Malware analysis CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup + CRACK.7z Malicious activity

Add for printing

File name:	CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup + CRACK.7z
Full analysis:	https://app.any.run/tasks/91c95286-8258-43dd-898c-1c5ec8323bd9
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	November 05, 2019, 22:41:08
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	60786B0F79EFE2995981BF45983688C7
SHA1:	947DDA7CB4F573E8AB0D50615E727C6BBF2AE5E5
SHA256:	7D2299757D9B670AB453DFC1C76D9EDF0F0E71D4CDD8F0E461973CD59EDFE170
SSDEEP:	196608:ENCbkiT7xiIu5Cs6yFz4iKbmhxHHmN4yDHruVYbmIM98/j:ENCb5vu5HPFM4eKI48/j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - ccsetup525pro.exe (PID: 3296)
  - ccsetup525pro.exe (PID: 1904)
  - ns3215.tmp (PID: 1248)
  - ns4FFE.tmp (PID: 776)
  - PF-Toolbar-2016.exe (PID: 584)
  - GoogleUpdate.exe (PID: 3948)
  - GoogleUpdateSetup_1.3.21.169.exe (PID: 2864)
  - googletoolbarinstaller_en_signed.exe (PID: 3044)
  - GoogleToolbarNotifier.exe (PID: 1048)
  - GoogleUpdaterService.exe (PID: 3008)
  - GoogleUpdaterService.exe (PID: 1316)
  - GoogleToolbarNotifier.exe (PID: 2824)
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 2248)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 504)
  - SearchWithGoogleUpdate_CA8A7236098B8F9A.exe (PID: 1416)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 2500)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3952)
  - CCleaner.exe (PID: 4092)
  - GoogleToolbarUser_32.exe (PID: 516)
  - GoogleToolbarNotifier.exe (PID: 2600)
  - GoogleUpdaterService.exe (PID: 4000)
  - CCleaner.exe (PID: 748)
  - GoogleToolbarNotifier.exe (PID: 2828)
  - CCleaner.exe (PID: 928)
  - CCleaner.exe (PID: 2528)
- Loads dropped or rewritten executable
  - ccsetup525pro.exe (PID: 1904)
  - PF-Toolbar-2016.exe (PID: 584)
  - GoogleUpdate.exe (PID: 3948)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 504)
  - GoogleToolbarNotifier.exe (PID: 1048)
  - GoogleToolbarNotifier.exe (PID: 2824)
  - CCleaner.exe (PID: 4092)
  - iexplore.exe (PID: 3372)
  - iexplore.exe (PID: 1948)
  - GoogleToolbarUser_32.exe (PID: 516)
  - svchost.exe (PID: 864)
  - GoogleToolbarNotifier.exe (PID: 2600)
  - explorer.exe (PID: 352)
  - GoogleToolbarNotifier.exe (PID: 2828)
  - SearchProtocolHost.exe (PID: 3416)
  - CCleaner.exe (PID: 928)
  - CCleaner.exe (PID: 2528)
- Actions looks like stealing of personal data
  - ccsetup525pro.exe (PID: 1904)
  - CCleaner.exe (PID: 928)
  - CCleaner.exe (PID: 2528)
- Changes settings of System certificates
  - msiexec.exe (PID: 3652)
- Loads the Task Scheduler DLL interface
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 2248)
  - GoogleUpdaterService.exe (PID: 1316)
- Loads the Task Scheduler COM API
  - CCleaner.exe (PID: 4092)
  - CCleaner.exe (PID: 748)
  - CCleaner.exe (PID: 2528)
- Changes the autorun value in the registry
  - CCleaner.exe (PID: 2528)
SUSPICIOUS
- Reads internet explorer settings
  - ccsetup525pro.exe (PID: 1904)
  - CCleaner.exe (PID: 928)
  - CCleaner.exe (PID: 2528)
- Starts application with an unusual extension
  - ccsetup525pro.exe (PID: 1904)
- Reads Internet Cache Settings
  - explorer.exe (PID: 352)
  - GoogleToolbarNotifier.exe (PID: 1048)
  - googletoolbarinstaller_en_signed.exe (PID: 3044)
- Creates files in the user directory
  - ccsetup525pro.exe (PID: 1904)
  - CCleaner.exe (PID: 928)
- Reads the cookies of Google Chrome
  - ccsetup525pro.exe (PID: 1904)
  - CCleaner.exe (PID: 928)
- Executable content was dropped or overwritten
  - GoogleUpdateSetup_1.3.21.169.exe (PID: 2864)
  - PF-Toolbar-2016.exe (PID: 584)
  - googletoolbarinstaller_en_signed.exe (PID: 3044)
  - ccsetup525pro.exe (PID: 1904)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 504)
  - GoogleUpdate.exe (PID: 2784)
  - msiexec.exe (PID: 3652)
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 2248)
  - SearchWithGoogleUpdate_CA8A7236098B8F9A.exe (PID: 1416)
  - DllHost.exe (PID: 3668)
- Reads the cookies of Mozilla Firefox
  - ccsetup525pro.exe (PID: 1904)
  - CCleaner.exe (PID: 928)
- Creates files in the program directory
  - GoogleUpdateSetup_1.3.21.169.exe (PID: 2864)
  - googletoolbarinstaller_en_signed.exe (PID: 3044)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 504)
  - GoogleUpdate.exe (PID: 2784)
  - GoogleUpdaterService_B33FC4DD36A473C6.exe (PID: 2248)
  - SearchWithGoogleUpdate_CA8A7236098B8F9A.exe (PID: 1416)
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 3952)
  - ccsetup525pro.exe (PID: 1904)
  - DllHost.exe (PID: 3668)
- Searches for installed software
  - ccsetup525pro.exe (PID: 1904)
- Creates COM task schedule object
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 504)
  - GoogleToolbarNotifier.exe (PID: 2824)
- Creates a software uninstall entry
  - GoogleToolbarManager_8B0481A9A34D47CD.exe (PID: 504)
  - ccsetup525pro.exe (PID: 1904)
- Adds / modifies Windows certificates
  - msiexec.exe (PID: 3652)
- Executed via COM
  - GoogleToolbarNotifier.exe (PID: 1048)
  - GoogleToolbarNotifier.exe (PID: 2600)
  - GoogleUpdateOnDemand.exe (PID: 2528)
  - GoogleToolbarNotifier.exe (PID: 2828)
  - DllHost.exe (PID: 3668)
  - unsecapp.exe (PID: 4048)
- Modifies the open verb of a shell class
  - ccsetup525pro.exe (PID: 1904)
- Application launched itself
  - GoogleUpdate.exe (PID: 2784)
  - CCleaner.exe (PID: 928)
- Starts Internet Explorer
  - ccsetup525pro.exe (PID: 1904)
- Executed as Windows Service
  - GoogleUpdaterService.exe (PID: 4000)
- Executed via Task Scheduler
  - CCleaner.exe (PID: 928)
INFO
- Manual execution by user
  - ccsetup525pro.exe (PID: 3296)
  - ccsetup525pro.exe (PID: 1904)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3652)
- Application launched itself
  - iexplore.exe (PID: 3372)
- Changes internet zones settings
  - iexplore.exe (PID: 3372)
- Reads internet explorer settings
  - iexplore.exe (PID: 1948)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 1948)
- Creates files in the user directory
  - iexplore.exe (PID: 1948)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

352

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

504

"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_8B0481A9A34D47CD.exe" /install /sid:S-1-5-21-1302019708-1500728564-335382590-1000 /q /expon:PUMA /installerdata="C:\Users\admin\AppData\Local\Temp\gui7DB1.tmp" /d:ask /h:ask2 /r:PRFD /e:asknot

C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_8B0481A9A34D47CD.exe

googletoolbarinstaller_en_signed.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Toolbar Manager

Exit code:

Version:

7, 5, 8231, 2252

Modules

Images
c:\program files\google\google toolbar\component\googletoolbarmanager_8b0481a9a34d47cd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

516

"C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe" /medium

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

iexplore.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Toolbar Broker

Exit code:

Version:

7, 5, 8231, 2252

Modules

Images
c:\program files\google\google toolbar\googletoolbaruser_32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

584

C:\Users\admin\AppData\Local\Temp\nsa2CD4.tmp\g\PF-Toolbar-2016.exe

ccsetup525pro.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Toolbar installer

Exit code:

Version:

1.0.0.5

Modules

Images
c:\users\admin\appdata\local\temp\nsa2cd4.tmp\g\pf-toolbar-2016.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

748

"C:\Program Files\CCleaner\CCleaner.exe"

C:\Program Files\CCleaner\CCleaner.exe

—

explorer.exe

User:

admin

Company:

Piriform Ltd

Integrity Level:

MEDIUM

Description:

CCleaner

Exit code:

Version:

5, 25, 00, 5902

Modules

Images
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

776

"C:\Users\admin\AppData\Local\Temp\nsa2CD4.tmp\ns4FFE.tmp" ping -n 1 -w 5000 www.piriform.com

C:\Users\admin\AppData\Local\Temp\nsa2CD4.tmp\ns4FFE.tmp

—

ccsetup525pro.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\nsa2cd4.tmp\ns4ffe.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

864

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

928

"C:\Program Files\CCleaner\CCleaner.exe" /uac

C:\Program Files\CCleaner\CCleaner.exe

taskeng.exe

User:

admin

Company:

Piriform Ltd

Integrity Level:

HIGH

Description:

CCleaner

Exit code:

Version:

5, 25, 00, 5902

Modules

Images
c:\program files\ccleaner\ccleaner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

932

"C:\Program Files\Google\Update\GoogleUpdate.exe" /ondemand

C:\Program Files\Google\Update\GoogleUpdate.exe

—

GoogleUpdateOnDemand.exe

User:

admin

Company:

Google Inc.

Integrity Level:

HIGH

Description:

Google Installer

Exit code:

Version:

1.3.33.23

Modules

Images
c:\program files\google\update\googleupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

1048

"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" -Embedding

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

svchost.exe

User:

admin

Company:

Google Inc.

Integrity Level:

MEDIUM

Description:

GoogleToolbarNotifier

Exit code:

Version:

4, 1, 509, 1944

Modules

Images
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\google\googletoolbarnotifier\5.12.11510.1228\gtn.dll
c:\windows\system32\user32.dll

Add for printing

Total events

8 035

Read events

5 907

Write events

2 092

Delete events

Modification events


(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup + CRACK.7z
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2816) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(352) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\OpenWithList
Operation:	write	Name:	a
Value: WinRAR.exe
(PID) Process:	(352) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\OpenWithList
Operation:	write	Name:	MRUList
Value: a

Add for printing

Executable files

227

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.20981\CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup\crack_files\CCleaner.dat		—
		MD5:—	SHA256:—
2816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.20981\CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup\instructions.txt		—
		MD5:—	SHA256:—
2816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.20981\CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup\ccsetup525pro.exe		—
		MD5:—	SHA256:—
2816	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.20981\CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup\crack_files\branding.dll		—
		MD5:—	SHA256:—
352	explorer.exe	C:\Users\admin\Desktop\crack_files		—
		MD5:—	SHA256:—
352	explorer.exe	C:\Users\admin\Desktop\ccsetup525pro.exe		executable
		MD5:—	SHA256:—
864	svchost.exe	C:\Windows\appcompat\programs\RecentFileCache.bcf		txt
		MD5:—	SHA256:—
1904	ccsetup525pro.exe	C:\Users\admin\AppData\Local\Temp\nsa2CD4.tmp\g\gtapi_signed.dll		executable
		MD5:61BC40D1FAD9E0FAA9A07219B90BA0E4	SHA256:89E157A4F61D7D18180CB7F901C0095DA3B7A5CC5A9FD58D710099E5F0EE505A
352	explorer.exe	C:\Users\admin\Desktop\instructions.txt		text
		MD5:—	SHA256:—
1904	ccsetup525pro.exe	C:\Users\admin\AppData\Local\Temp\nsa2CD4.tmp\g\gtb\toolbar_1030.html		html
		MD5:EEC37C801A59BB89B409E3C3CBF4101D	SHA256:ACC3EE3D19F641C81F07E39618B8E8EC3A9943F129E444037D3971E111DDED49

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1948	iexplore.exe	GET	301	151.101.0.64:80	http://www.piriform.com/go/app_releasenotes?p=1&v=5.25.5902&l=1033&b=1&a=3	US	—	—	whitelisted
—	—	HEAD	200	216.58.205.238:80	http://dl.google.com/dl/toolbar/t7/data/7.5.8231.2252/googletoolbarinstaller_en_signed.exe	US	—	—	whitelisted
2600	GoogleToolbarNotifier.exe	GET	—	172.217.22.78:80	http://clients1.google.com/tools/swg2/update?type=c&as=swg&os=win-u&osv=6.1.7601&hl=en&ie=8.0.7601.17514&ds=0&pds=0&su=0&hpi=-1&brand=PRFD&pa=0&cl=1&tbv=7.5.8231.2252&id=0658ad3c32bf4aa0acfae528b41799c2035b210cbd&from=&to=5.12.11510.1228	US	—	—	whitelisted
1948	iexplore.exe	GET	302	172.217.21.238:80	http://toolbar.google.com/tbredir?r=ie8am&l=en&sd=com&v=7.5	US	html	254 b	whitelisted
1948	iexplore.exe	GET	200	172.217.22.78:80	http://clients4.google.com/toolbar/ie8/accelerators/intl/en/manifest.txt	US	—	—	whitelisted
1948	iexplore.exe	GET	200	172.217.21.238:80	http://toolbar.google.com/buttons/feeds/topbuttons/?hl=en&sd=com	US	html	2.30 Kb	whitelisted
3044	googletoolbarinstaller_en_signed.exe	GET	200	172.217.22.78:80	http://clients1.google.com/tools/pso/ping?as=tbin&gu=pi&mode=3&sin=1&ein=0&version=7.5.8231.2252&brand=PRFD&hl=en&tbiv=7.5.8231.2252&time=1572993752&fitime=1572993752&browser=8.0.7601.17514&osver=6.1&ossp=1.0&osarch=32&ext=EXE&id=3A84784EC97F302EF2437A9FBE1993DDA0A39EkEVTZ	US	text	2 b	whitelisted
1904	ccsetup525pro.exe	GET	200	151.101.0.64:80	http://service.piriform.com/installcheck.aspx?p=1&v=5.25.5902&vx=5.35.6210&l=1033&b=1&o=6.1W3&g=1&i=1&a=3&e=0&n=ccsetup525pro.exe&id=301	US	text	4 b	whitelisted
516	GoogleToolbarUser_32.exe	GET	200	172.217.22.78:80	http://clients1.google.com/tools/pso/ping?as=tbie&brand=PRFD&pid=&hl=en&events=T4I,R7I&rep=2&rlz=I7:,W1:,T4:1T4PRFD_enNO874,R7:&dcc=R2:1R2PRFD_enNO874,T4:1T4PRFD_enNO874&id=4E3014F88A1776A95D57E2AE3211A742FF35E455C4BA364784	US	text	319 b	whitelisted
3372	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1904	ccsetup525pro.exe	151.101.0.64:443	www.piriform.com	Fastly	US	whitelisted
4024	GoogleUpdate.exe	172.217.16.131:443	update.googleapis.com	Google Inc.	US	whitelisted
2784	GoogleUpdate.exe	172.217.16.131:443	update.googleapis.com	Google Inc.	US	whitelisted
—	—	216.58.205.238:80	dl.google.com	Google Inc.	US	whitelisted
1048	GoogleToolbarNotifier.exe	172.217.22.78:80	clients1.google.com	Google Inc.	US	whitelisted
3044	googletoolbarinstaller_en_signed.exe	172.217.22.78:80	clients1.google.com	Google Inc.	US	whitelisted
3312	GoogleUpdate.exe	172.217.16.131:443	update.googleapis.com	Google Inc.	US	whitelisted
1904	ccsetup525pro.exe	151.101.0.64:80	www.piriform.com	Fastly	US	whitelisted
1948	iexplore.exe	151.101.0.64:80	www.piriform.com	Fastly	US	whitelisted
1948	iexplore.exe	151.101.2.202:443	www.ccleaner.com	Fastly	US	suspicious

DNS requests

Domain	IP	Reputation
www.piriform.com	151.101.0.64 151.101.64.64 151.101.128.64 151.101.192.64	whitelisted
update.googleapis.com	172.217.16.131	whitelisted
dl.google.com	216.58.205.238	whitelisted
clients1.google.com	172.217.22.78	whitelisted
service.piriform.com	151.101.0.64 151.101.64.64 151.101.128.64 151.101.192.64	whitelisted
www.ccleaner.com	151.101.2.202 151.101.66.202 151.101.130.202 151.101.194.202	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
toolbar.google.com	172.217.21.238	whitelisted
translate.google.com	216.58.205.238	whitelisted
clients4.google.com	172.217.22.78	whitelisted

Threats

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

Process	Message
GoogleUpdate.exe	LOG_SYSTEM: [GoogleUpdate:goopdate]: ERROR - Cannot create ETW log writer

General Info

CCleaner Professional Plus v5.25.0.5902 x86-x64 Setup + CRACK.7z

60786B0F79EFE2995981BF45983688C7

947DDA7CB4F573E8AB0D50615E727C6BBF2AE5E5

7D2299757D9B670AB453DFC1C76D9EDF0F0E71D4CDD8F0E461973CD59EDFE170

196608:ENCbkiT7xiIu5Cs6yFz4iKbmhxHHmN4yDHruVYbmIM98/j:ENCb5vu5HPFM4eKI48/j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Actions looks like stealing of personal data

Changes settings of System certificates

Loads the Task Scheduler DLL interface

Loads the Task Scheduler COM API

Changes the autorun value in the registry

SUSPICIOUS

Reads internet explorer settings

Starts application with an unusual extension

Reads Internet Cache Settings

Creates files in the user directory

Reads the cookies of Google Chrome

Executable content was dropped or overwritten

Reads the cookies of Mozilla Firefox

Creates files in the program directory

Searches for installed software

Creates COM task schedule object

Creates a software uninstall entry

Adds / modifies Windows certificates

Executed via COM

Modifies the open verb of a shell class

Application launched itself

Starts Internet Explorer

Executed as Windows Service

Executed via Task Scheduler

INFO

Manual execution by user

Creates a software uninstall entry

Application launched itself

Changes internet zones settings

Reads internet explorer settings

Reads Internet Cache Settings

Creates files in the user directory

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests