hxxps://mega[.]nz/file/dVo31I6A#ZcoYTJffHohVB1U_0hsI9YLAngdsrLuGvKbj8jJkFh4

Analysis

max time kernel
492s
max time network
500s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/dVo31I6A#ZcoYTJffHohVB1U_0hsI9YLAngdsrLuGvKbj8jJkFh4

Score

8^/10

bootkit discovery exploit persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

attrib.execmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 11 IoCs

Processes:

ChromeRecovery.execcsetup600pro.exepatch.execcsetup600pro.exeCCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exepatch.exepatch.exe

pid	process
4776	ChromeRecovery.exe
4976	ccsetup600pro.exe
5008	patch.exe
176	ccsetup600pro.exe
1028	CCleaner64.exe
1504	CCUpdate.exe
1900	CCUpdate.exe
3896	CCleaner64.exe
5868	CCleaner64.exe
4340	patch.exe
5228	patch.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

2664 icacls.exe
5116 takeown.exe

pid	process
2664	icacls.exe
5116	takeown.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup600pro.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ccsetup600pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Loads dropped DLL 44 IoCs

Processes:

ccsetup600pro.execcsetup600pro.exeCCleaner64.exeCCUpdate.exeCCleaner64.exeCCleaner64.exepatch.exepatch.exe

pid	process
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
1028	CCleaner64.exe
1028	CCleaner64.exe
1900	CCUpdate.exe
1028	CCleaner64.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
4340	patch.exe
5228	patch.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

5116 takeown.exe
2664 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5116	takeown.exe
2664	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCUpdate.exemsedge.exeCCleaner64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe"	CCUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR"	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1063

Processes:

CCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

CCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exeCCleaner64.execcsetup600pro.execcsetup600pro.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe
File opened for modification	\??\PhysicalDrive0	ccsetup600pro.exe
File opened for modification	\??\PhysicalDrive0	ccsetup600pro.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exeelevation_service.exeCCleaner64.exesetup.exeCCleaner64.exe

description	ioc	process
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\63c2e771-2380-453c-ba28-2e890e8f34f9.cab	CCUpdate.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1110.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1066.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\Setup\68be060d-f496-4615-a1d8-7b9c4d921b15\ccleaner_update_helper.exe	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Setup\68be060d-f496-4615-a1d8-7b9c4d921b15\update.xml	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Setup\68be060d-f496-4615-a1d8-7b9c4d921b15	CCUpdate.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1071.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0b4673d4-c6a8-45f2-a4a9-1a8bce7259ee.tmp	setup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1028.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\gcapi_dll.dll	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1032.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner	CCleaner64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221003073411.pma	setup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\68be060d-f496-4615-a1d8-7b9c4d921b15\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\branding.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup600pro.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\manifest.json	elevation_service.exe
File created	C:\Program Files\CCleaner\CCUpdate.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1049.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\72c3743a-0987-4f1f-9325-5a27d3f591b0.ini	CCUpdate.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\CCleaner\temp_ccupdate\ccupdate604_pro.exe	CCleaner64.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup600pro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5032 4976 WerFault.exe ccsetup600pro.exe

pid	pid_target	process	target process
5032	4976	WerFault.exe	ccsetup600pro.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup600pro.exeCCleaner64.exeCCleaner64.exeCCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup600pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup600pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup600pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4956 timeout.exe
1264 timeout.exe

pid	process
4956	timeout.exe
1264	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

ccsetup600pro.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe

Modifies registry class 64 IoCs

Processes:

patch.exechrome.exepatch.execcsetup600pro.exepatch.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	patch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup600pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE\Piriform	ccsetup600pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup600pro.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\SOFTWARE	ccsetup600pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = c2003100000000004355e23b100043434c45414e7e312e3937320000a60009000400efbe4355d63b4355e33b2e000000232f020000000600000000000000000000000000000052790e00430043006c00650061006e0065007200200036002e00300030002e0039003700320037002000280078003600340029002000500072006f00660065007300730069006f006e0061006c002000450064006900740069006f006e0020004d0075006c00740069006c0069006e006700750061006c0000001c000000	patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "4"	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup600pro.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	patch.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	patch.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CCleaner64.exeCCleaner64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.execcsetup600pro.execcsetup600pro.exe

pid	process
2816	chrome.exe
2816	chrome.exe
1760	chrome.exe
1760	chrome.exe
3972	chrome.exe
3972	chrome.exe
2264	chrome.exe
2264	chrome.exe
2348	chrome.exe
2348	chrome.exe
2740	chrome.exe
2740	chrome.exe
3064	chrome.exe
3064	chrome.exe
2464	chrome.exe
2464	chrome.exe
1264	chrome.exe
1264	chrome.exe
64	chrome.exe
64	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4648	chrome.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

patch.exe

pid process

4340 patch.exe

pid	process
4340	patch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

AUDIODG.EXE7zG.exe7zG.execcsetup600pro.exeCCleaner64.exe

description	pid	process
Token: 33	4316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4316	AUDIODG.EXE
Token: SeRestorePrivilege	3680	7zG.exe
Token: 35	3680	7zG.exe
Token: SeSecurityPrivilege	3680	7zG.exe
Token: SeSecurityPrivilege	3680	7zG.exe
Token: SeRestorePrivilege	4688	7zG.exe
Token: 35	4688	7zG.exe
Token: SeSecurityPrivilege	4688	7zG.exe
Token: SeSecurityPrivilege	4688	7zG.exe
Token: SeRestorePrivilege	176	ccsetup600pro.exe
Token: SeShutdownPrivilege	3896	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3896	CCleaner64.exe
Token: SeShutdownPrivilege	3896	CCleaner64.exe
Token: SeCreatePagefilePrivilege	3896	CCleaner64.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

chrome.exe7zG.exe7zG.exemsedge.exeCCleaner64.exe

pid	process
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
3680	7zG.exe
4688	7zG.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exeCCleaner64.exe

pid	process
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
1760	chrome.exe
5868	CCleaner64.exe
5868	CCleaner64.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

ccsetup600pro.execcsetup600pro.exeCCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exeCCleaner64.exepatch.exepatch.exe

pid	process
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
4976	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
176	ccsetup600pro.exe
1028	CCleaner64.exe
1504	CCUpdate.exe
176	ccsetup600pro.exe
1900	CCUpdate.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
3896	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
5868	CCleaner64.exe
4340	patch.exe
5228	patch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1760 wrote to memory of 2960	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2960	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 1172	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2816	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2816	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe
PID 1760 wrote to memory of 2404	1760	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1828 attrib.exe
4900 attrib.exe

pid	process
1828	attrib.exe
4900	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/dVo31I6A#ZcoYTJffHohVB1U_0hsI9YLAngdsrLuGvKbj8jJkFh4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa998c4f50,0x7ffa998c4f60,0x7ffa998c4f70
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1676 /prefetch:2
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1968 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2756 /prefetch:8
2⤵
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1124 /prefetch:8
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5480 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,3128886855718750861,13545614086122546294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
2⤵
PID:1764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4196

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={82a1d785-ad47-44f6-9365-5ea3b48301dc} --system
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2820

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\" -spe -an -ai#7zMap21053:178:7zEvent27808
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\" -spe -an -ai#7zMap23533:190:7zEvent24641
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\readme.txt
1⤵
PID:1976

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1880
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4976 -ip 4976
1⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\BlockerKeyVerificator.cmd"
1⤵
- Drops file in Drivers directory
PID:1180

C:\Windows\system32\fltMC.exe
fltmc
2⤵
PID:3228

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:4956

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers\etc\hosts" /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5116

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2664

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1828

C:\Windows\system32\find.exe
FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:4132

C:\Windows\system32\find.exe
FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2892

C:\Windows\system32\find.exe
FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:3320

C:\Windows\system32\find.exe
FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:4948

C:\Windows\system32\find.exe
FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:844

C:\Windows\system32\find.exe
FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:812

C:\Windows\system32\find.exe
FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:3904

C:\Windows\system32\find.exe
FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:3224

C:\Windows\system32\find.exe
FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:3008

C:\Windows\system32\find.exe
FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:3896

C:\Windows\system32\find.exe
FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:4196

C:\Windows\system32\find.exe
FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:2864

C:\Windows\system32\attrib.exe
attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4900

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:1264

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5008

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:176

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\9137af65-f3af-4037-a67b-fd70502af35a.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ccleaner.com/go/app_releasenotes?p=1&v=&l=1033&b=1&a=3
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf4,0x118,0x11c,0xcc,0x120,0x7ffa98fc46f8,0x7ffa98fc4708,0x7ffa98fc4718
3⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
3⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
3⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
3⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
3⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 /prefetch:8
3⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
3⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
3⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
3⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
3⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4208 /prefetch:8
3⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
3⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
3⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
3⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6c5b75460,0x7ff6c5b75470,0x7ff6c5b75480
4⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13861956037114402317,7189975646789539369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
3⤵
PID:5612

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /monitor
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3832

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:6100

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\readme.txt
1⤵
PID:5752

C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe
"C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4196_533640246\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\QuotaManager
Filesize
52KB

MD5
47fd1ba8d05a8fe7b89595eab845dc0f

SHA1
8c5cbbb6fcf8fa8e005ecae7cfe7a6137896739b

SHA256
9e79c9588ee0e7fcc322f22af17ae73b4fa840ce999a0e85b50ab73c50922bed

SHA512
bc91d69e103eba7235849b22452497b8543183cfccbb860fce3d9482396c5fb393fc0c715e538c2180b1fd08fc2fa56e8bab187c2da83ab696d17400cbfe41e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cookies
Filesize
20KB

MD5
6f4dac17465c0f6d726f1f8f349de588

SHA1
195444b1672eba229c3f54b96953e1d64ec58cc9

SHA256
af60c78be5623ac559a6bcb5fc72705cd4c848c318f3686147cc53daf1f34d60

SHA512
e53af341cf90a262542fddca989ac8b9d0505f8663c321b3d3487870808ce0b1fc5af58d8e998e571ebc60946f666f57132f546bfed9fe5edcbc78010399e43e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\p\pfBL.dll
Filesize
10.4MB

MD5
8ee717b1ec6d2a35cc822bbefaaf4869

SHA1
dcec8360fb20c736b31b5aa45f895cc0195ffde1

SHA256
459d1a6e88410bdb8f286fb0001ecff79ab87b9555e9266d3cfeb391b1f32077

SHA512
9b8762999cf5c86491f058a26c4f7505f03096cf2674b95db6c713e9d55ca24dbd33b283590ce0a037150870ce5b7f0b2630244e424cb1b630f884626e509e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4AEC.tmp\ui\pfUI.dll
Filesize
14.8MB

MD5
8c8ea8e14bfe3ed07b8cd258a7cea642

SHA1
88f18522dc53cf35abbd4d5fe45e55c367ea74db

SHA256
9b29d3a555f66aa4ca156216653a657250732eecee4134ba5a2f4a46a8c7835a

SHA512
b8671c803621fcaab92add6229863fb56862cd7e0d6051ddbee3240fdd7bf68651f67faae81275e1d948988b52352fc2c1ae3369e04c15f9f9d0899bfa8af1d4

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual.zip
Filesize
46.5MB

MD5
c4f6b7208dd86c37e3e914e1355ee128

SHA1
2d6243373836f27a2f90ede02bd1b18c5a72c970

SHA256
e61e4307479b59fff371109891bea3b99b1a59c35cc6aae6b70eb067fac28a19

SHA512
afe5a37f46549d727d5ab7ae9ec7e03aa9b9d533f17835ae3bdf0469434f04a9652da6a236caf61a831363b6d3e28058229151d22bb8b36114e6c3f46b00058f

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
Filesize
46.5MB

MD5
9a991c5bc89c23008a67f5e419348f61

SHA1
3c16710b775648009d371e8315d2f1e4dbf3e157

SHA256
67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6

SHA512
f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
Filesize
46.5MB

MD5
9a991c5bc89c23008a67f5e419348f61

SHA1
3c16710b775648009d371e8315d2f1e4dbf3e157

SHA256
67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6

SHA512
f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
Filesize
46.5MB

MD5
9a991c5bc89c23008a67f5e419348f61

SHA1
3c16710b775648009d371e8315d2f1e4dbf3e157

SHA256
67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6

SHA512
f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch.rar
Filesize
134KB

MD5
1b1fd9c8825b9c3cd8269ee9cfb72aca

SHA1
7fb86f3dd9a71d5f9a0135d52dcb3065684432a3

SHA256
4a87829442191f740651898de24561796fb9ab097666a1a039ee818516ec754b

SHA512
19a38e6af805b45db87c8b3e19c9fcb4f5b8c63d73a8b3b93fe1306716f89646817a706daeebef6739dee4a5095af0a3b3bc34d166a1189f462283eae7790816

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\BlockerKeyVerificator.cmd
Filesize
4KB

MD5
6ba5c46261ff52e7438f21ccef5f8c7e

SHA1
acdf309fbfebecb7a93b78068fc1498fae4d9e62

SHA256
f7d87d0a3977d9ed4ed6eaa2da2fe2aea9564f58cf062f828dec0aa21d9ec11e

SHA512
106b05fbeca31c78e5e5f33cbd62580aac1b4ef781a78ac2cbe80f92eb01f75beeaa480772dcf2f9f2bbea178e681aff2247dd3d08387b35ca507b90b4a5cc43

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\patch.exe
Filesize
129KB

MD5
f3f183ba8a3c43dfcbef0396ad5d917b

SHA1
8a6edcfa27a7f29cab0d6e2f0595eec2c8b2c123

SHA256
849d56ebcfdc2cb97c4a7ab9c961c3b7b80700d43963b7db2b6934609de6104d

SHA512
2b997fa759e206ac1576615e048f0f11665c2ae57abe55e780022796c02214aaf66fbe6d7ea37152908f833ab8c6ddbdf9a53fa96910f499aa9850e6e3170c77

Download Submit
C:\Users\Admin\Downloads\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\patch\readme.txt
Filesize
469B

MD5
35328ae324e1a3d40718533b9ea33ca7

SHA1
63c5e8486d204a7bed95b2aa391a0cc76642b622

SHA256
3f150b73a1d4581303436f2c4e30a16d3fabb7927cad31eab9668f8f8afb6276

SHA512
df8293f25111aa1844e8b06b58f6d04e0296b0a5053039d0655a260acb40a07f8e483408bd7848260424c033c2c9fc9ebb55e29a1b463f5b6391e0c74cf720fc

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
860B

MD5
068b41bfeb76dae036c850c44c120de4

SHA1
c57dfc4cc500cec4e355cc4442c691a88fae0957

SHA256
8e4a6a8935ff1b0d74175d7557793a25c64fa499d0032062b849ecdbd414e6b3

SHA512
f2f52c0336f9c693d30002d269b0c56ed6eb899cc16f9373b31b7bc2d47dc1818bff60a0ed0f98158b73619ce8ce3bae4253e55fbdecf130e5d0f7a0b12c422a

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
910B

MD5
c678ca09571516b0b154b7bb16615c6d

SHA1
98d589355c7677ce407bceca0912e361ce463a20

SHA256
3d426cc5f69ec2e4ac6cc872096488ec27d59e4ca4e390f00cb765e573702810

SHA512
8c2b88eff81bc52fadb25411dfc5c702cbaad97f4901a2a490fdc9846dc775844baf3751872266818ca3a4a0ae1d4b07a8a802a4e9726429e2189df767856a50

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
964B

MD5
995d138a41f1b15081df0a9451589261

SHA1
c3c3c2c82a8b635464a47ff24f389d3d05fe0be4

SHA256
ab4a13e1860bb7e217bde555c08e2b4b3186cfcf5e0072793bfa28b69660bc68

SHA512
dc4ab59f7b0e4b84daa892bf1e615c116f75571df965715d5fe84452632a808a6f39b34cc62a0ddd3c39a46eb313bc7583b17478e7592a41853c3b2468aa2536

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1013B

MD5
0d6e797208adb212724c50c3728408e1

SHA1
73cdc6868f848025dccd36a8cfe89807ca8e2a1e

SHA256
d98e575fb9b84e5b45822969a7bee9b51d55ceecd230aec968846f40c5eb0449

SHA512
7fcb4b45c0ac2e1fd923cc24c93b33432747e87ff67cd46d9fec021c083bfe4264521d2ed2ba3453e60e41948b81229c4b95daf36c6db945bc029c2fe425fb81

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
5905a6804cc613f2040ed02be796fff9

SHA1
51742113a11450b3d1c688392274b5d7ae0328e0

SHA256
8a856b271d9ebe03216c64713e1870aa6922083d821a6c6222ca9e0ef7004266

SHA512
8f249142fd409fed2331fb6d9aa0d30aefee8eaf84369377461517c78ae9603505eb23cd83215f3f6029c15dae3dec70cf707b06b7fa0d18073f4dd36336a823

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
bc0000aa28132d22c5e9e3b4c1e7250e

SHA1
746ce30214393f83be7c18359a47a0dd164b5b22

SHA256
2742178eb33a9489f676caa9446f13231221f2444291abec0fc15f6c0152a686

SHA512
0d46083dfdbb35f54a3600eb761b522f9f172d9c2e732251b2304e05de6d304e64128892d94989209e9c3b8adcf2c06981b6aa2a1d364dba1bda3c24ccc16ee2

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
aac5422a2e9bffb60ce03bbc2e24fd57

SHA1
31a4b61a744364f6735c49e5363866875203111d

SHA256
df7d8c446842caafb2df1928dc37e49770f3682af99ae571e26acc5ed91aab11

SHA512
2851de3e369bb1fbf67b8f0eb2e4ec4467da41e54c9cc6142148dcc87d7fd76240e72fce0adbc359a61744285a54618884ba2d0330d545d7c4d337eaab609fd6

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
ab98b10e2d122ab15b87cd98f93477a1

SHA1
f1abffb0d97d3a2c9bbe1f1af93bda307790218b

SHA256
bf23542a44b679195b918d6d81a8c9249073adce461a1d067a5cb7d6f834a2bd

SHA512
59d4d2ce79cda4e3e8af92e8a0e5f83ee6d3dfd3edca46f0bfb2096f88621440e2838001970d2acba8b29109247fe257ced638290c9b579bdbf288e67e914977

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
a06f0e37a224c20fe0a3eb7bc13c4235

SHA1
cc587749fa0eba12d508df329fb91a703e1d73a9

SHA256
14013897e9d424b0c5d9cb2bc00a41adb0b733fdb00085ec0f3736b65a5eaf78

SHA512
249f92c6137bc5a77989957ca7856b27e7be889d4d161e9f4efdd5d3260d1621156afdb37b00e56775aaf9ea4a527ce21f41abc7076fc3afc1953f2941a917b7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
b38cfbcbd2506ec4ebac4c99c8793bd0

SHA1
7ddee9b156a01dbb068c2777acf795fca4c52b0b

SHA256
d95b8af1f473911c5d6950390ccaba5f4ce1cc8723c70851b0b44d696bf8fc8a

SHA512
0176acc00efc2e6ce543940924a409a884612c3711e658e8699411ff7cd2c574f7afce371863da206563eb363ef091e43d160ebbcad446cd320dca08bd37aa54

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
8dfc59bf1369f7f25b40faa93a4ab66e

SHA1
e4a280f6333388ca48727d98198aa2a3387cc4d1

SHA256
369e43332f981ee1cb19aeac61cf7a156cc4eb4989db5576f0a950a2a4fbb244

SHA512
1392bdd342b3ab67e1cc868939280f550e3d8e938af187c8b8c1b42ecdcc041fc0d6a5631d5cb45638a873ad5222c39051abe7066f84af04503712913876e9bf

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
2629955a387082e05aeffc1ec83f0e8b

SHA1
03e59b13caeb0a6be3f2db49fa0ae742b908a7ab

SHA256
f6b6f08f1c06debbf229c9454288ffdd5f9921f04e54fc41009683e4f4e3b537

SHA512
e237a784264636cbfc72274cc69245bd30f99a254e3d9d7d24d628ecb682c9fd073375e031659a5501788f9db86e1795ed7bc3002933d8ece8ea3dbc5af42475

Download Submit
\??\pipe\crashpad_1760_WZFFKMYGZODLOJGR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/176-194-0x0000000005741000-0x0000000005743000-memory.dmp

Filesize
8KB

Download
memory/176-196-0x0000000005B51000-0x0000000005B54000-memory.dmp

Filesize
12KB

Download
memory/208-216-0x0000000000000000-mapping.dmp

Download
memory/388-200-0x0000000000000000-mapping.dmp

Download
memory/652-214-0x0000000000000000-mapping.dmp

Download
memory/812-175-0x0000000000000000-mapping.dmp

Download
memory/844-173-0x0000000000000000-mapping.dmp

Download
memory/1028-197-0x0000000000000000-mapping.dmp

Download
memory/1264-190-0x0000000000000000-mapping.dmp

Download
memory/1316-205-0x0000000000000000-mapping.dmp

Download
memory/1504-198-0x0000000000000000-mapping.dmp

Download
memory/1828-164-0x0000000000000000-mapping.dmp

Download
memory/1864-228-0x0000000000000000-mapping.dmp

Download
memory/1900-199-0x0000000000000000-mapping.dmp

Download
memory/1912-209-0x0000000000000000-mapping.dmp

Download
memory/2128-222-0x0000000000000000-mapping.dmp

Download
memory/2324-202-0x0000000000000000-mapping.dmp

Download
memory/2340-204-0x0000000000000000-mapping.dmp

Download
memory/2664-163-0x0000000000000000-mapping.dmp

Download
memory/2864-187-0x0000000000000000-mapping.dmp

Download
memory/2892-167-0x0000000000000000-mapping.dmp

Download
memory/3008-181-0x0000000000000000-mapping.dmp

Download
memory/3148-211-0x0000000000000000-mapping.dmp

Download
memory/3224-179-0x0000000000000000-mapping.dmp

Download
memory/3228-160-0x0000000000000000-mapping.dmp

Download
memory/3272-207-0x0000000000000000-mapping.dmp

Download
memory/3320-169-0x0000000000000000-mapping.dmp

Download
memory/3896-183-0x0000000000000000-mapping.dmp

Download
memory/3896-201-0x0000000000000000-mapping.dmp

Download
memory/3904-177-0x0000000000000000-mapping.dmp

Download
memory/4132-218-0x0000000000000000-mapping.dmp

Download
memory/4132-165-0x0000000000000000-mapping.dmp

Download
memory/4196-185-0x0000000000000000-mapping.dmp

Download
memory/4320-224-0x0000000000000000-mapping.dmp

Download
memory/4340-233-0x0000000075290000-0x00000000752B6000-memory.dmp

Filesize
152KB

Download
memory/4544-220-0x0000000000000000-mapping.dmp

Download
memory/4776-135-0x0000000000000000-mapping.dmp

Download
memory/4900-189-0x0000000000000000-mapping.dmp

Download
memory/4948-171-0x0000000000000000-mapping.dmp

Download
memory/4956-161-0x0000000000000000-mapping.dmp

Download
memory/4976-155-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/4976-156-0x0000000007800000-0x0000000007808000-memory.dmp

Filesize
32KB

Download
memory/4976-150-0x0000000005C51000-0x0000000005C53000-memory.dmp

Filesize
8KB

Download
memory/4976-154-0x0000000007810000-0x0000000007818000-memory.dmp

Filesize
32KB

Download
memory/5008-192-0x00000000751F0000-0x0000000075216000-memory.dmp

Filesize
152KB

Download
memory/5008-212-0x00000000751F0000-0x0000000075216000-memory.dmp

Filesize
152KB

Download
memory/5016-226-0x0000000000000000-mapping.dmp

Download
memory/5116-162-0x0000000000000000-mapping.dmp

Download
memory/5228-234-0x0000000075290000-0x00000000752B6000-memory.dmp

Filesize
152KB

Download
memory/5348-229-0x0000000000000000-mapping.dmp

Download
memory/5408-230-0x0000000000000000-mapping.dmp

Download
memory/5612-231-0x0000000000000000-mapping.dmp

Download
memory/5868-232-0x0000000000000000-mapping.dmp

Download