e61e4307479b59fff371109891bea3b99b1a59c35cc6aae6b70eb067fac28a19

Resubmissions

18-10-2022 22:20

221018-18773sdhh4 8

03-10-2022 07:47

221003-jmlcradge5 8

Analysis

max time kernel
127s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner 6.00.9727 (x64) Professional Edition Multilingual/ccsetup600pro.exe
Size

46.5MB
MD5

9a991c5bc89c23008a67f5e419348f61
SHA1

3c16710b775648009d371e8315d2f1e4dbf3e157
SHA256

67da9a2829a99e9392817d1b7092d77b7416d4b1c1581a8ecea1c53a6d8060b6
SHA512

f5d47c9175aee4b3948af9f781a490b84f0ebf30d94d93c3192dc57ad7cdd52d9221f3ebe647cc2de40aaf8ac2f74aec6e6e1f19c3cfceb8f770836d565feb50
SSDEEP

786432:Y7T+cuipUg01kfCRrr6p7411oscDHWOIqkeePWO0M8aAKh3YGJazY1/eQn6I9bf+:Y+JaV02fCRrO5Ijczva8an3YGJazWeI0

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

CCleaner64.exeCCUpdate.exeCCUpdate.exeCCleaner64.exe

pid process

952 CCleaner64.exe
268 CCUpdate.exe
1348 CCUpdate.exe
828 CCleaner64.exe

pid	process
952	CCleaner64.exe
268	CCUpdate.exe
1348	CCUpdate.exe
828	CCleaner64.exe

Loads dropped DLL 38 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exeCCleaner64.exeCCUpdate.exeCCleaner64.exe

pid	process
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
1256
1256
1256
1256
560	ccsetup600pro.exe
1256
1256
560	ccsetup600pro.exe
268	CCUpdate.exe
268	CCUpdate.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
268	CCUpdate.exe
1348	CCUpdate.exe
1348	CCUpdate.exe
1348	CCUpdate.exe
1348	CCUpdate.exe
1348	CCUpdate.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CCUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ccleaner_update_helper = "C:\\Program Files\\CCleaner\\ccleaner_update_helper.exe"	CCUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

ccsetup600pro.exeCCUpdate.exeCCUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup600pro.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exe

description	ioc	process
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1042.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1055.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1067.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1081.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1052.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1090.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1057.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\Setup\3ec129d2-972a-4fff-b5fb-913450e874e2	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\CCUpdate.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\autotrial.dat	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1034.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1040.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1065.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1079.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2052.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1036.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1058.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1060.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1046.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerDU.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\uninst.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleaner64.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\branding.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2074.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1109.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1155.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.dll	ccsetup600pro.exe
File opened for modification	C:\Program Files\CCleaner\Setup\3ec129d2-972a-4fff-b5fb-913450e874e2\ccleaner_update_helper.exe	CCUpdate.exe
File created	C:\Program Files\CCleaner\Lang\lang-1048.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-5146.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1027.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1029.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1037.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1041.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1031.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1043.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1059.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-2070.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Setup\feeeab8c-cb98-4cdb-9438-44e5f811569c.ini	CCUpdate.exe
File opened for modification	C:\Program Files\CCleaner\Setup\3ec129d2-972a-4fff-b5fb-913450e874e2\update.xml	CCUpdate.exe
File created	C:\Program Files\CCleaner\CCleanerReactivator.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1045.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1053.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1063.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1068.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1056.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1092.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1093.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1104.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\CCleaner.exe	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1026.dll	ccsetup600pro.exe
File created	C:\Program Files\CCleaner\Lang\lang-1035.dll	ccsetup600pro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup600pro.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup600pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup600pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup600pro.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

ccsetup600pro.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT	ccsetup600pro.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe

Modifies registry class 27 IoCs

Processes:

ccsetup600pro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\ = "URL: CCleaner Protocol"	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Software\Piriform\CCleaner	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /AUTORB"	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...\command\ = "C:\\Program Files\\CCleaner\\ccleaner.exe /FRB"	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Piriform	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Open CCleaner...	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	ccsetup600pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Piriform\CCleaner\UpdateBackground = "1"	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\Run CCleaner\command	ccsetup600pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\ = "\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /%1"	ccsetup600pro.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\SOFTWARE\Piriform\CCleaner	ccsetup600pro.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ccsetup600pro.exeCCleaner64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CCleaner64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ccsetup600pro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	ccsetup600pro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

ccsetup600pro.exeCCleaner64.exeCCleaner64.exe

pid	process
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
560	ccsetup600pro.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
952	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe
828	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exeCCUpdate.exe

description	pid	process
Token: SeManageVolumePrivilege	560	ccsetup600pro.exe
Token: SeManageVolumePrivilege	560	ccsetup600pro.exe
Token: SeRestorePrivilege	560	ccsetup600pro.exe
Token: SeShutdownPrivilege	268	CCUpdate.exe
Token: SeShutdownPrivilege	1348	CCUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ccsetup600pro.exe

pid process

560 ccsetup600pro.exe
560 ccsetup600pro.exe
560 ccsetup600pro.exe
560 ccsetup600pro.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ccsetup600pro.exeCCUpdate.exe

description	pid	process	target process
PID 560 wrote to memory of 952	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 952	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 952	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 952	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 560 wrote to memory of 268	560	ccsetup600pro.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 268 wrote to memory of 1348	268	CCUpdate.exe	CCUpdate.exe
PID 560 wrote to memory of 828	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 828	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 828	560	ccsetup600pro.exe	CCleaner64.exe
PID 560 wrote to memory of 828	560	ccsetup600pro.exe	CCleaner64.exe

C:\Users\Admin\AppData\Local\Temp\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner 6.00.9727 (x64) Professional Edition Multilingual\ccsetup600pro.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\8ac22ef8-0202-48f6-a71f-fded5c02c997.dll"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
C:\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
C:\Program Files\CCleaner\Setup\8ac22ef8-0202-48f6-a71f-fded5c02c997.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
84d36e806b68aa8b20caa535d98a5a60

SHA1
e80366058cf790031ba38faa1ee6f4a2db052be1

SHA256
766bd6c5f4c4a032b5a087e868fa0a7b80849218e80cfc2e32ee178148d272ff

SHA512
2becb6351f9afdddbfdf036bc8ba861c78b9796b3e9ac6d1c5590681ae91c4327b1376de01636c698928282a03607fad574b1244672f9bf599c270da1ccd172b

Download Submit
\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
\Program Files\CCleaner\CCUpdate.exe
Filesize
668KB

MD5
21d34c75fd0b462067d408ba8b6bf765

SHA1
4047539c78ae99bd7cf7760ce137b9878174fa04

SHA256
721ee7b402ce1ea6a69ed90f2501dfa003725d1135136ac88762307ad0f426c0

SHA512
f0754b3007f9dd2bfec14b33697dfaf9c75e637df3fa85c490e9cbe762db388696ae06c9e81bec195cd7d3d773f9e928e3fe76e597fb63bf3fc50b63e9d5eedd

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner.exe
Filesize
29.5MB

MD5
7fde833f40f09bdaef889aa5d9378d2c

SHA1
61c9d7c79d51a4b35801d4306106fd50a0131b61

SHA256
11f1899608c861ced170456ab16a5e1aaa88b95d87d8d9e7ff1fd4251873892d

SHA512
551032a3a1213b340a1a250a286d24a1856c86256deb747398b5c8cfecc46a06720669ffb4732f904238dbb2fed9269a7f9080f39f55ad31d4729129dbe21084

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\CCleaner64.exe
Filesize
35.1MB

MD5
568a338f8628dc9ad35339bb483d1d39

SHA1
8c2c4b83213c41f7569ba2bcf73497984f8c2ac6

SHA256
7528c1be789ade6081fa33f89f2f68fc0c05455d446353851ad52ee87e590a71

SHA512
c9839855ef214372fc1cf13c27214213add580515d0b046dd2866f227927a8c0994776ca5423224d85413a2bba4de49f1c0227af2081387933dd5574d8d22da5

Download Submit
\Program Files\CCleaner\Setup\8ac22ef8-0202-48f6-a71f-fded5c02c997.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Program Files\CCleaner\branding.dll
Filesize
46KB

MD5
e4807cd4c9baf74c2b4fc0812c43db75

SHA1
5484e4bd75c713d13e3efeda17c57a574fad5396

SHA256
8331b56f1bcfe5c619eeac9c644688b6ecfbdc755dcb9fed12a64937220aba22

SHA512
f4b19cd749ff38bdefda9f89730bd3fe29d14e68d7d72dd5530268aa77f9d328194282b3050b39008f43b903a8b2ba8f77cf25362b4a7c0bdab17f6e5f894fcf

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\ButtonEvent.dll
Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\System.dll
Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\UserInfo.dll
Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\inetc.dll
Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\nsDialogs.dll
Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\p\ServiceUninstaller.dll
Filesize
216KB

MD5
336be1527375fb853b4e7c99a1bbcf8f

SHA1
10f125650507dda84e49e350897a3b36258e2e69

SHA256
37a3290799e3e6650996af1c40e29b779840f9010d4d40dd7ee1cada337668e7

SHA512
eadeafdef2fd4d0baa8a8868805e0cd68e48a4bd73e4212a2c671c719d84d5198179e99df86edf1dc300f0a6a546fde2f9525dbd5d19b26ca04056bbfcbe9dbe

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\p\pfBL.dll
Filesize
10.4MB

MD5
8ee717b1ec6d2a35cc822bbefaaf4869

SHA1
dcec8360fb20c736b31b5aa45f895cc0195ffde1

SHA256
459d1a6e88410bdb8f286fb0001ecff79ab87b9555e9266d3cfeb391b1f32077

SHA512
9b8762999cf5c86491f058a26c4f7505f03096cf2674b95db6c713e9d55ca24dbd33b283590ce0a037150870ce5b7f0b2630244e424cb1b630f884626e509e64

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDE8.tmp\ui\pfUI.dll
Filesize
14.8MB

MD5
8c8ea8e14bfe3ed07b8cd258a7cea642

SHA1
88f18522dc53cf35abbd4d5fe45e55c367ea74db

SHA256
9b29d3a555f66aa4ca156216653a657250732eecee4134ba5a2f4a46a8c7835a

SHA512
b8671c803621fcaab92add6229863fb56862cd7e0d6051ddbee3240fdd7bf68651f67faae81275e1d948988b52352fc2c1ae3369e04c15f9f9d0899bfa8af1d4

Download Submit
memory/268-127-0x0000000000000000-mapping.dmp

Download
memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/560-68-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/560-62-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/828-151-0x0000000000000000-mapping.dmp

Download
memory/952-126-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download
memory/952-119-0x0000000000000000-mapping.dmp

Download
memory/1348-142-0x0000000000000000-mapping.dmp

Download