Windows Analysis Report
SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe

Overview

General Information

Sample name: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Analysis ID: 1430961
MD5: 199e8896119bd3fc3850e9b19eb98ab2
SHA1: b20795b8b98641cd1f3f79767ca2479d81af2a7e
SHA256: 36c6dceee32c61fa35e3d2bc6699ca7d6fc0eee903f82876e1e1049d4b52e600
Tags: exe

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Multi AV Scanner detection for submitted file
Monitors registry run keys for changes
Tries to harvest and steal browser information (history, passwords, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Enables security privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Virustotal: Detection: 7%
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C00A56D __EH_prolog3_catch_GS,GetTempPathW,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertFindCertificateInStore,CertGetNameStringW,CertGetNameStringW,LocalAlloc,CertGetNameStringW,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 4_2_6C00A56D
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: -----BEGIN PUBLIC KEY----- 4_2_6C036BC0
Source: PCCleaner.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.239.199.80:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.73.195:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.1.116:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.239.32.21:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.1.116:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: o[11][FILE]C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb`a source: PCCleaner.exe, 00000004.00000002.2983811248.0000000002B46000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: global traffic HTTP traffic detected: POST /httpapi HTTP/1.1 Host: api.playanext.com Accept: */* Content-Length: 419 Content-Type: application/x-www-form-urlencoded Data Ascii: api_key=e8OFglPlUwaUQYg9khHR89x9FrE1f7m1387hQEIj&event=%5b%7b%22event_properties%22%3a%7b%22distributor%22%3a%22%22%2c%22distributor_product%22%3a%22%22%2c%22method_used%22%3a%22Initialize%22%2c%22offer_product%22%3a%22%22%2c%22source%22%3a%22PlayaSDK%20C%2b%2b%20v1.7.3%22%2c%22user_country%22%3a%22%22%7d%2c%22event_type%22%3a%22cpp_sdk_startup%22%2c%22ip%22%3a%22%24remote%22%2c%22session_id%22%3a1713960062019%7d%5d
Source: global traffic HTTP traffic detected: POST /httpapi HTTP/1.1 Host: api.playanext.com Accept: */* Content-Length: 685 Content-Type: application/x-www-form-urlencoded Data Ascii: api_key=e8OFglPlUwaUQYg9khHR89x9FrE1f7m1387hQEIj&event=%5b%7b%22event_properties%22%3a%7b%22distributor%22%3a%22%22%2c%22distributor_product%22%3a%22%22%2c%22error_code%22%3a%22OFFER_API_FAILURE%22%2c%22error_description%22%3a%22Code%3a%2035%3b%20Error%20string%3a%20schannel%3a%20next%20InitializeSecurityContext%20failed%3a%20Unknown%20error%20%280x80092012%29%20-%20The%20revocation%20function%20was%20unable%20to%20check%20revocation%20for%20the%20certificate.%22%2c%22offer_product%22%3a%22%22%2c%22source%22%3a%22PlayaSDK%20C%2b%2b%20v1.7.3%22%2c%22user_country%22%3a%22%22%7d%2c%22event_type%22%3a%22error%22%2c%22ip%22%3a%22%24remote%22%2c%22session_id%22%3a1713960062019%7d%5d
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /pc-cleaner/install HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (Windows; U) Host: pchelpsoft.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /pc-cleaner/install HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U) Connection: Keep-Alive Cache-Control: no-cache Host: www.pchelpsoft.com
Source: global traffic HTTP traffic detected: POST /desktop/install_complete HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: Mozilla/5.0 (compatible; Indy Library) Content-Length: 147 Host: cloud.pchelpsoft.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C04ADA0 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 4_2_6C04ADA0
Source: global traffic HTTP traffic detected: GET /debug.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Embarcadero URI Client/1.0 Host: collect.avqtools.com
Source: global traffic HTTP traffic detected: GET /api/tracking/pccleaner?downloadedDate=2024-04-24T10%3A30%3A06.678Z HTTP/1.1 Connection: Keep-Alive User-Agent: Embarcadero URI Client/1.0 Host: partner-tracking.lavasoft.com
Source: global traffic HTTP traffic detected: GET /images/build-phone-banners/phone_activation.png HTTP/1.1 Connection: Keep-Alive User-Agent: Embarcadero URI Client/1.0 Host: www.pchelpsoft.com
Source: unknown DNS traffic detected: queries for: collect.avqtools.com
Source: unknown HTTP traffic detected: POST /api/collect HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: Embarcadero URI Client/1.0 Content-Length: 353 Host: collect.avqtools.com
Source: PCCleaner.exe, PCCleaner.exe, 00000004.00000003.1904735980.0000000007A61000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1904735980.0000000007A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://api.playanext.com/httpapi
Source: PCCleaner.exe, 00000004.00000003.1904735980.0000000007A6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://api.playanext.com/httpapib%22distributor%22%3a%22%22%2c%
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cdn.pchelpsoft.com/pchelpsoft/Driver_Updater_CS.exe?mkey1=PH_CRS_PCC_TO_DU_DL&cmp=CROSSELL
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.000000000246F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cdn.pchelpsoft.com/pchelpsoft/Driver_Updater_CS.exe?mkey1=PH_CRS_PCC_TO_DU_DL&cmp=CROSSELLtmp
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000002.1808516635.000000000018D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1726439925.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1812491495.0000000002268000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.00000000023DB000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.google.com/search?q=
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000002.2982821753.00000000026A0000.00000004.00001000.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000000.1783577234.000000000079F000.00000020.00000001.01000000.00000007.sdmp, PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.indyproject.org/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.playanext.com/U
Source: PCCleaner.exe, 00000004.00000002.2994873685.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com:443
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.00000000037C1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cloud.pchelpsoft.com/desktop/install_complete
Source: PCCNotifications.exe, 00000003.00000002.2979751952.00000000009D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://collect.avqtools.com/
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://collect.avqtools.com/2
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://collect.avqtools.com/6
Source: PCCNotifications.exe, 00000003.00000000.1783577234.0000000000401000.00000020.00000001.01000000.00000007.sdmp, PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000003.2002335373.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A39000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000003.2089622013.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000002.2982183505.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://collect.avqtools.com/api/collect
Source: PCCNotifications.exe, 00000003.00000000.1783577234.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://collect.avqtools.com/api/collectU
Source: PCCNotifications.exe, 00000003.00000003.2002335373.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000003.2089622013.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000002.2982183505.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://collect.avqtools.com/api/collectd
Source: PCCNotifications.exe, 00000003.00000000.1783577234.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://collect.avqtools.com/api/debug?program=pchs_cleaner_v
Source: PCCNotifications.exe, 00000003.00000000.1783577234.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://collect.avqtools.com/api/debugU
Source: PCCNotifications.exe, 00000003.00000000.1783577234.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://collect.avqtools.com/debug.txt
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://collect.avqtools.com/t.co
Source: PCCleaner.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: PCCleaner.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: PCCleaner.exe String found in binary or memory: https://files.playanext.com/Installer/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000000.1725506766.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://notifications.avqtools.com/clicked/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://notifications.avqtools.com/confirmed/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://notifications.avqtools.com/executed/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://notifications.avqtools.com/exit-xml/PCHELPSOFT
Source: PCCNotifications.exe, 00000003.00000002.2982821753.0000000002724000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://notifications.avqtools.comaPr
Source: PCCleaner.exe, PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offers.playanext.com/offer
Source: PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offers.playanext.com/offer0
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://partner-tracking.lavasoft.com/api/tracking/pccleaner?downloadedDate=
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.00000000024FA000.00000004.00001000.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.3004334140.0000000007A10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/company/eula/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.00000000024D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/company/eula/a
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003690000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/company/privacy-policy/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.0000000002501000.00000004.00001000.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/pc-cleaner/install
Source: PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/pc-cleaner/install-
Source: PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/pc-cleaner/installO
Source: PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/pc-cleaner/installU
Source: PCCleaner.exe, 00000004.00000002.2983811248.0000000002C04000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.com/rpf
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://pchelpsoft.com/support/pc-cleaner/how-to-uninstall/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003779000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.upclick.com/clickgate/join.aspx?ref=crm.pchelpsoft.com/cleaner&ujid=20s3lABRVNE=&
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003796000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.upclick.com/clickgate/join.aspx?ref=crm.pchelpsoft.com/cleaner&ujid=2GD9HaP
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003796000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.upclick.com/clickgate/join.aspx?ref=crm.pchelpsoft.com/cleaner&ujid=epIz41GP07U=&
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003779000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pchelpsoft.upclick.com/clickgate/join.aspx?ref=crm.pchelpsoft.com/cleaner&ujid=hv6Az34OCw8=&
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://services.avanquest.com/pchelpsoft/trustedPilot_cleaner.php?data=
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1796393048.0000000003780000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=Pxo3UeCZAEo=&step=2&cmp=UNI
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=TqA1Vm9ge5o=
Source: PCCleaner.exe, 00000004.00000002.2983811248.0000000002BED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=TqA1Vm9ge5o=&src=default_re
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.00000000024A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=TqA1Vm9ge5o=1AJ
Source: PCCNotifications.exe, 00000003.00000002.2982821753.0000000002724000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://subscriptions.avqtools.com
Source: PCCleaner.exe, 00000004.00000002.2994873685.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://subscriptions.avqtools.com0
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1731604855.0000000003490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.pchelpsoft.com/hc/
Source: PCCleaner.exe, 00000004.00000002.2994873685.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.pchelpsoft.com/hc/0
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1801420220.00000000024F3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://support.pchelpsoft.com/hc/9QO
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://techsupport.avqtools.com/feedback
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000000.1783577234.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://upgrades.avqtools.com
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://upgrades.avqtools.comS
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://us.trustpilot.com/evaluate/www.pchelpsoft.com
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/pc_cleaner_router_missing_passwor
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000000.1729489652.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000003.1793709581.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000002.1808516635.000000000018D000.00000004.00000010.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/
Source: PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/LMEM
Source: PCCleaner.exe, 00000004.00000003.1904735980.0000000007A61000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1956192852.0000000007A61000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.3004334140.0000000007A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/Q
Source: PCCleaner.exe, 00000004.00000003.1904735980.0000000007A61000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1956192852.0000000007A61000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.3004334140.0000000007A61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/a
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/c
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.pchelpsoft.com/company/eula/U
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.pchelpsoft.com/company/privacy-policy/
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.pchelpsoft.com/company/privacy-policy/S
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png$
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png.co
Source: PCCNotifications.exe, 00000003.00000002.2986834032.0000000002D85000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/images/build-phone-banners/phone_activation.pngo
Source: PCCleaner.exe, 00000004.00000003.1904735980.0000000007A61000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1895796664.0000000007A46000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1904735980.0000000007A49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/pc-cleaner/install
Source: PCCleaner.exe, 00000004.00000002.2992112632.00000000052A5000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.com/pc-cleaner/installite
Source: PCCNotifications.exe, 00000003.00000002.2982821753.00000000026BD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.pchelpsoft.comm/api/collectn
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000000.1729489652.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.239.199.80:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.73.195:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.1.116:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.239.32.21:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 116.203.251.147:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.1.116:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Process token adjusted: Security
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: String function: 6C08B85D appears 152 times
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: String function: 6C08B82A appears 247 times
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: String function: 6C08C350 appears 61 times
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: String function: 6C03CFE0 appears 108 times
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: String function: 6C03CF00 appears 138 times
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: String function: 6C08B5F0 appears 38 times
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5GPCL.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-GSPK3.tmp.1.dr Static PE information: Number of sections : 11 > 10
Source: is-BOR76.tmp.1.dr Static PE information: Number of sections : 11 > 10
Source: is-8F6BD.tmp.1.dr Static PE information: Number of sections : 11 > 10
Source: is-0OI5S.tmp.1.dr Static PE information: Number of sections : 18 > 10
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727909626.000000007FE33000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1727484855.00000000027D7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000003.1812491495.0000000002308000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe, 00000000.00000000.1725738295.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: sus28.spyw.winEXE@8/90@8/8
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C02A460 GetLastError,FormatMessageA,___from_strstr_to_strchr,GetLastError,SetLastError, 4_2_6C02A460
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Mutant created: \Sessions\1\BaseNamedObjects\AF54E2DC-EE25-4757-87F6-A1880E22042B
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Mutant created: \Sessions\1\BaseNamedObjects\dbcc15e2c3e24edf018ffd1269d25c9a
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe File created: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [dhcpnames] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [scanid] INTEGER NULL, [mac] TEXT NULL, [hostname] TEXT NULL, [vendorident] TEXT NULL);
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','ma-m_index','ma-m',#1,'CREATE INDEX [ma-m_index] on [ma-m] ([Pattern] desc)');
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [mdns] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [ipid] INTEGER NULL, [query] TEXT NULL, [answer] BLOB NULL);
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','sqlite_autoindex_logins_1','logins',#4,NULL);[WSLike] TEXT NULL)F
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [ports] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [ipid] INTEGER NULL, [port] INTEGER NULL, [protocol] INTEGER NULL, [string] TEXT NULL);
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','ma-l_index','ma-l',#1,'CREATE INDEX [ma-l_index] on [ma-l] ([Pattern] desc)');
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','ma-s_index','ma-s',#1,'CREATE INDEX [ma-s_index] on [ma-s] ([Pattern] desc)');
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','sqlite_autoindex_passwords_1','passwords',#4,NULL);&
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [vulnerability] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [portid] INTEGER NULL, [vultype] INTEGER NULL, [text1] TEXT NULL, [text2] TEXT NULL);U
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [hosts] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [scanid] INTEGER NULL, [ip] TEXT NULL, [mac] TEXT NULL, [scantime] INTEGER NULL, [vultime] INTEGER NULL, [vpassed] INTEGER NULL);
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','sqlite_autoindex_passwords_1','passwords',#4,NULL);
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [names] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [ipid] INTEGER NULL, [type] INTEGER NULL, [value] TEXT NULL);
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: insert into [resources] ([ipid], [Name], [Description], [Path], [ServerName], [Password], [ResourceType], [Special], [Temporary]) values (?, ?, ?, ?, ?, ?, ?, ?, ?);U
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [scans] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [date] REAL NULL, [network] TEXT NULL, [win] TEXT NULL, [scantime] INTEGER NULL, [vultime] INTEGER NULL);
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','ports_index','ports',#1,'CREATE INDEX [ports_index] on [ports] ([Port] desc)');
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [files] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [scanid] INTEGER NULL, [name] TEXT NULL, [data] TEXT NULL);
Source: PCCleaner.exe, 00000004.00000003.1869204053.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO 'vacuum_db'.sqlite_master VALUES('index','sqlite_autoindex_logins_1','logins',#4,NULL);
Source: PCCleaner.exe, 00000004.00000000.1787044665.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: create table if not exists [resources] ([id] INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, [ipid] INTEGER NULL, [Name] TEXT NULL, [Description] TEXT NULL, [Path] TEXT NULL, [ServerName] TEXT NULL,[Password] TEXT NULL, [ResourceType] INTEGER NULL, [Special] INTEGER NULL, [Temporary] INTEGER NULL, [Access] INTEGER NULL);
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Virustotal: Detection: 7%
Source: PCCleaner.exe String found in binary or memory: https://files.playanext.com/Installer/
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Process created: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp "C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp" /SL5="$20450,6944918,831488,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Process created: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Process created: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe "C:\Program Files (x86)\PC Cleaner\PCCleaner" /START
Source: unknown Process created: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe "C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: security.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: webio.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: security.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: shunimpl.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: playasdk.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: webio.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: security.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: PC Cleaner.lnk.1.dr LNK file: ..\..\..\Program Files (x86)\PC Cleaner\PCCleaner.exe
Source: PC Cleaner.lnk0.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\PC Cleaner\PCCleaner.exe
Source: PC Cleaner on the Web.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\PC Cleaner\HomePage.url
Source: Uninstall PC Cleaner.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\PC Cleaner\unins000.exe
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File written: C:\Users\user\AppData\Roaming\PC Cleaner\Backup\Extensions.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Window found: window name: TMainForm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Automated click: Next
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static file information: File size 7867760 > 1048576
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: o[11][FILE]C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb`a source: PCCleaner.exe, 00000004.00000002.2983811248.0000000002B46000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C03FC50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,if_nametoindex,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoA,QueryPerformanceFrequency, 4_2_6C03FC50
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Static PE information: section name: .didata
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp.0.dr Static PE information: section name: .didata
Source: is-5GPCL.tmp.1.dr Static PE information: section name: .didata
Source: is-BOR76.tmp.1.dr Static PE information: section name: .didata
Source: is-GSPK3.tmp.1.dr Static PE information: section name: .didata
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /4
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /19
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /31
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /45
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /57
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /70
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /81
Source: is-0OI5S.tmp.1.dr Static PE information: section name: /92
Source: is-8F6BD.tmp.1.dr Static PE information: section name: .didata
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08B80C push ecx; ret 4_2_6C08B80B
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C02DAC0 push ebx; ret 4_2_6C02DAC1
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08B7F8 push ecx; ret 4_2_6C08B80B
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61EAC2A8 push ds; retf 7_2_61EAC2AE
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\is-5HH89.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Users\user\AppData\Local\Temp\is-BVGJ6.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\PCHSUninstaller.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\sqlite3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\is-5GPCL.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe File created: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\is-8F6BD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\is-BOR76.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\is-GSPK3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\is-0OI5S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\Program Files (x86)\PC Cleaner\PlayaSDK.dll (copy) Jump to dropped file

Boot Survival

Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\PC Cleaner on the Web.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner\Uninstall PC Cleaner.lnk Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PC Cleaner\is-5HH89.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BVGJ6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PC Cleaner\PCHSUninstaller.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PC Cleaner\is-8F6BD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PC Cleaner\is-0OI5S.tmp
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C0134A7 GetLocalTime followed by cmp: cmp eax, 0ch and CTI: jbe 6C0134DAh 4_2_6C0134A7
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp, 00000001.00000002.1810074305.0000000000797000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: PCCleaner.exe, 00000004.00000002.2997862885.0000000006319000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmicvss0
Source: PCCleaner.exe, 00000004.00000003.1827233560.000000000691F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 000C29VMware, Inc.
Source: PCCleaner.exe, 00000004.00000002.2997862885.000000000634C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware NAT Service195
Source: PCCleaner.exe, 00000004.00000003.1816156250.0000000003AE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 005056VMware, Inc.
Source: PCCleaner.exe, 00000004.00000003.1827233560.000000000691F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 000569VMware, Inc.
Source: PCCleaner.exe, 00000004.00000002.2994873685.0000000005B53000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dVMAuthdService=VMware Authorization Service. If you do not use VMware, this service can be disabled.]
Source: PCCNotifications.exe, 00000003.00000002.2979751952.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, PCCNotifications.exe, 00000003.00000002.2979751952.00000000009D0000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000002.2979938210.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, PCCleaner.exe, 00000004.00000003.1896530032.0000000007A37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: PCCleaner.exe, 00000004.00000002.2994873685.0000000005B53000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: dVMAuthdService=VMware Authorization Service. If you do not use VMware, this service can be disabled.2$1:
Source: PCCleaner.exe, 00000004.00000003.1816156250.0000000003AE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 001C14VMware, Inc.;
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Process information queried: ProcessInformation
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08C577 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C08C577
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C03FC50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,if_nametoindex,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoA,QueryPerformanceFrequency, 4_2_6C03FC50
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C0A8D39 mov eax, dword ptr fs:[00000030h] 4_2_6C0A8D39
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C0A8D7D mov eax, dword ptr fs:[00000030h] 4_2_6C0A8D7D
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C09FB17 mov eax, dword ptr fs:[00000030h] 4_2_6C09FB17
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08C577 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C08C577
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08BC61 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6C08BC61
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08FF63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C08FF63
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E8A900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_61E8A900
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E8A8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 7_2_61E8A8FC
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C08C39A cpuid 4_2_6C08C39A
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6C0AEC82
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoEx, 4_2_6C08AE01
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoW, 4_2_6C0AEED5
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6C0AEFFB
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6C0AE86F
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoW, 4_2_6C0AEA6A
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: EnumSystemLocalesW, 4_2_6C0AEB11
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: EnumSystemLocalesW, 4_2_6C0AEB5C
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: EnumSystemLocalesW, 4_2_6C0AEBF7
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoW, 4_2_6C0A3D6B
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: EnumSystemLocalesW, 4_2_6C0A37B2
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetLocaleInfoW, 4_2_6C0AF101
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6C0AF1D0
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Users\user\AppData\Local\Temp\is-HLNI5.tmp\SecuriteInfo.com.Program.Unwanted.5320.27373.27791.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C078E94 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 4_2_6C078E94
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe File read: C:\Program Files (x86)\PC Cleaner\Cookies.txt
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C04ADA0 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 4_2_6C04ADA0
Source: C:\Program Files (x86)\PC Cleaner\PCCleaner.exe Code function: 4_2_6C03EB00 ___from_strstr_to_strchr,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 4_2_6C03EB00
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E711C6 sqlite3_mprintf,sqlite3_prepare_v3,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E711C6
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7219B sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 7_2_61E7219B
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7417C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free, 7_2_61E7417C
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E8515A sqlite3_value_text,sqlite3_result_blob,strcmp,sqlite3_free,sqlite3_result_error,sqlite3_free,sqlite3_malloc,sqlite3_malloc,sqlite3_reset,sqlite3_result_error_code,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_result_blob, 7_2_61E8515A
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E880E0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free, 7_2_61E880E0
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7409C sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 7_2_61E7409C
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E293F4 sqlite3_mutex_leave,sqlite3_bind_blob, 7_2_61E293F4
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E163D4 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 7_2_61E163D4
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E713AC sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E713AC
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E8834B sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset, 7_2_61E8834B
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7633B sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 7_2_61E7633B
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7D2FE sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_column_text,sqlite3_column_bytes,sqlite3_value_text,sqlite3_value_bytes,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E7D2FE
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E712C4 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset, 7_2_61E712C4
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7229F sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 7_2_61E7229F
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E72220 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E72220
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E77206 sqlite3_bind_text,sqlite3_bind_value,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_blob_open,sqlite3_blob_write,sqlite3_blob_close, 7_2_61E77206
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E03203 sqlite3_bind_parameter_count, 7_2_61E03203
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E03215 sqlite3_bind_parameter_name, 7_2_61E03215
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E165F0 sqlite3_transfer_bindings, 7_2_61E165F0
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E295F7 sqlite3_bind_null,sqlite3_mutex_leave, 7_2_61E295F7
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E295D1 sqlite3_bind_int,sqlite3_bind_int64, 7_2_61E295D1
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E29582 sqlite3_bind_int64,sqlite3_mutex_leave, 7_2_61E29582
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E76545 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_malloc,sqlite3_reset, 7_2_61E76545
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E2951D sqlite3_bind_double,sqlite3_mutex_leave, 7_2_61E2951D
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E294F6 sqlite3_bind_text16, 7_2_61E294F6
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E29489 sqlite3_bind_text64, 7_2_61E29489
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E83484 sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_step,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_step,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free, 7_2_61E83484
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E81497 sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_realloc,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, 7_2_61E81497
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E29462 sqlite3_bind_text, 7_2_61E29462
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7242A sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_bind_int,sqlite3_column_int,sqlite3_bind_int,sqlite3_column_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E7242A
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E6C43E sqlite3_mprintf,sqlite3_bind_int, 7_2_61E6C43E
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E2941B sqlite3_bind_blob64, 7_2_61E2941B
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E297F9 sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave, 7_2_61E297F9
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E727FA sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, 7_2_61E727FA
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E707A4 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_mprintf, 7_2_61E707A4
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7079A sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 7_2_61E7079A
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E29712 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 7_2_61E29712
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E726EE sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_column_type, 7_2_61E726EE
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E6C6C1 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v3,sqlite3_free,sqlite3_bind_value, 7_2_61E6C6C1
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E296A5 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 7_2_61E296A5
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E29628 sqlite3_bind_pointer,sqlite3_mutex_leave, 7_2_61E29628
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E75605 sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 7_2_61E75605
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7B835 sqlite3_value_text,sqlite3_value_text,sqlite3_mprintf,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_malloc,sqlite3_finalize,sqlite3_free, 7_2_61E7B835
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E75BDB sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step, 7_2_61E75BDB
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E75B70 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step, 7_2_61E75B70
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E71B7A sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset, 7_2_61E71B7A
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E80AF2 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset, 7_2_61E80AF2
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E86D2A sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E86D2A
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7BD2B sqlite3_mprintf,sqlite3_bind_int,sqlite3_step,sqlite3_reset,memmove,memcmp, 7_2_61E7BD2B
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E12CD9 sqlite3_bind_parameter_index, 7_2_61E12CD9
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7EC81 memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_reset,sqlite3_reset, 7_2_61E7EC81
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E86C8E sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, 7_2_61E86C8E
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E71C0A sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 7_2_61E71C0A
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E79FE5 memcmp,sqlite3_mprintf,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free, 7_2_61E79FE5
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E80FD8 sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset, 7_2_61E80FD8
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E73F60 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset, 7_2_61E73F60
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E7FEDC sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free, 7_2_61E7FEDC
Source: C:\Program Files (x86)\PC Cleaner\PCCNotifications.exe Code function: 7_2_61E70E7C sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, 7_2_61E70E7C