hxxps://mega[.]nz/file/dVo31I6A#ZcoYTJffHohVB1U_0hsI9YLAngdsrLuGvKbj8jJkFh4

Analysis

max time kernel
589s
max time network
632s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/dVo31I6A#ZcoYTJffHohVB1U_0hsI9YLAngdsrLuGvKbj8jJkFh4

Score

8^/10

bootkit discovery exploit persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

Processes:

attrib.exeattrib.execmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 6 IoCs

Processes:

ChromeRecovery.execcsetup600pro.exeCCleaner64.exeCCUpdate.exeCCUpdate.exepatch.exe

pid process

2908 ChromeRecovery.exe
2848 ccsetup600pro.exe
2116 CCleaner64.exe
2344 CCUpdate.exe
2644 CCUpdate.exe
2476 patch.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2432 takeown.exe
2968 icacls.exe
3044 takeown.exe
2804 icacls.exe

pid	process
2908	ChromeRecovery.exe
2848	ccsetup600pro.exe
2116	CCleaner64.exe
2344	CCUpdate.exe
2644	CCUpdate.exe
2476	patch.exe

pid	process
2432	takeown.exe
2968	icacls.exe
3044	takeown.exe
2804	icacls.exe

Loads dropped DLL 38 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exeCCleaner64.exeCCUpdate.exepatch.exe

pid	process
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2344	CCUpdate.exe
2344	CCUpdate.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2344	CCUpdate.exe
2644	CCUpdate.exe
2644	CCUpdate.exe
2644	CCUpdate.exe
2644	CCUpdate.exe
2644	CCUpdate.exe
2116	CCleaner64.exe
2476	patch.exe
2476	patch.exe
2476	patch.exe
2476	patch.exe
1256
1256
1256
1256

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2432 takeown.exe
2968 icacls.exe
3044 takeown.exe
2804 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2432	takeown.exe
2968	icacls.exe
3044	takeown.exe
2804	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe"	CCUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ccsetup600pro.exeCCUpdate.exeCCUpdate.exeCCleaner64.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup600pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exeelevation_service.exeCCleaner64.exe

description	ioc	process
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1053.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\Setup\40464f87-6511-43e0-8535-b00302ec27c8\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\CCleaner\branding.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1051.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\a9c005c0-a031-4239-a48d-dae9fce074bf.xml	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Setup\40464f87-6511-43e0-8535-b00302ec27c8\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1038.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1054.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup600pro.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\manifest.json	elevation_service.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\40464f87-6511-43e0-8535-b00302ec27c8\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1030.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1081.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1028.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1050.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\d7fe43a0-d3a4-4c81-919b-3383a4ca2ab5.cab	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup600pro.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\83c9da23-5ae3-4b81-b75b-065ef0db9b33.dll	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\40464f87-6511-43e0-8535-b00302ec27c8\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\8144eb64-e714-4daf-a462-d3f606410a8a.ini	CCUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup600pro.exeCCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup600pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup600pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup600pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1992 timeout.exe
2092 timeout.exe
2932 timeout.exe

pid	process
1992	timeout.exe
2092	timeout.exe
2932	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

ccsetup600pro.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe

Modifies registry class 28 IoCs

Processes:

ccsetup600pro.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Software\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup600pro.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ccsetup600pro.exeCCleaner64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.execcsetup600pro.exeCCleaner64.exe

pid	process
668	chrome.exe
1920	chrome.exe
1920	chrome.exe
2312	chrome.exe
1920	chrome.exe
1920	chrome.exe
2548	chrome.exe
2684	chrome.exe
2896	chrome.exe
3044	chrome.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2848	ccsetup600pro.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe
2116	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

AUDIODG.EXE7zG.exe7zG.exeAUDIODG.EXE7zG.exe7zG.execcsetup600pro.exeCCUpdate.exeCCUpdate.exe

description	pid	process
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE
Token: SeRestorePrivilege	1960	7zG.exe
Token: 35	1960	7zG.exe
Token: SeSecurityPrivilege	1960	7zG.exe
Token: SeSecurityPrivilege	1960	7zG.exe
Token: SeRestorePrivilege	2288	7zG.exe
Token: 35	2288	7zG.exe
Token: SeSecurityPrivilege	2288	7zG.exe
Token: SeSecurityPrivilege	2288	7zG.exe
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE
Token: SeRestorePrivilege	952	7zG.exe
Token: 35	952	7zG.exe
Token: SeSecurityPrivilege	952	7zG.exe
Token: SeSecurityPrivilege	952	7zG.exe
Token: SeRestorePrivilege	1972	7zG.exe
Token: 35	1972	7zG.exe
Token: SeSecurityPrivilege	1972	7zG.exe
Token: SeSecurityPrivilege	1972	7zG.exe
Token: SeManageVolumePrivilege	2848	ccsetup600pro.exe
Token: SeManageVolumePrivilege	2848	ccsetup600pro.exe
Token: SeRestorePrivilege	2848	ccsetup600pro.exe
Token: SeShutdownPrivilege	2344	CCUpdate.exe
Token: SeShutdownPrivilege	2644	CCUpdate.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

chrome.exe7zG.exe7zG.exe7zG.exe7zG.exe

pid	process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1960	7zG.exe
2288	7zG.exe
952	7zG.exe
1972	7zG.exe
1920	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

chrome.exe

pid	process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ccsetup600pro.exe

pid process

2848 ccsetup600pro.exe
2848 ccsetup600pro.exe
2848 ccsetup600pro.exe
2848 ccsetup600pro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1920 wrote to memory of 1688	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1688	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1688	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 924	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 668	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 668	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 668	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 520	1920	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2964 attrib.exe
984 attrib.exe
1928 attrib.exe

pid	process
2964	attrib.exe
984	attrib.exe
1928	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/dVo31I6A#ZcoYTJffHohVB1U_0hsI9YLAngdsrLuGvKbj8jJkFh4
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70e4f50,0x7fef70e4f60,0x7fef70e4f70
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
2⤵
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1720 /prefetch:8
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
2⤵
PID:580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3300 /prefetch:2
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3732 /prefetch:8
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 /prefetch:8
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3288 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
2⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,5290234288885743244,9826370098102604153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=900 /prefetch:8
2⤵
PID:864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x190
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2856

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={aad4ee46-9309-4314-99e4-c16972f380d6} --system
2⤵
- Executes dropped EXE
PID:2908

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\" -spe -an -ai#7zMap30702:178:7zEvent25192
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\" -spe -an -ai#7zMap1934:178:7zEvent8646
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\zip password 123
1⤵
- Modifies registry class
PID:2140

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\" -spe -an -ai#7zMap29676:178:7zEvent22734
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:952

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\" -spe -an -ai#7zMap28430:190:7zEvent10866
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1972

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\83c9da23-5ae3-4b81-b75b-065ef0db9b33.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\BlockerKeyVerificator.cmd"
1⤵
PID:2572

C:\Windows\system32\fltMC.exe
fltmc
2⤵
PID:2720

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:1992

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers\etc\hosts" /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2432

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2968

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2964

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\BlockerKeyVerificator.cmd" "
1⤵
- Drops file in Drivers directory
PID:2896

C:\Windows\system32\fltMC.exe
fltmc
2⤵
PID:3052

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:2092

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers\etc\hosts" /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3044

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2804

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:984

C:\Windows\system32\find.exe
FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1552

C:\Windows\system32\find.exe
FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1976

C:\Windows\system32\find.exe
FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2768

C:\Windows\system32\find.exe
FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2776

C:\Windows\system32\find.exe
FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2764

C:\Windows\system32\find.exe
FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1020

C:\Windows\system32\find.exe
FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2120

C:\Windows\system32\find.exe
FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1904

C:\Windows\system32\find.exe
FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2024

C:\Windows\system32\find.exe
FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2036

C:\Windows\system32\find.exe
FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1348

C:\Windows\system32\find.exe
FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1068

C:\Windows\system32\attrib.exe
attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1928

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:2932

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2856_255527352\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
839bdefc68b8e969328b28252aa4bf38

SHA1
43487919e688496f8f545e866c381666f48b6520

SHA256
1ddc18fca8744178b3886c5f794a887a63e7d03ae3f5d348775673a4b2dacc50

SHA512
8d374d4b4b5282247bb8b6a792abd93daf8be924880802fad1b151101f5955868243dcc28b2096a329af76d2871646248a0ec8b378b285d5badcdb982ff6e09d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b1a348fdb1c109d1e5421896cba2192b

SHA1
7ec1ea09a3c6466ff5cdf3727502fae8d808ac9c

SHA256
db4e0717123e965d689f8d4ab025bc9f99fde3ac9f4ddb8617005c07a280c45f

SHA512
1537c3ef4742d7861c7cb2b77f40c482dd5b022a0a7cd92d4d10786e569381f346a358ad5d4c7f0ac635cc3a65ee619e2ed68414affa324030a8ca725425e86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
Filesize
52KB

MD5
b3d277b91e15166c56499f099d8b6654

SHA1
8a3a696b8324f6cf33c6fb689608794eb672b52d

SHA256
4a5bcdef6ffff4b2bbea0a38bc163e360cca8d47149ce199957ebfeceff0d0e3

SHA512
86041bf83837c480cb4aaa0140964532a921ee58c5a075534b11dd9dad87a3f53e3940d8c463753223c5aaae0d8fd35db4b0f0a3358b978010eaf4916cd7e04c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cookies
Filesize
20KB

MD5
c9ff4d198abfb9c5efaaa63c1a44ea10

SHA1
ae4e99ebc176484dbc6ec392b2c2c16786bc3637

SHA256
48c398866599810d43e9d437d22a7d4c7337dd98bdc3cfde0c0845fb7c255a0c

SHA512
7b955901d6897428b159d46b949876716931e744f33127629314718de83a158d3185ae20ea3bfd6a7998fb814b78f6c7aff99d00d5404921968e793609e1eb5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual.zip
Filesize
46.5MB

MD5
c4f6b7208dd86c37e3e914e1355ee128

SHA1
2d6243373836f27a2f90ede02bd1b18c5a72c970

SHA256
e61e4307479b59fff371109891bea3b99b1a59c35cc6aae6b70eb067fac28a19

SHA512
afe5a37f46549d727d5ab7ae9ec7e03aa9b9d533f17835ae3bdf0469434f04a9652da6a236caf61a831363b6d3e28058229151d22bb8b36114e6c3f46b00058f

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
Filesize
46.5MB

MD5
9a991c5bc89c23008a67f5e419348f61

SHA1
3c16710b775648009d371e8315d2f1e4dbf3e157

SHA256
67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6

SHA512
f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
Filesize
46.5MB

MD5
9a991c5bc89c23008a67f5e419348f61

SHA1
3c16710b775648009d371e8315d2f1e4dbf3e157

SHA256
67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6

SHA512
f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
Filesize
46.5MB

MD5
9a991c5bc89c23008a67f5e419348f61

SHA1
3c16710b775648009d371e8315d2f1e4dbf3e157

SHA256
67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6

SHA512
f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch.rar
Filesize
134KB

MD5
1b1fd9c8825b9c3cd8269ee9cfb72aca

SHA1
7fb86f3dd9a71d5f9a0135d52dcb3065684432a3

SHA256
4a87829442191f740651898de24561796fb9ab097666a1a039ee818516ec754b

SHA512
19a38e6af805b45db87c8b3e19c9fcb4f5b8c63d73a8b3b93fe1306716f89646817a706daeebef6739dee4a5095af0a3b3bc34d166a1189f462283eae7790816

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch.rar
Filesize
134KB

MD5
1b1fd9c8825b9c3cd8269ee9cfb72aca

SHA1
7fb86f3dd9a71d5f9a0135d52dcb3065684432a3

SHA256
4a87829442191f740651898de24561796fb9ab097666a1a039ee818516ec754b

SHA512
19a38e6af805b45db87c8b3e19c9fcb4f5b8c63d73a8b3b93fe1306716f89646817a706daeebef6739dee4a5095af0a3b3bc34d166a1189f462283eae7790816

Download Submit
\??\pipe\crashpad_1920_ZGJHRIVYPVWTUFEH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\inetc.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\p\ServiceUninstaller.dll
Filesize
216KB

MD5
336be1527375fb853b4e7c99a1bbcf8f

SHA1
10f125650507dda84e49e350897a3b36258e2e69

SHA256
37a3290799e3e6650996af1c40e29b779840f9010d4d40dd7ee1cada337668e7

SHA512
eadeafdef2fd4d0baa8a8868805e0cd68e48a4bd73e4212a2c671c719d84d5198179e99df86edf1dc300f0a6a546fde2f9525dbd5d19b26ca04056bbfcbe9dbe

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\p\pfBL.dll
Filesize
10.4MB

MD5
8ee717b1ec6d2a35cc822bbefaaf4869

SHA1
dcec8360fb20c736b31b5aa45f895cc0195ffde1

SHA256
459d1a6e88410bdb8f286fb0001ecff79ab87b9555e9266d3cfeb391b1f32077

SHA512
9b8762999cf5c86491f058a26c4f7505f03096cf2674b95db6c713e9d55ca24dbd33b283590ce0a037150870ce5b7f0b2630244e424cb1b630f884626e509e64

Download Submit
\Users\Admin\AppData\Local\Temp\nsw4222.tmp\ui\pfUI.dll
Filesize
14.8MB

MD5
8c8ea8e14bfe3ed07b8cd258a7cea642

SHA1
88f18522dc53cf35abbd4d5fe45e55c367ea74db

SHA256
9b29d3a555f66aa4ca156216653a657250732eecee4134ba5a2f4a46a8c7835a

SHA512
b8671c803621fcaab92add6229863fb56862cd7e0d6051ddbee3240fdd7bf68651f67faae81275e1d948988b52352fc2c1ae3369e04c15f9f9d0899bfa8af1d4

Download Submit
memory/984-165-0x0000000000000000-mapping.dmp

Download
memory/1020-171-0x0000000000000000-mapping.dmp

Download
memory/1068-177-0x0000000000000000-mapping.dmp

Download
memory/1348-176-0x0000000000000000-mapping.dmp

Download
memory/1552-166-0x0000000000000000-mapping.dmp

Download
memory/1904-173-0x0000000000000000-mapping.dmp

Download
memory/1928-178-0x0000000000000000-mapping.dmp

Download
memory/1960-59-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1976-167-0x0000000000000000-mapping.dmp

Download
memory/1992-157-0x0000000000000000-mapping.dmp

Download
memory/2024-174-0x0000000000000000-mapping.dmp

Download
memory/2036-175-0x0000000000000000-mapping.dmp

Download
memory/2092-162-0x0000000000000000-mapping.dmp

Download
memory/2116-139-0x0000000000000000-mapping.dmp

Download
memory/2120-172-0x0000000000000000-mapping.dmp

Download
memory/2344-142-0x0000000000000000-mapping.dmp

Download
memory/2432-158-0x0000000000000000-mapping.dmp

Download
memory/2476-181-0x0000000074F50000-0x0000000074F76000-memory.dmp

Filesize
152KB

Download
memory/2644-154-0x0000000000000000-mapping.dmp

Download
memory/2720-156-0x0000000000000000-mapping.dmp

Download
memory/2764-170-0x0000000000000000-mapping.dmp

Download
memory/2768-168-0x0000000000000000-mapping.dmp

Download
memory/2776-169-0x0000000000000000-mapping.dmp

Download
memory/2804-164-0x0000000000000000-mapping.dmp

Download
memory/2848-84-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2848-78-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/2908-58-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/2908-56-0x0000000000000000-mapping.dmp

Download
memory/2932-179-0x0000000000000000-mapping.dmp

Download
memory/2964-160-0x0000000000000000-mapping.dmp

Download
memory/2968-159-0x0000000000000000-mapping.dmp

Download
memory/3044-163-0x0000000000000000-mapping.dmp

Download
memory/3052-161-0x0000000000000000-mapping.dmp

Download