTable;HostQuotaTableselect origin from OriginInfoTable;OriginInfoTableselect show_in_default_list, safe_for_autoreplace from keywords;keywordsselect favicon_id from urls;urlsfavorites.dbstash.dbbookmarks.dbBookmarksPRAGMA table_info(%s)%s\QuotaManager%s\Origin Bound Certs%s\cookiesselect host_key,creation_utc, name, value, encrypted_v
Sample is known by Antivirus (Virustotal or Metascan)Show sources
Source: CCleaner.exeVirustotal: hash found
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\CCleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Creates mutexes
Source: C:\Users\user\Desktop\CCleaner.exe Mutant created: \Sessions\1\BaseNamedObjects\Piriform_CCleaner_PreventSecondInstance
Source: C:\Users\user\Desktop\CCleaner.exe Mutant created: \Sessions\1\BaseNamedObjects\Piriform_CCleaner_SystemTrayIconActive
PE file contains executable resources (Code or Archives)
Source: CCleaner.exe Static PE information: Resource name: BRANDING type: ump; PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Source: CCleaner.exe Static PE information: Resource name: RT_STRING type: ump; Hitachi SH big-endian COFF object, not stripped
PE file contains strange resources
Source: CCleaner.exe Static PE information: Resource name: RT_BITMAP type: ump; GLS_BINARY_LSB_FIRST
Source: CCleaner.exe Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\CCleaner.exe File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: CCleaner.exe Binary or memory string: OriginalFilenamebranding.dll\ vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenamewship6.dll.muij% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenameKernelbasej% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenameuser32j% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs CCleaner.exe
Source: CCleaner.exe Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs CCleaner.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: esent.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: credssp.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: sensapi.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\CCleaner.exe Section loaded: ntdsapi.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: CCleaner.exe Binary or memory string: %s|%d|%I64d|%d|%d0|%s|%d|%d|%d|%s|%I64d|%d||%d|||LMN|%d||Shell_TrayWndLMN
Source: CCleaner.exe Binary or memory string: Progman
Source: CCleaner.exe Binary or memory string: Program Manager
Source: CCleaner.exe Binary or memory string: Shell_TrayWnd

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_01284811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_01284811
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_0128FCD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0128FCD8
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Windows\system32\en-US\filemgmt.dll.mui
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Windows\system32\filemgmt.dll
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\CCleaner.exe System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_0128FCD8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0128FCD8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_000E1E2A LoadLibraryA,GetProcAddress,GetModuleFileNameExA,CloseHandle,0_2_000E1E2A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_012A1699 mov eax, dword ptr fs:[00000030h] 0_2_012A1699

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Users\user\Desktop\CCleaner.exe Process information queried: ProcessInformation
Enumerates the file system
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\CCleaner.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CCleaner.exe TID: 3696 Thread sleep time: -1080000s >= -60s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CCleaner.exe WMI Queries: IWbemServices::ExecQuery - SELECT UniqueId,ProcessorId,Name,Manufacturer FROM Win32_Processor
Found evasive API chain checking for user administrative privileges
Source: C:\Users\user\Desktop\CCleaner.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode graph_0-1489
Found evasive API chains implementing implicit delay functionality
Source: C:\Users\user\Desktop\CCleaner.exe Implicit delay: IcmpCreateFile, DecisionNode, Sleep, time graph_0-1534
Source: C:\Users\user\Desktop\CCleaner.exe Implicit delay: IcmpCreateFile, DecisionNode, IcmpSendEcho, time graph_0-1534
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\CCleaner.exe WMI Queries: IWbemServices::ExecQuery - SELECT Manufacturer,SMBIOSBIOSVersion,IdentificationCode,SerialNumber,ReleaseDate,Version FROM Win32_BIOS
Source: C:\Users\user\Desktop\CCleaner.exe WMI Queries: IWbemServices::ExecQuery - SELECT Model,Manufacturer,Name,SerialNumber FROM Win32_BaseBoard
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\CCleaner.exe System information queried: FirmwareTableInformation

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\CCleaner.exe Process information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: CCleaner.exe Binary or memory string: DetectFile1=%ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
Source: CCleaner.exe Binary or memory string: DetectFile2=%ProgramFiles%\Malwarebytes Anti-Malware\mbam.exe

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_0128556B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0128556B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\CCleaner.exe Code function: 0_2_000E1DCB GetVersionExA,OpenProcess,0_2_000E1DCB
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\CCleaner.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the installation date of Windows
Source: C:\Users\user\Desktop\CCleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\CCleaner.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\tmp.edb VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CCleaner.exe Queries volume information: C:\Users\user\Desktop\CCleaner.exe VolumeInformation

Behavior Graph

[Figure: behavior graph, ID 366514. Sample: CCleaner.exe; start date: 18/09/2017; architecture: WINDOWS; score: 72. Process CCleaner.exe is shown with the signatures "Found evasive API chain checking for user administrative privileges", "Found evasive API chains implementing implicit delay functionality" and "Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)" (3 further signatures hidden), and with connections to www.piriform.com (151.101.0.64, 443) and license.piriform.com.]

Simulations

Behavior and APIs

Time | Type | Description
13:09:51 | API Interceptor | 257x Sleep call for process: CCleaner.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

Source | Ratio | Cloud | Link
CCleaner.exe | 8/64 | virustotal | Browse

Dropped Files

No Antivirus matches

Domains

Source | Ratio | Cloud | Link
license.piriform.com | 0/65 | virustotal | Browse
www.piriform.com | 0/64 | virustotal | Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

No context

Startup

  • system is w7_1
  • CCleaner.exe (PID: 3564 cmdline: 'C:\Users\user\Desktop\CCleaner.exe' MD5: EF694B89AD7ADDB9A16BB6F26F1EFAF7)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
File Type:data
Malicious:false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
File Type:data
Malicious:false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
File Type:data
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3HOVZAYJ\verify[1].htm
File Type:HTML document text
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GNNUVO51\app_cc_pro_trialkey[1].htm
File Type:ASCII text, with no line terminators
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JBDEVYJT\verify[1].htm
File Type:ASCII text, with no line terminators
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk
File Type:empty
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log
File Type:data
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
File Type:empty
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\tmp.edb
File Type:data
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXYHVQSA28XX47ICN0BK.temp
File Type:data
Malicious:false

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
license.piriform.com | 151.101.0.64 | true | false | 0/65, virustotal, Browse
www.piriform.com | 151.101.0.64 | true | false | 0/64, virustotal, Browse

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
23.34.203.27 | United States | 577 | BellCanada | false
8.8.8.8 | United States | 15169 | GoogleInc | false
192.168.1.16 | unknown | unknown | unknown | false
23.34.197.163 | United States | 577 | BellCanada | false
151.101.0.64 | United States | 137 | GARRItalianacademicandresearchnetwork | false

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.30%
  • Windows ActiveX control (116523/4) 1.15%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Com Scriptlet (9000/0) 0.09%
  • Generic Win/DOS Executable (2004/3) 0.02%
File name:CCleaner.exe
File size:7680216
MD5:ef694b89ad7addb9a16bb6f26f1efaf7
SHA1:8983a49172af96178458266f93d65fa193eaaef2
SHA256:6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
SHA512:73b55632babc25a1194cf2df91a0480f35960a407c676024b095c408906fc747bb0aac8b62354f426a0e733c9877b1b3638cfd860c9803979b07994ff938235e

Static PE Info

General

Entrypoint:0x4d4dfd
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5982EBF9 [Thu Aug 03 09:25:13 2017 UTC]
TLS Callbacks:0x4d12d0
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:0a2846d08c140716112b3f476b4f75f8

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 8/12/2015 2:00:00 AM 10/11/2018 1:59:59 AM
Subject Chain
  • CN=Piriform Ltd, O=Piriform Ltd, L=London, S=London, C=GB
Version:3
Thumbprint:F4BDA9EFA31EF4A8FA3B6BB0BE13862D7B8ED9B0
Serial:4B48B27C8224FE37B17A6A2ED7A81C9F

Entrypoint Preview

Instruction
call 10CD243Eh
jmp 10CD1B63h
push 00888E80h
call dword ptr [00736410h]
ret
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 10CD119Fh
jmp 10CD1CB0h
mov ecx, dword ptr [ebp-14h]
xor ecx, ebp
call 10CD118Eh
jmp 10CD1C9Fh
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0082E088h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0082E088h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x429b38 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x691000 | 0x288188 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x74fe00 | 0x32d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x91a000 | 0x3f72c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a1350 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3a13a4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x33aae0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x336000 | 0xa68 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4291d4 | 0x160 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x334d01 | 0x334e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x336000 | 0xf7526 | 0xf7600 | False | 0.27573703575 | ump; data | 4.55320749929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x42e000 | 0x25f4cc | 0x5a800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids | 0x68e000 | 0x11d4 | 0x1200 | False | 0.384982638889 | ump; ACB archive data | 4.11345994361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x690000 | 0x9 | 0x200 | False | 0.033203125 | ump; data | 0.0203931352361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x691000 | 0x288188 | 0x288200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x91a000 | 0x3f72c | 0x3f800 | False | 0.472617802657 | ump; data | 6.53156734598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
AFX_DIALOG_LAYOUT | 0x7c56e8 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c56f0 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c56f8 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5708 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5700 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5740 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5710 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5718 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5720 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5730 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5728 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x7c5738 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x69fde0 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x69fde8 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x69fdf0 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x69fdf8 | 0x2 | ump; data | English | Great Britain
AFX_DIALOG_LAYOUT | 0x69fe00 | 0x2 | ump; data | English | Great Britain
BRANDING | 0x7d8458 | 0xd4d8 | ump; PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit | English | Great Britain
INI | 0x6a0510 | 0x47fc | ump; ISO-8859 English text, with CRLF line terminators | English | United States
INI | 0x69fe08 | 0x701 | ump; ISO-8859 English text, with CRLF line terminators | English | United States
INI | 0x6a4d10 | 0x2cfe5 | ump; ISO-8859 English text, with CRLF, LF line terminators | English | United States
PNG | 0x840c50 | 0x18f | ump; PNG image, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x840de0 | 0x238 | ump; PNG image, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x841018 | 0x5059 | ump; PNG image, 205 x 45, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8602d8 | 0x219 | ump; PNG image, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8604f8 | 0x258 | ump; PNG image, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x884888 | 0x203 | ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8858d0 | 0x358 | ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x887490 | 0x153 | ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x888078 | 0x34a | ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x889c08 | 0x2c6 | ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8900a8 | 0x114e | ump; PNG image, 49 x 46, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8911f8 | 0x18a8 | ump; PNG image, 61 x 57, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x892aa0 | 0x1e62 | ump; PNG image, 73 x 69, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x894908 | 0x30a5 | ump; PNG image, 98 x 92, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8979b0 | 0x475d | ump; PNG image, 122 x 115, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x87c800 | 0x6328 | ump; PNG image, 206 x 48, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x882b28 | 0x608 | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x883130 | 0x801 | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x883938 | 0x782 | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8840c0 | 0x7c3 | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x860750 | 0x3f16 | ump; PNG image, 490 x 270, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x864668 | 0x7b96 | ump; PNG image, 205 x 257, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8cacd8 | 0x27fe | ump; PNG image, 768 x 64, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8d0990 | 0x13d | ump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8d0ad0 | 0x167 | ump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8d0c38 | 0x182 | ump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8d0dc0 | 0x197 | ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8d0f58 | 0x213 | ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x885c28 | 0x41d | ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x886048 | 0x4fb | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x886548 | 0x6b0 | ump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x886bf8 | 0x896 | ump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8875e8 | 0x21e | ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x887808 | 0x253 | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x887a60 | 0x275 | ump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x887cd8 | 0x39e | ump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x884a90 | 0x286 | ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x884d18 | 0x2ef | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x885008 | 0x3ee | ump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8853f8 | 0x4d2 | ump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8883c8 | 0x410 | ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x8887d8 | 0x51c | ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG | 0x888cf8 | 0x6d1 | ump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain
PNG0x8893d00x832ump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x889ed00x3a9ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88a2800x43dump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88a6c00x5bbump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88ac800x71cump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d3ed80x1f4ump; PNG image, 18 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d40d00x266ump; PNG image, 23 x 23, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d43380x2c9ump; PNG image, 28 x 28, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d46080x386ump; PNG image, 37 x 37, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d49900x470ump; PNG image, 46 x 46, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88b3a00x10dump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88b4b00x1efump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88b6a00x1baump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88b8600x165ump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88b9c80x20bump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88bbd80x10dump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88bce80x1e0ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88bec80x17dump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c0480x165ump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c1b00x20eump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c3c00xf3ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c4b80xfaump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c5b80x119ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c6d80x14bump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c8280x17eump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88c9a80xefump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88ca980xfeump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88cb980x11aump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88ccb80x14fump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88ce080x181ump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88cf900x105ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d0980x115ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d1b00x122ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d2d80x16cump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d4480x1a1ump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d5f00x103ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d6f80x118ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d8100x126ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88d9380x16fump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88daa80x1a5ump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88dc500xdeump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88dd300xe9ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88de200xf0ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88df100x138ump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e0480x16aump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e1b80xdcump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e2980xe8ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e3800xf2ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e4780x13dump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e5b80x16fump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d1ef00x1b7ump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d20a80x21cump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d22c80x279ump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d25480x310ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d28580x3bcump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89d6900x386ump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89da180x4c2ump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89dee00x665ump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89e5480x998ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89eee00xd0fump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cd4d80x2b0ump; PNG image, 32 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cd7880x3c5ump; PNG image, 42 x 21, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cdb500x4a3ump; PNG image, 52 x 26, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cdff80x5d7ump; PNG image, 63 x 31, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ce5d00x715ump; PNG image, 84 x 42, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bbc780x5e2ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bc2600x6f5ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bc9580x7cbump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bd1280xa5fump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bdb880xcfaump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8be8880x7c6ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bf0500x7a2ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bf7f80xa9eump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c02980x11ecump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c14880x176eump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c2bf80x823ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c34200xa2cump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c3e500xc07ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c4a580x102fump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c5a880x125fump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c6ce80x6b6ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c73a00x8b7ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c7c580xafcump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c87580x110eump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8c98680x146aump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ba9580x109ump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8baa680x464ump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8baed00x462ump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bb3380x479ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8bb7b80x4b9ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8303880x6dcump; PNG image, 24 x 23, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x830a680x939ump; PNG image, 30 x 29, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8313a80xb1fump; PNG image, 36 x 34, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x831ec80x1151ump; PNG image, 48 x 46, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8330200x17beump; PNG image, 60 x 57, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x83fe880x7a9ump; PNG image, 68 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8406380x122ump; PNG image, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8407600x103ump; PNG image, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8408680x146ump; PNG image, 14 x 14, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8409b00x134ump; PNG image, 14 x 14, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x840ae80x164ump; PNG image, 14 x 14, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8b9c580x1c6ump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8b9e200x21dump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ba0400x26fump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ba2b00x2f4ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ba5a80x3adump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x7e59300x1524ump; PNG image, 64 x 60, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7e6e580x1d78ump; PNG image, 80 x 75, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7e8bd00x27c8ump; PNG image, 96 x 90, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7eb3980x3a7aump; PNG image, 128 x 120, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7eee180x51f4ump; PNG image, 160 x 150, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7f40100x3946ump; PNG image, 120 x 113, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7f79580x4aadump; PNG image, 150 x 141, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x7fc4080x6301ump; PNG image, 180 x 169, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x8027100xaa7bump; PNG image, 240 x 226, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x80d1900xcc64ump; PNG image, 300 x 282, 8-bit/color RGB, non-interlacedEnglishGreat Britain
PNG0x8347e00x107fump; PNG image, 48 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8358600x157dump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x836de00x1dc2ump; PNG image, 72 x 72, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x838ba80x2facump; PNG image, 96 x 96, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x83bb580x432cump; PNG image, 120 x 120, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e7280x102ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e8300x1b6ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88e9e80x16cump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88eb580x170ump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88ecc80x201ump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88eed00xf6ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88efc80xffump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f0c80x118ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f1e00x14fump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f3300x182ump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f4b80xddump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f5980xe9ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f6880xf3ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f7800x13eump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88f8c00x16fump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88fa300x112ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88fb480x119ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88fc680x127ump; PNG image, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88fd900x170ump; PNG image, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x88ff000x1a6ump; PNG image, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89fbf00xc6ump; PNG image, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89fcb80xfdump; PNG image, 11 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89fdb80x121ump; PNG image, 13 x 12, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89fee00xedump; PNG image, 18 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x89ffd00x115ump; PNG image, 22 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a00e80xc5ump; PNG image, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a01b00xfaump; PNG image, 11 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a02b00xddump; PNG image, 13 x 12, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a03900x14aump; PNG image, 18 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a04e00x128ump; PNG image, 22 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a06080xc0ump; PNG image, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a06c80xcbump; PNG image, 10 x 11, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a07980x116ump; PNG image, 12 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a08b00xebump; PNG image, 16 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a09a00x11bump; PNG image, 20 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0ac00xbeump; PNG image, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0b800xd0ump; PNG image, 10 x 11, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0c500xdcump; PNG image, 12 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0d300xe8ump; PNG image, 16 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0e180xffump; PNG image, 20 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0f180xbcump; PNG image, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a0fd80xcbump; PNG image, 10 x 11, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a10a80x112ump; PNG image, 12 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a11c00xefump; PNG image, 16 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a12b00x119ump; PNG image, 20 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a13d00xbfump; PNG image, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a14900xcfump; PNG image, 10 x 11, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a15600xdeump; PNG image, 12 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a16400xecump; PNG image, 16 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a17300xfaump; PNG image, 20 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a18300xbeump; PNG image, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a18f00xc8ump; PNG image, 11 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8a19b80xbda3ump; PNG image, 13 x 12, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ad7600xe8ump; PNG image, 18 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ad8480x109ump; PNG image, 22 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ad9580xceump; PNG image, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ada280xcaump; PNG image, 11 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8adaf80xf6ump; PNG image, 13 x 12, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8adbf00xeeump; PNG image, 18 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8adce00xbf71ump; PNG image, 22 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d11700x12dump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d12a00x13aump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d13e00x161ump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d15480x18aump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d16d80x1caump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d18a80xffump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d19a80x11bump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d1ac80x135ump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d1c000x160ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d1d600x18cump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d5a200xf6ump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d5b180xcdump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d5be80x10cump; PNG image, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d5cf80x240ump; PNG image, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x86c2000x27dump; PNG image, 26 x 21, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d6b680x39cump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d6f080x717ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d76200x7e5ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d7e080x937ump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d87400xa5eump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d91a00x4a5ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d96480x7f5ump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d9e400x8f0ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8da7300xabfump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8db1f00xcb7ump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8dbea80x438ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8dc2e00x7afump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8dca900x87fump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8dd3100xa53ump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ddd680xc5fump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8de9c80x796ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8df1600xbeeump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8dfd500xda8ump; PNG image, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e0af80x114bump; PNG image, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e1c480x14d6ump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e31200x7faump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e39200x8e2ump; PNG image, 62 x 62, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e42080xa08ump; PNG image, 75 x 75, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e4c100xc4fump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e58600xf37ump; PNG image, 125 x 125, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cece80x325ump; PNG image, 32 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cf0100x472ump; PNG image, 42 x 21, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cf4880x55fump; PNG image, 52 x 26, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8cf9e80x6aeump; PNG image, 63 x 31, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d00980x8f3ump; PNG image, 84 x 42, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x819df80x1a01ump; PNG image, 73 x 66, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x81b8000x26c0ump; PNG image, 91 x 83, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x81dec00x32efump; PNG image, 110 x 99, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8211b00x47e5ump; PNG image, 146 x 132, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8259980x6c67ump; PNG image, 183 x 165, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d5f380xf4ump; PNG image, 10 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d60300x119ump; PNG image, 13 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d61500x124ump; PNG image, 15 x 15, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d62780x152ump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d63d00x176ump; PNG image, 25 x 25, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d65480xf7ump; PNG image, 10 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d66400x11eump; PNG image, 13 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d67600x12fump; PNG image, 15 x 15, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d68900x151ump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8d69e80x17eump; PNG image, 25 x 25, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8460780x2b6cump; PNG image, 214 x 57, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x848be80x3956ump; PNG image, 268 x 71, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x84c5400x4745ump; PNG image, 321 x 86, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x850c880x66afump; PNG image, 428 x 114, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8573380x8fa0ump; PNG image, 535 x 143, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e67980x19cump; PNG image, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e69380x228ump; PNG image, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e6b600x24dump; PNG image, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e6db00x2c4ump; PNG image, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e70780x376ump; PNG image, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e73f00x902ump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e7cf80xdc6ump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e8ac00xf45ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8e9a080x1358ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ead600x19e1ump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ec7480x932ump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ed0800xdb4ump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8ede380xef9ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8eed380x13b3ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f00f00x1948ump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f1a380x862ump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f22a00xcacump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f2f500xd74ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f3cc80x1204ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f4ed00x1702ump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f65d80xaf4ump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f70d00xfbaump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f80900x11a2ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8f92380x17d0ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8faa080x1e5eump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8fc8680x908ump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8fd1700xdb7ump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8fdf280x1027ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x8fef500x14edump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x9004400x1baeump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x901ff00x96eump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x9029600xe36ump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x9037980x10aeump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x9048480x1615ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x905e600x1d12ump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x907b780x99eump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x9085180xe83ump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x9093a00xfb9ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x90a3600x1507ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x90b8680x1ab5ump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x90d3200x945ump; PNG image, 74 x 74, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x90dc680xdb2ump; PNG image, 93 x 93, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x90ea200xf25ump; PNG image, 111 x 111, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x90f9480x13c9ump; PNG image, 148 x 148, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x910d180x193bump; PNG image, 185 x 185, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x86c4800x77dump; PNG image, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x86cc000xc2bump; PNG image, 63 x 63, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x86d8300xc36ump; PNG image, 75 x 75, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x86e4680x108bump; PNG image, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain
PNG0x86f4f80x17baump; PNG image, 125 x 125, 8-bit/color RGBA, non-interlacedEnglishGreat Britain

Imports

DLL | Import
RPCRT4.dll | UuidFromStringA
KERNEL32.dll | GetLocaleInfoW, GetNumberFormatW, GetDateFormatW, GetTimeFormatW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, GetFileInformationByHandle, GetModuleFileNameA, OutputDebugStringA, DeviceIoControl, FindFirstFileW, FindClose, MoveFileW, GetDiskFreeSpaceW, GetVolumeInformationW, SetFilePointerEx, SetEndOfFile, GetFileAttributesExW, SetFileTime, RemoveDirectoryW, CreateDirectoryW, GetDriveTypeW, GetCompressedFileSizeW, BackupRead, BackupSeek, lstrcmpA, GetFullPathNameW, FindNextFileW, WritePrivateProfileStringW, GetShortPathNameW, FileTimeToLocalFileTime, GetPrivateProfileSectionW, GetPrivateProfileSectionNamesW, GetUserDefaultLangID, lstrcpyW, ExpandEnvironmentStringsW, GetEnvironmentVariableW, SetFileAttributesW, GetTempPathW, GetTempFileNameW, CopyFileW, IsBadStringPtrW, GetTickCount, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, LoadLibraryA, MoveFileExW, SetProcessWorkingSetSize, GetComputerNameW, LocalAlloc, LocalLock, LocalUnlock, CreateTimerQueue, UnregisterWaitEx, QueryDepthSList, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, SwitchToThread, SignalObjectAndWait, VerifyVersionInfoW, VerSetConditionMask, GlobalMemoryStatus, GetVersionExA, WaitNamedPipeW, TransactNamedPipe, DuplicateHandle, WaitForMultipleObjects, SetNamedPipeHandleState, SetUnhandledExceptionFilter, VirtualQueryEx, CreateSemaphoreW, CreateThread, TerminateThread, ReleaseSemaphore, LockFileEx, CreateFileMappingA, UnlockFile, HeapCompact, DeleteFileA, CreateFileA, FlushViewOfFile, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, HeapValidate, UnlockFileEx, GetFullPathNameA, LockFile, InterlockedCompareExchange, TryEnterCriticalSection, GetThreadTimes, ReadConsoleW, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, FindFirstFileExW, GetOEMCP, IsValidCodePage, GetConsoleMode, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLogicalDrives, GetACP, WriteConsoleW, GetFileType, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, RtlUnwind, InterlockedFlushSList, HeapCreate, UnhandledExceptionFilter, AreFileApisANSI, FormatMessageA, CreateWaitableTimerA, SetWaitableTimer, WaitForMultipleObjectsEx, WaitForSingleObjectEx, GetModuleHandleA, OpenEventA, GetCPInfo, GetStringTypeW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, IsProcessorFeaturePresent, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, OutputDebugStringW, IsDebuggerPresent, LoadLibraryExA, VirtualProtect, RtlCaptureContext, GetSystemTime, OpenThread, VirtualQuery, FlushInstructionCache, GetCurrentProcessId, GetThreadContext, VirtualProtectEx, GetSystemInfo, GetThreadPriority, GetCurrentThread, ResumeThread, SuspendThread, InitializeCriticalSection, SetThreadPriority, VirtualAlloc, VirtualFree, GlobalHandle, lstrcmpW, GetDiskFreeSpaceExW, GetWindowsDirectoryW, GetProcessTimes, GetCurrentProcess, FileTimeToSystemTime, GetLongPathNameW, SetFilePointer, ReadFile, GetFileSize, CompareFileTime, SystemTimeToFileTime, GetLocalTime, CompareStringW, GetVersion, GetPrivateProfileStringW, DeleteFileW, LocalFree, FormatMessageW, MulDiv, SetCurrentDirectoryW, GetCurrentDirectoryW, QueryPerformanceCounter, QueryPerformanceFrequency, GetCommandLineW, CreateProcessW, GetStartupInfoW, LoadLibraryW, GetSystemDirectoryW, SetErrorMode, InterlockedIncrement, InterlockedDecrement, LoadLibraryExW, lstrcmpiW, FreeLibrary, lstrlenW, GetVersionExW, WriteFile, FlushFileBuffers, GetFileAttributesW, WideCharToMultiByte, CreateMutexW, GetProcAddress, MultiByteToWideChar, GetModuleFileNameW, GetCurrentThreadId, SetLastError, GetModuleHandleW, CreateEventA, CloseHandle, HeapAlloc, HeapFree, GetProcessHeap, GetSystemTimeAsFileTime, GlobalAlloc, GlobalLock, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GlobalUnlock, GlobalFree, InterlockedExchange, CreateFileW, CreateEventW, ResetEvent, SetEvent, Sleep, GetLastError, OpenProcess, TerminateProcess, WaitForSingleObject, LeaveCriticalSection, EnterCriticalSection, RaiseException, HeapReAlloc, HeapSize, HeapDestroy, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource
USER32.dll | SendDlgItemMessageW, SetWindowContextHelpId, DestroyAcceleratorTable, wsprintfW, GetForegroundWindow, GetDlgItemInt, GetNextDlgTabItem, CreateDialogIndirectParamW, InvalidateRgn, CreateAcceleratorTableW, MapDialogRect, EnableScrollBar, SetScrollRange, GetScrollRange, RemovePropW, GetPropW, ShowScrollBar, DrawFrameControl, GetSystemMetrics, GetMonitorInfoW, MonitorFromWindow, GetWindowRect, SetWindowPos, GetWindowLongW, LoadBitmapW, GetWindow, GetDesktopWindow, GetClientRect, MapWindowPoints, SetWindowLongW, SendMessageW, GetDlgItem, ScreenToClient, MoveWindow, GetDC, ReleaseDC, GetWindowTextW, SetWindowTextW, IsWindow, DrawTextW, DefWindowProcW, UnregisterClassW, InvalidateRect, BeginPaint, EndPaint, GetActiveWindow, PostMessageW, SetDlgItemTextW, CloseClipboard, GetClipboardData, OpenClipboard, IsClipboardFormatAvailable, GetShellWindow, GetWindowInfo, SetMenuDefaultItem, LockWindowUpdate, PostQuitMessage, IsDialogMessageW, FindWindowExW, LoadIconW, GetComboBoxInfo, AdjustWindowRectEx, GetMenu, GetWindowPlacement, SystemParametersInfoA, DrawTextExW, GetMenuItemID, CharLowerW, CharLowerA, GetDlgItemTextW, EmptyClipboard, SetClipboardData, GetWindowThreadProcessId, WaitForInputIdle, EnumDisplaySettingsW, ExitWindowsEx, GetLastInputInfo, SendMessageTimeoutW, DestroyCursor, GetAsyncKeyState, GetNextDlgGroupItem, GetLastActivePopup, MessageBeep, DrawIcon, LoadStringW, WinHelpW, WaitMessage, GetParent, DrawEdge, DeleteMenu, SetLayeredWindowAttributes, UnhookWindowsHookEx, SetWindowsHookExW, CallNextHookEx, SetPropW, GetWindowTextLengthW, SetScrollPos, GetScrollInfo, AppendMenuW, ScrollWindowEx, SetScrollInfo, GetScrollPos, GetClassLongW, GetDialogBaseUnits, EndDialog, GetDlgCtrlID, IsZoomed, GetSystemMenu, TrackPopupMenu, SetForegroundWindow, RedrawWindow, PtInRect, TrackMouseEvent, SystemParametersInfoW, InflateRect, LoadImageW, FillRect, IsWindowEnabled, ShowWindow, ChildWindowFromPoint, IsChild, IsWindowVisible, UpdateWindow, GetSysColor, DestroyWindow, CreateDialogParamW, EnableWindow, FrameRect, CallWindowProcW, KillTimer, SetTimer, GetSysColorBrush, ClientToScreen, RegisterWindowMessageW, RegisterClassExW, GetClassInfoExW, LoadCursorW, CreateWindowExW, DestroyMenu, CopyRect, CheckDlgButton, IsDlgButtonChecked, GetClassNameW, OpenIcon, FindWindowW, EnumWindows, IsIconic, DrawFocusRect, DestroyIcon, DrawStateW, GetKeyState, GetMessagePos, InsertMenuW, SetCursorPos, SetRectEmpty, DialogBoxParamW, GetCursorPos, CreatePopupMenu, MsgWaitForMultipleObjects, IsWindowUnicode, GetMessageA, DispatchMessageA, EnableMenuItem, BringWindowToTop, GetFocus, GetWindowDC, OffsetRect, MessageBoxW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, RegisterClassW, GetClassInfoW, CharNextW, SetCursor, ReleaseCapture, WindowFromPoint, SetCapture, GetCapture, SetRect, SetFocus
GDI32.dll | SetTextColor, CreateFontIndirectW, SetDIBColorTable, GetStockObject, SaveDC, RestoreDC, TextOutW, CreateSolidBrush, CreateBitmap, CreatePatternBrush, GetClipBox, GetTextExtentPoint32W, GetTextMetricsW, ExtTextOutW, CombineRgn, CreateRectRgnIndirect, GetTextColor, GetBkColor, SetBkMode, GetDeviceCaps, BitBlt, DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SetViewportOrgEx, SelectObject, DeleteDC, SetBkColor, ExcludeClipRect, GetObjectW, PatBlt, CreateDIBSection, Rectangle, CreatePen, StretchBlt, CreateRectRgn, CreateDCW, SelectClipRgn, MoveToEx, LineTo, Ellipse, PolylineTo, UnrealizeObject, StrokeAndFillPath, EndPath, BeginPath, GetClipRgn, GetDIBColorTable
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetLengthSid, CryptReleaseContext, CryptAcquireContextA, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextW, ConvertSidToStringSidW, CloseEventLog, ClearEventLogW, OpenEventLogW, LookupPrivilegeNameW, RegUnLoadKeyW, RegLoadKeyW, RegNotifyChangeKeyValue, GetUserNameW, LookupAccountNameW, CopySid, CryptGenRandom, LookupAccountSidW, EqualSid, OpenThreadToken, RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegQueryInfoKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW, OpenProcessToken, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, FreeSid, AllocateAndInitializeSid, SetEntriesInAclW, SetNamedSecurityInfoW, GetFileSecurityW, DuplicateToken, MapGenericMask, AccessCheck, RegEnumValueW, IsValidSid, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority
SHELL32.dll | ShellExecuteW, SHBrowseForFolderW, DragQueryFileW, DragFinish, ShellExecuteExW, Shell_NotifyIconW, SHGetSpecialFolderLocation, ExtractIconExW, SHGetFileInfoW, SHEmptyRecycleBinW, SHAddToRecentDocs, SHGetPathFromIDListW
ole32.dll | StgOpenStorageEx, StgIsStorageFile, CoInitializeEx, PropVariantClear, CoSetProxyBlanket, OleLockRunning, StringFromGUID2, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CoInitializeSecurity, DoDragDrop, RegisterDragDrop, RevokeDragDrop, OleDuplicateData, ReleaseStgMedium, CoCreateInstance, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, OleUninitialize, OleInitialize, CreateStreamOnHGlobal, CoUninitialize, CoInitialize
OLEAUT32.dll | SysFreeString, VarUI4FromStr, SysAllocString, VariantClear, VariantInit, SysStringLen, LoadRegTypeLib, LoadTypeLib, SysAllocStringLen, DispCallFunc, OleCreateFontIndirect, VarBstrFromR8, VarBstrFromI4, VariantChangeType, VariantTimeToSystemTime
SHLWAPI.dll | PathIsDirectoryEmptyW, PathRemoveExtensionA, PathAddExtensionW, PathRemoveExtensionW, PathStripToRootW, PathSkipRootW, PathRemoveBackslashW, PathCombineW, PathCompactPathW, PathIsDirectoryW, PathRemoveFileSpecW, PathAppendW, PathFileExistsW, PathMatchSpecW, StrRetToStrW, PathFindExtensionW, PathUnquoteSpacesW, PathRemoveArgsW, PathStripPathW, SHStrDupW, PathIsURLW, PathCreateFromUrlW, PathStripPathA, PathIsUNCW, PathIsRelativeW, PathFindFileNameW, PathGetDriveNumberW
COMCTL32.dll | ImageList_Add, ImageList_Create, _TrackMouseEvent, ImageList_Remove, ImageList_GetImageCount, ImageList_GetIcon, ImageList_ReplaceIcon, ImageList_SetIconSize, ImageList_Duplicate, ImageList_GetIconSize, ImageList_Draw, ImageList_Destroy, InitCommonControlsEx, ImageList_LoadImageW
gdiplus.dll | GdipCreateBitmapFromFile, GdipDrawLine, GdipFillRectangle, GdipCreateHatchBrush, GdipDrawRectangleI, GdipDeletePen, GdipCreatePen1, GdipSetSmoothingMode, GdipCreateFromHDC, GdipFillRectangleI, GdipCreateSolidFill, GdipCloneBrush, GdipDeleteBrush, GdiplusStartup, GdiplusShutdown, GdipCreateBitmapFromStream, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImagePaletteSize, GdipGetImagePalette, GdipBitmapLockBits, GdipBitmapUnlockBits, GdipCreateBitmapFromScan0, GdipCloneImage, GdipAlloc, GdipFree, GdipDisposeImage, GdipGetImageGraphicsContext, GdipDeleteGraphics, GdipDrawImageI

Version Infos

Description | Data
LegalCopyright | Copyright 2005-2017 Piriform Ltd
InternalName | ccleaner
FileVersion | 5, 33, 00, 6162
CompanyName | Piriform Ltd
Comments | CCleaner
ProductName | CCleaner
ProductVersion | 5, 33, 00, 6162
FileDescription | CCleaner
OriginalFilename | ccleaner.exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
English | Canada

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 18, 2017 13:10:12.650120974 MESZ | 192.168.1.16 | 8.8.8.8 | 0x3c1a | Standard query (0) | www.piriform.com | A (IP address) | IN (0x0001)
Sep 18, 2017 13:10:14.707798958 MESZ | 192.168.1.16 | 8.8.8.8 | 0x558a | Standard query (0) | license.piriform.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 18, 2017 13:10:12.840764999 MESZ | 8.8.8.8 | 192.168.1.16 | 0x3c1a | No error (0) | www.piriform.com | | 151.101.0.64 | A (IP address) | IN (0x0001)
Sep 18, 2017 13:10:14.901252985 MESZ | 8.8.8.8 | 192.168.1.16 | 0x558a | No error (0) | license.piriform.com | | 151.101.0.64 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • license.piriform.com

HTTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Total Bytes Transferred (KB)

Sep 18, 2017 13:10:15.440088987 MESZ | 49246 | 80 | 192.168.1.16 | 151.101.0.64 | 28
Header:
GET /verify/?p=ccpro&c=cc&cv=5.33.6162&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=FEB2-8J35-8PDX-HZIY-N8IC-Q332-9Y73-E5HP-9XTW HTTP/1.1
User-Agent: Mozilla/4.0 (CCleaner, 5.33.6162)
Connection: Keep-Alive
Cache-Control: no-cache
Host: license.piriform.com

Sep 18, 2017 13:10:15.673459053 MESZ | 80 | 49246 | 151.101.0.64 | 192.168.1.16 | 29
Header:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: PFLicense=5cm23t2xfr2ygudpjhkitoza; path=/; HttpOnly
X-Powered-By: ASP.NET
Via: 1.1 varnish
Fastly-Debug-Digest: 66340b4b85e6c64f0fdce3bf5a480c7f88e3c7b00f4cf0bb636f18547472c494
Content-Length: 17
Accept-Ranges: bytes
Date: Mon, 18 Sep 2017 11:10:15 GMT
Via: 1.1 varnish
Age: 0
Connection: keep-alive
X-Served-By: cache-jfk8141-JFK, cache-lcy1141-LCY
X-Cache: MISS,
Data Raw:
Data Ascii:

Sep 18, 2017 13:10:15.754657030 MESZ | 80 | 49246 | 151.101.0.64 | 192.168.1.16 | 29
Header:
Data Raw: 49 53 53 0d 0a 58 2d 43 61 63 68 65 2d 48 69 74 73 3a 20 30 2c 20 30 0d 0a 58 2d 54 69 6d 65 72 3a 20 53 31 35 30 35 37 33 33 30 31 36 2e 35 31 32 31 31 39 2c 56 53 30 2c 56 45 31 31 36 0d 0a 0d 0a 24 24 24 7c 45 52 52 4f 52 30 7c 31 34 7c 24 24
Data Ascii: ISSX-Cache-Hits: 0, 0X-Timer: S1505733016.512119,VS0,VE116$$$|ERROR0|14|$$$

HTTPS Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Subject | Issuer | Not Before | Not After
Sep 18, 2017 13:10:12.979259014 MESZ | 443 | 49241 | 151.101.0.64 | 192.168.1.16 | CN=f.ssl.fastly.net, O="Fastly, Inc.", L=San Francisco, ST=California, C=US | CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE | Fri Sep 08 20:53:07 CEST 2017 | Mon Sep 03 21:23:44 CEST 2018
Sep 18, 2017 13:10:12.979259014 MESZ | 443 | 49241 | 151.101.0.64 | 192.168.1.16 | CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Thu Feb 20 11:00:00 CET 2014 | Tue Feb 20 11:00:00 CET 2024
Sep 18, 2017 13:10:15.061346054 MESZ | 443 | 49244 | 151.101.0.64 | 192.168.1.16 | CN=f.ssl.fastly.net, O="Fastly, Inc.", L=San Francisco, ST=California, C=US | CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE | Fri Sep 08 20:53:07 CEST 2017 | Mon Sep 03 21:23:44 CEST 2018
Sep 18, 2017 13:10:15.061346054 MESZ | 443 | 49244 | 151.101.0.64 | 192.168.1.16 | CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Thu Feb 20 11:00:00 CET 2014 | Tue Feb 20 11:00:00 CET 2024

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time:13:09:49
Start date:18/09/2017
Path:C:\Users\user\Desktop\CCleaner.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\CCleaner.exe'
Imagebase:0x75860000
File size:7680216 bytes
MD5 hash:EF694B89AD7ADDB9A16BB6F26F1EFAF7
Programmed in:C, C++ or other language

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:10.4%
    Dynamic/Decrypted Code Coverage:23.9%
    Signature Coverage:8.6%
    Total number of Nodes:581
    Total number of Limit Nodes:6

    Graph

12aa47f 1998->2000 1999->2000 2005 12b0d72 1999->2005 2000->1994 2119 12a7bc2 LeaveCriticalSection 2002->2119 2004 12aa170 2004->1996 2007 12b0df2 2005->2007 2009 12b0d88 2005->2009 2010 12a8ab5 20 API calls 2007->2010 2032 12b0e40 2007->2032 2008 12b0e4e 2017 12b0eae 2008->2017 2029 12a8ab5 20 API calls 2008->2029 2009->2007 2014 12a8ab5 20 API calls 2009->2014 2016 12b0dbb 2009->2016 2011 12b0e14 2010->2011 2012 12a8ab5 20 API calls 2011->2012 2015 12b0e27 2012->2015 2013 12a8ab5 20 API calls 2018 12b0de7 2013->2018 2019 12b0db0 2014->2019 2021 12a8ab5 20 API calls 2015->2021 2020 12a8ab5 20 API calls 2016->2020 2031 12b0ddd 2016->2031 2022 12a8ab5 20 API calls 2017->2022 2023 12a8ab5 20 API calls 2018->2023 2033 12b007d 2019->2033 2026 12b0dd2 2020->2026 2025 12b0e35 2021->2025 2030 12b0eb4 2022->2030 2023->2007 2028 12a8ab5 20 API calls 2025->2028 2061 12b0537 2026->2061 2028->2032 2029->2008 2030->2000 2031->2013 2073 12b0ee5 2032->2073 2035 12b008e 2033->2035 2060 12b0177 2033->2060 2034 12b009f 2036 12b00b1 2034->2036 2038 12a8ab5 20 API calls 2034->2038 2035->2034 2037 12a8ab5 20 API calls 2035->2037 2039 12b00c3 2036->2039 2040 12a8ab5 20 API calls 2036->2040 2037->2034 2038->2036 2041 12b00d5 2039->2041 2042 12a8ab5 20 API calls 2039->2042 2040->2039 2043 12b00e7 2041->2043 2045 12a8ab5 20 API calls 2041->2045 2042->2041 2044 12b00f9 2043->2044 2046 12a8ab5 20 API calls 2043->2046 2047 12a8ab5 20 API calls 2044->2047 2050 12b010b 2044->2050 2045->2043 2046->2044 2047->2050 2048 12b012f 2051 12b0141 2048->2051 2054 12a8ab5 20 API calls 2048->2054 2049 12a8ab5 20 API calls 2053 12b011d 2049->2053 2050->2049 2050->2053 2055 12b0153 2051->2055 2057 12a8ab5 20 API calls 2051->2057 2052 12a8ab5 20 API calls 2052->2048 2053->2048 2053->2052 2054->2051 2056 12b0165 2055->2056 2058 12a8ab5 20 API calls 2055->2058 2059 12a8ab5 20 API calls 2056->2059 2056->2060 2057->2055 2058->2056 2059->2060 2060->2016 2062 12b059c 2061->2062 2063 12b0544 2061->2063 2062->2031 
2064 12a8ab5 20 API calls 2063->2064 2065 12b0554 2063->2065 2064->2065 2066 12a8ab5 20 API calls 2065->2066 2068 12b0566 2065->2068 2066->2068 2067 12a8ab5 20 API calls 2070 12b0578 2067->2070 2068->2067 2068->2070 2069 12a8ab5 20 API calls 2072 12b058a 2069->2072 2070->2069 2070->2072 2071 12a8ab5 20 API calls 2071->2062 2072->2062 2072->2071 2074 12b0ef2 2073->2074 2078 12b0f10 2073->2078 2074->2078 2079 12b0a75 2074->2079 2077 12a8ab5 20 API calls 2077->2078 2078->2008 2080 12b0a86 2079->2080 2081 12b0b53 2079->2081 2115 12b07bc 2080->2115 2081->2077 2084 12b07bc 20 API calls 2085 12b0a99 2084->2085 2086 12b07bc 20 API calls 2085->2086 2087 12b0aa4 2086->2087 2088 12b07bc 20 API calls 2087->2088 2089 12b0aaf 2088->2089 2090 12b07bc 20 API calls 2089->2090 2091 12b0abd 2090->2091 2092 12a8ab5 20 API calls 2091->2092 2093 12b0ac8 2092->2093 2094 12a8ab5 20 API calls 2093->2094 2095 12b0ad3 2094->2095 2096 12a8ab5 20 API calls 2095->2096 2097 12b0ade 2096->2097 2098 12b07bc 20 API calls 2097->2098 2099 12b0aec 2098->2099 2100 12b07bc 20 API calls 2099->2100 2101 12b0afa 2100->2101 2102 12b07bc 20 API calls 2101->2102 2103 12b0b0b 2102->2103 2104 12b07bc 20 API calls 2103->2104 2105 12b0b19 2104->2105 2106 12b07bc 20 API calls 2105->2106 2107 12b0b27 2106->2107 2108 12a8ab5 20 API calls 2107->2108 2109 12b0b32 2108->2109 2110 12a8ab5 20 API calls 2109->2110 2111 12b0b3d 2110->2111 2112 12a8ab5 20 API calls 2111->2112 2113 12b0b48 2112->2113 2114 12a8ab5 20 API calls 2113->2114 2114->2081 2116 12b07f3 2115->2116 2117 12b07e3 2115->2117 2116->2084 2117->2116 2118 12a8ab5 20 API calls 2117->2118 2118->2117 2119->2004 2121 12aa518 20 API calls 2120->2121 2122 1298659 2121->2122 2123 129865d ExitThread 2122->2123 2124 129867b 2122->2124 2141 12ab023 2122->2141 2125 129868e 2124->2125 2127 1298687 CloseHandle 2124->2127 2125->2123 2128 129869a FreeLibraryAndExitThread 2125->2128 2127->2125 2129 12a7beb 20 API calls 2128->2129 2130 12986b5 2129->2130 2131 12a8ab5 20 API 
calls 2130->2131 2132 12986be 2131->2132 2133 12986c5 GetModuleHandleExW 2132->2133 2134 12986dd 2132->2134 2133->2134 2146 1298617 2134->2146 2138 12985f7 2137->2138 2139 12aa634 2137->2139 2138->1700 2139->2138 2154 12b0fbf 2139->2154 2142 12aa7bb 5 API calls 2141->2142 2144 12ab04a 2142->2144 2143 12842fc 5 API calls 2145 12ab068 2143->2145 2144->2143 2145->2124 2147 1298624 2146->2147 2153 1298648 2146->2153 2148 129862a CloseHandle 2147->2148 2149 1298633 2147->2149 2148->2149 2150 1298639 FreeLibrary 2149->2150 2151 1298642 2149->2151 2150->2151 2152 12a8ab5 20 API calls 2151->2152 2152->2153 2153->1691 2155 12b0fcb 2154->2155 2156 12aa494 39 API calls 2155->2156 2157 12b0fd4 2156->2157 2161 12b1022 2157->2161 2166 12a7b7a EnterCriticalSection 2157->2166 2159 12b0ff2 2167 12b1036 2159->2167 2161->2138 2165 12a83e4 39 API calls 2165->2161 2166->2159 2168 12b1006 2167->2168 2169 12b1044 2167->2169 2171 12b1025 2168->2171 2169->2168 2170 12b0d72 20 API calls 2169->2170 2170->2168 2174 12a7bc2 LeaveCriticalSection 2171->2174 2173 12b1019 2173->2161 2173->2165 2174->2173

    Executed Functions

    APIs
    • time.MSVCRT ref: 000E2543
      • Part of subcall function 000E24D7: IcmpCreateFile.IPHLPAPI ref: 000E24E1
      • Part of subcall function 000E24D7: IcmpSendEcho.IPHLPAPI(00000000,000000E0,?,00000010,00000000,?,0000002C,?), ref: 000E2511
      • Part of subcall function 000E24D7: IcmpCloseHandle.IPHLPAPI(00000000), ref: 000E2517
      • Part of subcall function 000E24D7: Sleep.KERNEL32(?,7683F708), ref: 000E2525
    • time.MSVCRT ref: 000E2554
    • time.MSVCRT ref: 000E2562
      • Part of subcall function 000E1677: SHGetValueA.SHLWAPI(80000002,40BF4706,?,?,00000000,?), ref: 000E1705
    • IsUserAnAdmin.SHELL32 ref: 000E2572
      • Part of subcall function 000E203A: GetCurrentProcess.KERNEL32(00000028,000E2588,00000000,00000000), ref: 000E208F
      • Part of subcall function 000E203A: OpenProcessToken.ADVAPI32(00000000), ref: 000E2096
      • Part of subcall function 000E203A: LookupPrivilegeValueA.ADVAPI32(00000000,71BD6D06,?), ref: 000E20AA
      • Part of subcall function 000E203A: AdjustTokenPrivileges.ADVAPI32(000E2588,00000000,?,00000010,00000000,00000000), ref: 000E20ED
      • Part of subcall function 000E203A: CloseHandle.KERNEL32(000E2588), ref: 000E20FC
    • LocalAlloc.KERNEL32(00000040,00010000), ref: 000E2591
      • Part of subcall function 000E1566: SHGetValueA.SHLWAPI(80000002,40BF4706,?,?,000E259E,?), ref: 000E15F7
      • Part of subcall function 000E1566: GetTickCount.KERNEL32(00000040,?,00000000,00000000), ref: 000E161D
      • Part of subcall function 000E1566: srand.MSVCRT ref: 000E1620
      • Part of subcall function 000E1566: rand.MSVCRT ref: 000E162D
      • Part of subcall function 000E1566: rand.MSVCRT ref: 000E1634
      • Part of subcall function 000E1566: GetTickCount.KERNEL32 ref: 000E163C
      • Part of subcall function 000E1566: SHSetValueA.SHLWAPI(80000002,40BF4706,?,00000004,000E259E,00000004), ref: 000E1657
    • GetCurrentProcess.KERNEL32 ref: 000E25B2
      • Part of subcall function 000E1927: LoadLibraryA.KERNEL32(7A8B6D3E), ref: 000E19AB
      • Part of subcall function 000E1927: GetProcAddress.KERNEL32(00000000,7BAE7B1C,?,?,?,00000000), ref: 000E19D1
      • Part of subcall function 000E19FD: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,00000040,00000000,00000000,?,?,?,?,?,?,000E25C6,00000000), ref: 000E1A11
      • Part of subcall function 000E19FD: memcpy.MSVCRT ref: 000E1A4E
      • Part of subcall function 000E19FD: VirtualFree.KERNEL32(00000000,00001000,00004000), ref: 000E1A6F
    • GetComputerNameA.KERNEL32(00000008,?), ref: 000E25D4
    • GetComputerNameExA.KERNEL32(00000002,00000048,?), ref: 000E25E7
      • Part of subcall function 000E1A7C: LocalAlloc.KERNEL32(00000040,00000280,00000040,00000000,00000000,?,?,?,000E25F3,00000000), ref: 000E1A92
      • Part of subcall function 000E1A7C: GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 000E1A9E
      • Part of subcall function 000E1A7C: LocalFree.KERNEL32(00000000,?,?,?,000E25F3,00000000), ref: 000E1AA9
      • Part of subcall function 000E1A7C: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,000E25F3,00000000), ref: 000E1AB4
      • Part of subcall function 000E1A7C: GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 000E1ABD
      • Part of subcall function 000E1A7C: memcpy.MSVCRT ref: 000E1AE2
      • Part of subcall function 000E1A7C: LocalFree.KERNEL32(00000000,00000000,00000000,?,?,?,000E25F3,00000000), ref: 000E1AF9
      • Part of subcall function 000E1B09: RegOpenKeyExA.ADVAPI32(80000002,40BF4706,00000000,-00000009,00000000,00000040,00000000), ref: 000E1BCE
      • Part of subcall function 000E1B09: SHEnumKeyExA.SHLWAPI(00000000,00000000,?,?), ref: 000E1CA9
      • Part of subcall function 000E1B09: SHGetValueA.SHLWAPI(00000000,?,789B7D05,000E2601,?,00000000), ref: 000E1CDD
      • Part of subcall function 000E1B09: lstrcmpi.KERNEL32(?,669A6118), ref: 000E1CF5
      • Part of subcall function 000E1B09: SHGetValueA.SHLWAPI(00000000,?,648A6111,000E2601,?,00000000), ref: 000E1D28
      • Part of subcall function 000E1B09: SHEnumKeyExA.SHLWAPI(00000000,00000000,?,?), ref: 000E1D7D
      • Part of subcall function 000E1B09: RegCloseKey.ADVAPI32(00000000,?,?,?,?,00000000), ref: 000E1DBE
      • Part of subcall function 000E1F69: strlen.MSVCRT ref: 000E1FCF
      • Part of subcall function 000E1F69: strlen.MSVCRT ref: 000E1FE9
    • LocalAlloc.KERNEL32(00000040,-00000100,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E2655
    • WSAStartup.WS2_32(00000202,?), ref: 000E2680
      • Part of subcall function 000E1869: SHGetValueA.SHLWAPI(80000002,40BF4706,?,?,00000000,?), ref: 000E18F7
      • Part of subcall function 000E2109: memcpy.MSVCRT ref: 000E2147
      • Part of subcall function 000E2109: sprintf.MSVCRT ref: 000E216A
      • Part of subcall function 000E22CB: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E22EF
      • Part of subcall function 000E22CB: InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000001), ref: 000E2313
      • Part of subcall function 000E22CB: HttpOpenRequestA.WININET(000E26AA,?,0000002F,?,00000000,00000000,00880000,00000001), ref: 000E2375
      • Part of subcall function 000E22CB: HttpAddRequestHeadersA.WININET(00000000,608A671D,000000FF,A0000000), ref: 000E23ED
      • Part of subcall function 000E22CB: InternetQueryOptionA.WININET(00000000,0000001F,?,00000004), ref: 000E23FE
      • Part of subcall function 000E22CB: InternetSetOptionA.WININET(00000000,0000001F,00003380,00000004), ref: 000E2413
      • Part of subcall function 000E22CB: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,000E26AA), ref: 000E2422
      • Part of subcall function 000E22CB: LocalAlloc.KERNEL32(00000040,00000408), ref: 000E2433
      • Part of subcall function 000E22CB: InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 000E2445
      • Part of subcall function 000E22CB: InternetCloseHandle.WININET(00000000), ref: 000E24A5
      • Part of subcall function 000E22CB: InternetCloseHandle.WININET(000E26AA), ref: 000E24AE
      • Part of subcall function 000E22CB: InternetCloseHandle.WININET(?), ref: 000E24B8
    • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E27AB
      • Part of subcall function 000E2227: gethostbyname.WS2_32(00000000), ref: 000E223E
      • Part of subcall function 000E22CB: LocalAlloc.KERNEL32(00000040,?), ref: 000E2460
      • Part of subcall function 000E22CB: memcpy.MSVCRT ref: 000E2472
      • Part of subcall function 000E22CB: InternetReadFile.WININET(00003380,?,?,00000000), ref: 000E248B
      • Part of subcall function 000E22CB: LocalFree.KERNEL32(00000000), ref: 000E2499
      • Part of subcall function 000E17C0: SHSetValueA.SHLWAPI(80000002,40BF4706,000E26E1,00000004,?,00000004), ref: 000E184A
    • LocalFree.KERNEL32(?,00000000,?,?), ref: 000E26E5
      • Part of subcall function 000E1722: SHSetValueA.SHLWAPI(80000002,40BF4706,?,00000004,000E26F9,00000004), ref: 000E17A1
    • VirtualAlloc.KERNEL32(00000000,-00040000,00001000,00000040), ref: 000E273B
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E277D
    • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E27A4
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    C-Code - Quality: 74%
    			E0129864E(void* __ecx, long _a4) {
    				intOrPtr _v0;
    				void* _v9;
    				void* __esi;
    				struct HINSTANCE__* _t12;
    				void* _t13;
    				void* _t22;
    				intOrPtr _t24;
    				intOrPtr _t25;
    				intOrPtr* _t26;
    
    				_t22 = __ecx;
    				_t12 = E012AA518(__ecx);
    				if(_t12 == 0) {
    					L1:
    					ExitThread(_a4);
    				}
    				_t25 =  *((intOrPtr*)(_t12 + 0x360));
    				if(_t25 == 0) {
    					goto L1;
    				}
    				_t33 =  *((char*)(_t25 + 0x10));
    				if( *((char*)(_t25 + 0x10)) != 0) {
    					E012AB023(__ecx, _t25, _t33);
    				}
    				_t13 =  *(_t25 + 8);
    				if(_t13 != 0xffffffff && _t13 != 0) {
    					CloseHandle(_t13);
    				}
    				_t12 =  *(_t25 + 0xc);
    				if(_t12 == 0xffffffff || _t12 == 0) {
    					goto L1;
    				}
    				FreeLibraryAndExitThread(_t12, _a4); // executed
    				asm("int3");
    				_push(_t22);
    				_push(_t25);
    				_t26 = E012A7BEB(_t22, 1, 0x14);
    				E012A8AB5(0);
    				if(_t26 != 0) {
    					_t24 = _v0;
    					 *(_t26 + 4) = _a4;
    					_t10 = _t26 + 0xc; // 0xc
    					 *_t26 = _t24;
    					__imp__GetModuleHandleExW(4, _t24, _t10);
    				}
    				E01298617(0);
    				return _t26;
    			}













    APIs
      • Part of subcall function 012AA518: GetLastError.KERNEL32(?,?,?,0128FFB0,012A7C3D,?,012AA4C2,00000001,00000364,?,012985BF,0159D2A8,00000010), ref: 012AA51D
      • Part of subcall function 012AA518: SetLastError.KERNEL32(00000000), ref: 012AA586
      • Part of subcall function 012AA518: SetLastError.KERNEL32(00000000), ref: 012AA58F
    • ExitThread.KERNEL32 ref: 01298660
    • CloseHandle.KERNEL32(?), ref: 01298688
    • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,01298780,?,?,012985F7,00000000), ref: 0129869E
      • Part of subcall function 012A7BEB: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,012AA4C2,00000001,00000364,?,012985BF,0159D2A8,00000010), ref: 012A7C2C
      • Part of subcall function 012A8AB5: HeapFree.KERNEL32(00000000,00000000), ref: 012A8ACB
      • Part of subcall function 012A8AB5: GetLastError.KERNEL32(?,?,012B07EA,?,00000000,?,00000000,?,012B0A8E,?,00000007,?,?,012B0F0A,?,?), ref: 012A8ADD
    • GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 012986D7
      • Part of subcall function 01298617: CloseHandle.KERNEL32(EC8B55FF), ref: 0129862D
      • Part of subcall function 01298617: FreeLibrary.KERNEL32(7D835151,00000000,?,012986E7,00000000), ref: 0129863C
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000000.00000002.1465003750.011B0000.00000002.sdmp
    • Associated: 00000000.00000002.1465132394.014E6000.00000002.sdmp
    • Associated: 00000000.00000002.1465181990.015DE000.00000004.sdmp
    • Associated: 00000000.00000002.1465191048.015E2000.00000008.sdmp
    • Associated: 00000000.00000002.1465201632.01606000.00000004.sdmp
    • Associated: 00000000.00000002.1465209861.01607000.00000008.sdmp
    • Associated: 00000000.00000002.1465218290.0160B000.00000004.sdmp
    • Associated: 00000000.00000002.1465226323.0160E000.00000008.sdmp
    • Associated: 00000000.00000002.1465239736.01638000.00000004.sdmp
    • Associated: 00000000.00000002.1465479876.0183E000.00000002.sdmp
    • Associated: 00000000.00000002.1465493193.01840000.00000008.sdmp
    • Associated: 00000000.00000002.1465506208.01841000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 95%
    			E012AA857(signed int _a4) {
    				signed int _t9;
    				void* _t10;
    				void* _t13;
    				signed int _t15;
    				WCHAR* _t22;
    				signed int _t24;
    				signed int* _t25;
    				void* _t27;
    
    				_t9 = _a4;
    				_t25 = 0x1639358 + _t9 * 4;
    				_t24 =  *_t25;
    				if(_t24 == 0) {
    					_t22 =  *(0x14eda30 + _t9 * 4);
    					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
    					_t27 = _t10;
    					if(_t27 != 0) {
    						L8:
    						 *_t25 = _t27;
    						if( *_t25 != 0) {
    							FreeLibrary(_t27);
    						}
    						_t13 = _t27;
    						L11:
    						return _t13;
    					}
    					_t15 = GetLastError();
    					if(_t15 != 0x57) {
    						_t27 = 0;
    					} else {
    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
    						_t27 = _t15;
    					}
    					if(_t27 != 0) {
    						goto L8;
    					} else {
    						 *_t25 = _t15 | 0xffffffff;
    						_t13 = 0;
    						goto L11;
    					}
    				}
    				_t4 = _t24 + 1; // 0xb23b131b
    				asm("sbb eax, eax");
    				return  ~_t4 & _t24;
    			}












    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue), ref: 012AA889
    • GetLastError.KERNEL32(?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000,00000364,?,012AA566), ref: 012AA895
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000), ref: 012AA8A3
    • FreeLibrary.KERNEL32(00000000,?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000,00000364), ref: 012AA8C5
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000000.00000002.1465003750.011B0000.00000002.sdmp
    • Associated: 00000000.00000002.1465132394.014E6000.00000002.sdmp
    • Associated: 00000000.00000002.1465181990.015DE000.00000004.sdmp
    • Associated: 00000000.00000002.1465191048.015E2000.00000008.sdmp
    • Associated: 00000000.00000002.1465201632.01606000.00000004.sdmp
    • Associated: 00000000.00000002.1465209861.01607000.00000008.sdmp
    • Associated: 00000000.00000002.1465218290.0160B000.00000004.sdmp
    • Associated: 00000000.00000002.1465226323.0160E000.00000008.sdmp
    • Associated: 00000000.00000002.1465239736.01638000.00000004.sdmp
    • Associated: 00000000.00000002.1465479876.0183E000.00000002.sdmp
    • Associated: 00000000.00000002.1465493193.01840000.00000008.sdmp
    • Associated: 00000000.00000002.1465506208.01841000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    APIs
    • IcmpCreateFile.IPHLPAPI ref: 000E24E1
    • IcmpSendEcho.IPHLPAPI(00000000,000000E0,?,00000010,00000000,?,0000002C,?), ref: 000E2511
    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 000E2517
    • Sleep.KERNEL32(?,7683F708), ref: 000E2525
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    C-Code - Quality: 88%
    			E012A83E4(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
    				long _v0;
    				void* _t4;
    				void* _t7;
    				void* _t9;
    				void* _t14;
    				intOrPtr _t17;
    				long _t18;
    				void* _t23;
    
    				_t17 = __esi;
    				_t16 = __edi;
    				_t15 = __edx;
    				_t13 = __ebx;
    				_t4 = E012ADD51();
    				_t24 = _t4;
    				if(_t4 != 0) {
    					E012ADDAC(__ebx, __edx, __edi, __esi, _t24);
    					_t14 = 0x16;
    				}
    				if(( *0x15e0b78 & 0x00000002) != 0) {
    					if(IsProcessorFeaturePresent(0x17) != 0) {
    						_t14 = 7;
    						asm("int 0x29");
    					}
    					E0128FCD8(_t13, _t15, _t16, _t17, 3, 0x40000015, 1);
    					_t23 = _t23 + 0xc;
    				}
    				E012A17B5(3);
    				asm("int3");
    				_push(_t17);
    				_t18 = _v0;
    				if(_t18 > 0xffffffe0) {
    					L14:
    					 *((intOrPtr*)(E0128FFAB())) = 0xc;
    					_t7 = 0;
    					__eflags = 0;
    				} else {
    					if(_t18 == 0) {
    						_t18 = _t18 + 1;
    					}
    					while(1) {
    						_t7 = RtlAllocateHeap( *0x1639744, 0, _t18); // executed
    						if(_t7 != 0) {
    							break;
    						}
    						__eflags = E012AA088();
    						if(__eflags == 0) {
    							goto L14;
    						} else {
    							_t9 = E012A9CB2(_t13, _t14, _t16, _t18, __eflags, _t18);
    							_pop(_t14);
    							__eflags = _t9;
    							if(_t9 == 0) {
    								goto L14;
    							} else {
    								continue;
    							}
    						}
    						goto L15;
    					}
    				}
    				L15:
    				return _t7;
    			}












    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 012A8400
      • Part of subcall function 0128FCD8: IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0128FDD0
      • Part of subcall function 0128FCD8: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0128FDDA
      • Part of subcall function 0128FCD8: UnhandledExceptionFilter.KERNEL32(?), ref: 0128FDE7
    • RtlAllocateHeap.NTDLL(00000000,00000003,00000000,?,00000003,012AA517), ref: 012A8459
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000000.00000002.1465003750.011B0000.00000002.sdmp
    • Associated: 00000000.00000002.1465132394.014E6000.00000002.sdmp
    • Associated: 00000000.00000002.1465181990.015DE000.00000004.sdmp
    • Associated: 00000000.00000002.1465191048.015E2000.00000008.sdmp
    • Associated: 00000000.00000002.1465201632.01606000.00000004.sdmp
    • Associated: 00000000.00000002.1465209861.01607000.00000008.sdmp
    • Associated: 00000000.00000002.1465218290.0160B000.00000004.sdmp
    • Associated: 00000000.00000002.1465226323.0160E000.00000008.sdmp
    • Associated: 00000000.00000002.1465239736.01638000.00000004.sdmp
    • Associated: 00000000.00000002.1465479876.0183E000.00000002.sdmp
    • Associated: 00000000.00000002.1465493193.01840000.00000008.sdmp
    • Associated: 00000000.00000002.1465506208.01841000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    APIs
    • CreateThread.KERNEL32 ref: 000E1116
    • CloseHandle.KERNEL32(00000000), ref: 000E111D
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    C-Code - Quality: 48%
    			E0129859A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t11;
    				void* _t13;
    				signed int _t18;
    				void* _t23;
    				intOrPtr* _t30;
    				void* _t33;
    
    				_t28 = __edx;
    				_t23 = __ecx;
    				_t22 = __ebx;
    				_push(0x10);
    				_push(0x159d2a8);
    				E012BC8B0(__ebx, __edx, __edi, __esi);
    				_t30 =  *((intOrPtr*)(_t33 + 8));
    				if(_t30 == 0) {
    					ExitThread(GetLastError());
    				}
    				 *((intOrPtr*)(E012AA494(__ebx, _t23, __edx) + 0x360)) = _t30;
    				_t11 = E012AB285(_t23, __esi); // executed
    				_t36 = _t11;
    				if(_t11 != 0) {
    					_t18 = E012AAFD1(_t23, __esi, _t36, 1);
    					asm("sbb al, al");
    					 *((char*)(_t30 + 0x10)) =  ~_t18 + 1;
    				}
    				 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
    				 *0x14e6a68( *((intOrPtr*)(_t30 + 4))); // executed
    				_t13 =  *((intOrPtr*)( *_t30))(); // executed
    				_push(_t13); // executed
    				E01298773(_t22,  *_t30, _t28); // executed
    				 *((intOrPtr*)(_t33 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t33 - 0x14))))));
    				return E012A8F1E(_t22,  *((intOrPtr*)(_t33 - 0x14)), _t30,  *_t30,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t33 - 0x14)))))),  *((intOrPtr*)(_t33 - 0x14)));
    			}










    APIs
    • GetLastError.KERNEL32(0159D2A8,00000010), ref: 012985AD
    • ExitThread.KERNEL32 ref: 012985B4
      • Part of subcall function 012AA494: GetLastError.KERNEL32(?,?,012985BF,0159D2A8,00000010), ref: 012AA498
      • Part of subcall function 012AA494: SetLastError.KERNEL32(00000000), ref: 012AA500
      • Part of subcall function 012AA494: SetLastError.KERNEL32(00000000), ref: 012AA50C
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000000.00000002.1465003750.011B0000.00000002.sdmp
    • Associated: 00000000.00000002.1465132394.014E6000.00000002.sdmp
    • Associated: 00000000.00000002.1465181990.015DE000.00000004.sdmp
    • Associated: 00000000.00000002.1465191048.015E2000.00000008.sdmp
    • Associated: 00000000.00000002.1465201632.01606000.00000004.sdmp
    • Associated: 00000000.00000002.1465209861.01607000.00000008.sdmp
    • Associated: 00000000.00000002.1465218290.0160B000.00000004.sdmp
    • Associated: 00000000.00000002.1465226323.0160E000.00000008.sdmp
    • Associated: 00000000.00000002.1465239736.01638000.00000004.sdmp
    • Associated: 00000000.00000002.1465479876.0183E000.00000002.sdmp
    • Associated: 00000000.00000002.1465493193.01840000.00000008.sdmp
    • Associated: 00000000.00000002.1465506208.01841000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 100%
    			E012A8AB5(void* _a4) {
    				int _t3;
    				intOrPtr* _t4;
    				intOrPtr _t6;
    
    				if(_a4 != 0) {
    					_t3 = HeapFree( *0x1639744, 0, _a4); // executed
    					if(_t3 == 0) {
    						_t4 = E0128FFAB();
    						_t6 = E0128FF32(GetLastError());
    						 *_t4 = _t6;
    						return _t6;
    					}
    				}
    				return _t3;
    			}


    APIs
    • HeapFree.KERNEL32(00000000,00000000), ref: 012A8ACB
    • GetLastError.KERNEL32(?,?,012B07EA,?,00000000,?,00000000,?,012B0A8E,?,00000007,?,?,012B0F0A,?,?), ref: 012A8ADD
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 90%
    			E012AA7BB(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
    				struct HINSTANCE__* _t13;
    				signed int* _t20;
    				signed int _t27;
    				signed int _t28;
    				signed int _t29;
    				signed int _t33;
    				intOrPtr* _t34;
    
    				_t20 = 0x16393a8 + _a4 * 4;
    				_t27 =  *0x15de088; // 0xb23b131a
    				_t29 = _t28 | 0xffffffff;
    				_t33 = _t27 ^  *_t20;
    				asm("ror esi, cl");
    				if(_t33 == _t29) {
    					L14:
    					return 0;
    				}
    				if(_t33 == 0) {
    					_t34 = _a12;
    					if(_t34 == _a16) {
    						L7:
    						_t13 = 0;
    						L8:
    						if(_t13 == 0) {
    							L13:
    							_push(0x20);
    							asm("ror edi, cl");
    							 *_t20 = _t29 ^ _t27;
    							goto L14;
    						}
    						_t33 = GetProcAddress(_t13, _a8);
    						if(_t33 == 0) {
    							_t27 =  *0x15de088; // 0xb23b131a
    							goto L13;
    						}
    						 *_t20 = E01289AA4(_t33);
    						goto L2;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t13 = E012AA857( *_t34); // executed
    						if(_t13 != 0) {
    							break;
    						}
    						_t34 = _t34 + 4;
    						if(_t34 != _a16) {
    							continue;
    						}
    						_t27 =  *0x15de088; // 0xb23b131a
    						goto L7;
    					}
    					_t27 =  *0x15de088; // 0xb23b131a
    					goto L8;
    				}
    				L2:
    				return _t33;
    			}


    APIs
    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000,00000364,?,012AA566,00000000), ref: 012AA81B
      • Part of subcall function 012AA857: LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue), ref: 012AA889
      • Part of subcall function 012AA857: GetLastError.KERNEL32(?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000,00000364,?,012AA566), ref: 012AA895
      • Part of subcall function 012AA857: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000), ref: 012AA8A3
      • Part of subcall function 012AA857: FreeLibrary.KERNEL32(00000000,?,012AA7FE,?,00000000,00000000,00000000,?,012AAB2A,00000006,FlsSetValue,014EDF10,014EDF18,00000000,00000364), ref: 012AA8C5
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 95%
    			E012A7BEB(void* __ecx, signed int _a4, signed int _a8) {
    				void* __esi;
    				void* _t8;
    				void* _t12;
    				signed int _t13;
    				void* _t15;
    				void* _t16;
    				void* _t19;
    				signed int _t20;
    				long _t21;
    
    				_t16 = __ecx;
    				_t20 = _a4;
    				if(_t20 == 0) {
    					L2:
    					_t21 = _t20 * _a8;
    					if(_t21 == 0) {
    						_t21 = _t21 + 1;
    					}
    					while(1) {
    						_t8 = RtlAllocateHeap( *0x1639744, 8, _t21); // executed
    						if(_t8 != 0) {
    							break;
    						}
    						__eflags = E012AA088();
    						if(__eflags == 0) {
    							L8:
    							 *((intOrPtr*)(E0128FFAB())) = 0xc;
    							__eflags = 0;
    							return 0;
    						}
    						_t12 = E012A9CB2(_t15, _t16, _t19, _t21, __eflags, _t21);
    						_pop(_t16);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							goto L8;
    						}
    					}
    					return _t8;
    				}
    				_t13 = 0xffffffe0;
    				if(_t13 / _t20 < _a8) {
    					goto L8;
    				}
    				goto L2;
    			}


    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,012AA4C2,00000001,00000364,?,012985BF,0159D2A8,00000010), ref: 012A7C2C
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    APIs
      • Part of subcall function 000E252E: time.MSVCRT ref: 000E2543
      • Part of subcall function 000E252E: time.MSVCRT ref: 000E2554
      • Part of subcall function 000E252E: time.MSVCRT ref: 000E2562
      • Part of subcall function 000E252E: IsUserAnAdmin.SHELL32 ref: 000E2572
      • Part of subcall function 000E252E: LocalAlloc.KERNEL32(00000040,00010000), ref: 000E2591
      • Part of subcall function 000E252E: GetCurrentProcess.KERNEL32 ref: 000E25B2
      • Part of subcall function 000E252E: GetComputerNameA.KERNEL32(00000008,?), ref: 000E25D4
      • Part of subcall function 000E252E: GetComputerNameExA.KERNEL32(00000002,00000048,?), ref: 000E25E7
      • Part of subcall function 000E252E: LocalAlloc.KERNEL32(00000040,-00000100,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E2655
      • Part of subcall function 000E252E: WSAStartup.WS2_32(00000202,?), ref: 000E2680
      • Part of subcall function 000E252E: LocalFree.KERNEL32(?,00000000,?,?), ref: 000E26E5
      • Part of subcall function 000E252E: VirtualAlloc.KERNEL32(00000000,-00040000,00001000,00000040), ref: 000E273B
      • Part of subcall function 000E252E: VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E277D
      • Part of subcall function 000E252E: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E27A4
      • Part of subcall function 000E252E: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000E27AB
    • GetFileAttributesA.KERNEL32(?), ref: 000E27C6
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd

    Non-executed Functions

    APIs
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000E22EF
    • InternetConnectA.WININET(00000000,?,000001BB,00000000,00000000,00000003,00000000,00000001), ref: 000E2313
    • HttpOpenRequestA.WININET(000E26AA,?,0000002F,?,00000000,00000000,00880000,00000001), ref: 000E2375
    • HttpAddRequestHeadersA.WININET(00000000,608A671D,000000FF,A0000000), ref: 000E23ED
    • InternetQueryOptionA.WININET(00000000,0000001F,?,00000004), ref: 000E23FE
    • InternetSetOptionA.WININET(00000000,0000001F,00003380,00000004), ref: 000E2413
    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,000E26AA), ref: 000E2422
    • LocalAlloc.KERNEL32(00000040,00000408), ref: 000E2433
    • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 000E2445
    • LocalAlloc.KERNEL32(00000040,?), ref: 000E2460
    • memcpy.MSVCRT ref: 000E2472
    • InternetReadFile.WININET(00003380,?,?,00000000), ref: 000E248B
    • LocalFree.KERNEL32(00000000), ref: 000E2499
    • InternetCloseHandle.WININET(00000000), ref: 000E24A5
    • InternetCloseHandle.WININET(000E26AA), ref: 000E24AE
    • InternetCloseHandle.WININET(?), ref: 000E24B8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    APIs
      • Part of subcall function 000E1DCB: GetVersionExA.KERNEL32(?,00000000), ref: 000E1DF3
      • Part of subcall function 000E1DCB: OpenProcess.KERNEL32(-0000040B,00000000,00000000), ref: 000E1E20
    • LoadLibraryA.KERNEL32(7A8B6D3E), ref: 000E1F03
    • GetProcAddress.KERNEL32(00000000), ref: 000E1F0A
    • GetModuleFileNameExA.PSAPI(00000000,00000000,00000104,00000104,?,?,00000000,00000000), ref: 000E1F49
    • CloseHandle.KERNEL32(00000000), ref: 000E1F5A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    APIs
    • GetCurrentProcess.KERNEL32(00000028,000E2588,00000000,00000000), ref: 000E208F
    • OpenProcessToken.ADVAPI32(00000000), ref: 000E2096
    • LookupPrivilegeValueA.ADVAPI32(00000000,71BD6D06,?), ref: 000E20AA
    • AdjustTokenPrivileges.ADVAPI32(000E2588,00000000,?,00000010,00000000,00000000), ref: 000E20ED
    • CloseHandle.KERNEL32(000E2588), ref: 000E20FC
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    C-Code - Quality: 100%
    			E0128556B() {
    				signed int _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t21;
    				signed int _t29;
    				signed int _t32;
    				signed int _t36;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t21 =  *0x15de088; // 0xb23b131a
    				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = _v8 ^ GetCurrentProcessId();
    					QueryPerformanceCounter( &_v24);
    					_t29 =  &_v8;
    					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
    					if(_t36 != 0xbb40e64e) {
    						if((0xffff0000 & _t36) == 0) {
    							_t29 = (_t36 | 0x00004711) << 0x10;
    							_t36 = _t36 | _t29;
    						}
    					} else {
    						_t36 = 0xbb40e64f;
    					}
    					 *0x15de088 = _t36;
    					 *0x15de084 =  !_t36;
    					return _t29;
    				} else {
    					_t32 =  !_t21;
    					 *0x15de084 = _t32;
    					return _t32;
    				}
    			}


    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0128559F
    • GetCurrentThreadId.KERNEL32 ref: 012855AE
    • GetCurrentProcessId.KERNEL32 ref: 012855B7
    • QueryPerformanceCounter.KERNEL32(?), ref: 012855C4
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 100%
    			E01284811(struct _EXCEPTION_POINTERS* _a4) {
    
    				SetUnhandledExceptionFilter(0);
    				UnhandledExceptionFilter(_a4);
    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
    			}


    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01284816
    • UnhandledExceptionFilter.KERNEL32(01284930), ref: 0128481F
    • GetCurrentProcess.KERNEL32(C0000409,?,01284930,014EAAD4), ref: 0128482A
    • TerminateProcess.KERNEL32(00000000,?,01284930,014EAAD4), ref: 01284831
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 74%
    			E0128FCD8(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v0;
    				signed int _v8;
    				intOrPtr _v524;
    				intOrPtr _v528;
    				void* _v532;
    				intOrPtr _v536;
    				char _v540;
    				intOrPtr _v544;
    				intOrPtr _v548;
    				intOrPtr _v552;
    				intOrPtr _v556;
    				intOrPtr _v560;
    				intOrPtr _v564;
    				intOrPtr _v568;
    				intOrPtr _v572;
    				intOrPtr _v576;
    				intOrPtr _v580;
    				intOrPtr _v584;
    				char _v724;
    				intOrPtr _v792;
    				intOrPtr _v800;
    				char _v804;
    				struct _EXCEPTION_POINTERS _v812;
    				signed int _t40;
    				char* _t47;
    				char* _t49;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				intOrPtr _t66;
    				intOrPtr _t67;
    				int _t68;
    				intOrPtr _t70;
    				signed int _t72;
    				signed int _t74;
    
    				_t70 = __esi;
    				_t67 = __edi;
    				_t66 = __edx;
    				_t61 = __ebx;
    				_t72 = _t74;
    				_t40 =  *0x15de088; // 0xb23b131a
    				_t41 = _t40 ^ _t72;
    				_v8 = _t40 ^ _t72;
    				_push(__edi);
    				if(_a4 != 0xffffffff) {
    					_push(_a4);
    					E0128530D(_t41);
    					_pop(_t62);
    				}
    				E01287810(_t67,  &_v804, 0, 0x50);
    				E01287810(_t67,  &_v724, 0, 0x2cc);
    				_v812.ExceptionRecord =  &_v804;
    				_t47 =  &_v724;
    				_v812.ContextRecord = _t47;
    				_v548 = _t47;
    				_v552 = _t62;
    				_v556 = _t66;
    				_v560 = _t61;
    				_v564 = _t70;
    				_v568 = _t67;
    				_v524 = ss;
    				_v536 = cs;
    				_v572 = ds;
    				_v576 = es;
    				_v580 = fs;
    				_v584 = gs;
    				asm("pushfd");
    				_pop( *_t22);
    				_v540 = _v0;
    				_t49 =  &_v0;
    				_v528 = _t49;
    				_v724 = 0x10001;
    				_v544 =  *((intOrPtr*)(_t49 - 4));
    				_v804 = _a8;
    				_v800 = _a12;
    				_v792 = _v0;
    				_t68 = IsDebuggerPresent();
    				SetUnhandledExceptionFilter(0);
    				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
    					_push(_a4);
    					E0128530D(_t57);
    				}
    				return E012842FC(_v8 ^ _t72);
    			}


    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0128FDD0
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0128FDDA
    • UnhandledExceptionFilter.KERNEL32(?), ref: 0128FDE7
      • Part of subcall function 012842FC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01284844
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    C-Code - Quality: 100%
    			E012A1699(int _a4) {
    				void* _t14;
    				void* _t16;
    
    				if(E012AB285(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
    					TerminateProcess(GetCurrentProcess(), _a4);
    				}
    				E012A171E(_t14, _t16, _a4);
    				ExitProcess(_a4);
    			}


    APIs
    • GetCurrentProcess.KERNEL32(00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002,00000000,?,012A8426,00000003), ref: 012A16BA
    • TerminateProcess.KERNEL32(00000000,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002,00000000,?,012A8426,00000003), ref: 012A16C1
      • Part of subcall function 012A171E: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,012A16CF,00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002), ref: 012A173E
      • Part of subcall function 012A171E: GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,012A16CF,00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002), ref: 012A1751
      • Part of subcall function 012A171E: FreeLibrary.KERNEL32(00000000,?,?,?,012A16CF,00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002,00000000), ref: 012A1774
    • ExitProcess.KERNEL32 ref: 012A16D3
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    APIs
    • GetVersionExA.KERNEL32(?,00000000), ref: 000E1DF3
    • OpenProcess.KERNEL32(-0000040B,00000000,00000000), ref: 000E1E20
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,40BF4706,00000000,-00000009,00000000,00000040,00000000), ref: 000E1BCE
    • SHEnumKeyExA.SHLWAPI(00000000,00000000,?,?), ref: 000E1CA9
    • SHGetValueA.SHLWAPI(00000000,?,789B7D05,000E2601,?,00000000), ref: 000E1CDD
    • lstrcmpi.KERNEL32(?,669A6118), ref: 000E1CF5
    • SHGetValueA.SHLWAPI(00000000,?,648A6111,000E2601,?,00000000), ref: 000E1D28
    • SHEnumKeyExA.SHLWAPI(00000000,00000000,?,?), ref: 000E1D7D
    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,00000000), ref: 000E1DBE
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    APIs
    • SHGetValueA.SHLWAPI(80000002,40BF4706,?,?,000E259E,?), ref: 000E15F7
    • GetTickCount.KERNEL32(00000040,?,00000000,00000000), ref: 000E161D
    • srand.MSVCRT ref: 000E1620
    • rand.MSVCRT ref: 000E162D
    • rand.MSVCRT ref: 000E1634
    • GetTickCount.KERNEL32 ref: 000E163C
    • SHSetValueA.SHLWAPI(80000002,40BF4706,?,00000004,000E259E,00000004), ref: 000E1657
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    APIs
    • LocalAlloc.KERNEL32(00000040,00000280,00000040,00000000,00000000,?,?,?,000E25F3,00000000), ref: 000E1A92
    • GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 000E1A9E
    • LocalFree.KERNEL32(00000000,?,?,?,000E25F3,00000000), ref: 000E1AA9
    • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,000E25F3,00000000), ref: 000E1AB4
    • GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 000E1ABD
    • memcpy.MSVCRT ref: 000E1AE2
    • LocalFree.KERNEL32(00000000,00000000,00000000,?,?,?,000E25F3,00000000), ref: 000E1AF9
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,012A16CF,00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002), ref: 012A173E
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,012A16CF,00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002), ref: 012A1751
    • FreeLibrary.KERNEL32(00000000,?,?,?,012A16CF,00000003,?,012A166F,00000003,0159D2E8,0000000C,012A17C6,00000003,00000002,00000000), ref: 012A1774
      • Part of subcall function 012842FC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01284844
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd
    C-Code - Quality: 83%
    			E0135CB09(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __ebp, char _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
    				signed int _v4;
    				char _v16;
    				struct _MEMORY_BASIC_INFORMATION _v44;
    				char _v68;
    				long _v72;
    				intOrPtr _v76;
    				char _v80;
    				char* _v84;
    				char _v88;
    				intOrPtr _v92;
    				char* _v96;
    				long _v100;
    				intOrPtr _v104;
    				char _v108;
    				void* _v112;
    				void* _v116;
    				void* _v120;
    				intOrPtr _v124;
    				signed int _t72;
    				signed int _t80;
    				intOrPtr* _t81;
    				signed int _t90;
    				void* _t97;
    				intOrPtr _t100;
    				signed int _t101;
    				void* _t103;
    				void* _t104;
    				signed int _t109;
    				signed int _t110;
    				intOrPtr* _t111;
    				void* _t118;
    				void* _t120;
    				intOrPtr _t123;
    				void* _t125;
    				void* _t128;
    				void* _t129;
    				void* _t130;
    				void* _t133;
    				intOrPtr _t135;
    				signed int _t136;
    				void* _t144;
    				void* _t146;
    
    				_t72 =  *0x15de088; // 0xb23b131a
    				_v4 = _t72 ^ _t136;
    				_t135 = _a8;
    				_t103 = 0;
    				_t133 = __ecx;
    				_v112 = _a16;
    				if( *((intOrPtr*)(__ecx + 0x68)) != 0) {
    					_t128 = CreateFileW( *(__ecx + 0x60), 0x40000000, 0, 0, 1, 0x80, 0);
    					_v120 = _t128;
    					if(_t128 != 0xffffffff) {
    						_v80 = _a4;
    						_v76 = _t135;
    						_v72 = 0;
    						_v100 = 0;
    						_v96 =  &_v68;
    						_v16 = 3;
    						GetCurrentThreadId();
    						_t109 = _v100;
    						_t80 = _t109 * 0xc;
    						_t110 = _t109 + 1;
    						_v100 = _t110;
    						 *((intOrPtr*)(_t136 + _t80 + 0x54)) =  &_v16;
    						_t123 = _a12;
    						 *((intOrPtr*)(_t136 + _t80 + 0x4c)) = 0x47670001;
    						 *((intOrPtr*)(_t136 + _t80 + 0x50)) = 0xc;
    						if(_t123 != 0) {
    							_t101 = _t110 * 0xc;
    							_v100 = _t110 + 1;
    							 *((intOrPtr*)(_t136 + _t101 + 0x4c)) = 0x47670002;
    							 *((intOrPtr*)(_t136 + _t101 + 0x50)) = 0x308;
    							 *((intOrPtr*)(_t136 + _t101 + 0x54)) = _t123;
    						}
    						if(_t135 != 0) {
    							_t129 =  *(_a4 + 0xb8);
    							if(VirtualQueryEx(_v112, _t129,  &_v44, 0x1c) != 0 && _v44.State == 0x1000) {
    								_t118 = _t129 + 0xffffff80;
    								_v116 = _t118;
    								asm("adc eax, 0xffffffff");
    								_v124 = _t103;
    								_t97 = _v44.BaseAddress;
    								asm("cdq");
    								_v92 = _t123;
    								_t144 = _t123 - _v124;
    								if(_t144 > 0 || _t144 >= 0 && _t97 >= _t118) {
    									_v116 = _t97;
    									_v124 = _t123;
    								}
    								_t125 = _v44.RegionSize + _t97;
    								asm("adc ecx, [esp+0x34]");
    								_t130 = _t129 + 0x80;
    								asm("adc eax, ebx");
    								_t146 = 0 - _t103;
    								if(_t146 > 0 || _t146 >= 0 && _t125 >= _t130) {
    									_t125 = _t130;
    								}
    								_t120 = _v116;
    								_t100 =  *((intOrPtr*)( *((intOrPtr*)(_t133 + 0xc0))));
    								 *(_t100 + 8) = _t120;
    								 *((intOrPtr*)(_t100 + 0xc)) = _v124;
    								 *((intOrPtr*)(_t100 + 0x10)) = _t125 - _t120;
    							}
    							_t128 = _v120;
    						}
    						_t111 =  *((intOrPtr*)(_t133 + 0xc0));
    						_v108 = _t103;
    						_v104 = _t103;
    						_t81 =  *_t111;
    						_v108 = _t81;
    						_v104 = _t111;
    						if(( *(_t81 + 8) |  *(_t81 + 0xc)) == 0) {
    							_v108 =  *_t81;
    						}
    						_t104 = _v112;
    						_v84 =  &_v108;
    						_v88 = 0x135cd11;
    						_t86 =  ==  ? 0 :  &_v80;
    						_t90 =  ~( *((intOrPtr*)(_t133 + 0x68))(_t104, L0135D39E(_t104, _t133), 0, _t128,  *((intOrPtr*)(_t133 + 0x6c)),  ==  ? 0 :  &_v80,  &_v100,  &_v88) - 1);
    						asm("sbb al, al");
    						_t70 = _t90 + 1; // 0x0
    						_t103 = _t70;
    						CloseHandle(_t128);
    					}
    				}
    				return E012842FC(_v4 ^ _t136);
    			}














































    APIs
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 0135CB4F
    • GetCurrentThreadId.KERNEL32 ref: 0135CB8E
    • VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0135CBFF
    • CloseHandle.KERNEL32(00000000), ref: 0135CCEE
      • Part of subcall function 012842FC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01284844
    Memory Dump Source
    • Source File: 00000000.00000002.1465012476.011B1000.00000020.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000000.00000002.1465003750.011B0000.00000002.sdmp
    • Associated: 00000000.00000002.1465132394.014E6000.00000002.sdmp
    • Associated: 00000000.00000002.1465181990.015DE000.00000004.sdmp
    • Associated: 00000000.00000002.1465191048.015E2000.00000008.sdmp
    • Associated: 00000000.00000002.1465201632.01606000.00000004.sdmp
    • Associated: 00000000.00000002.1465209861.01607000.00000008.sdmp
    • Associated: 00000000.00000002.1465218290.0160B000.00000004.sdmp
    • Associated: 00000000.00000002.1465226323.0160E000.00000008.sdmp
    • Associated: 00000000.00000002.1465239736.01638000.00000004.sdmp
    • Associated: 00000000.00000002.1465479876.0183E000.00000002.sdmp
    • Associated: 00000000.00000002.1465493193.01840000.00000008.sdmp
    • Associated: 00000000.00000002.1465506208.01841000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_11b0000_CCleaner.jbxd
    APIs
    • LoadLibraryA.KERNEL32(7A8B6D3E), ref: 000E19AB
    • GetProcAddress.KERNEL32(00000000,7BAE7B1C,?,?,?,00000000), ref: 000E19D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1464850931.000E0000.00000040.sdmp, Offset: 000E0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e0000_CCleaner.jbxd