Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [<HKLM>\Software\Classes\cclaunch\shell\open\command] '' = '"%ProgramFiles%\CCleaner\ccleaner.exe" /%1'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'CCleaner Smart Cleaning' = '"%ProgramFiles%\CCleaner\CCleaner64.exe" /MONITOR'
Создает или изменяет следующие файлы
- <SYSTEM32>\tasks\ccleaner update
- <SYSTEM32>\tasks\ccleanerskipuac
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /F /IM CCleaner.exe /T
- '%WINDIR%\syswow64\taskkill.exe' /F /IM CCleaner64.exe /T
Ищет ветки реестра, отвечающие за хранение паролей сторонними программами
- [<HKCU>\Software\Headlight\GetRight\]
- [<HKLM>\SOFTWARE\FileZilla Client]
- [<HKLM>\SOFTWARE\Wow6432Node\FileZilla Client]
- [<HKCU>\SOFTWARE\FileZilla Client]
- [<HKCU>\Software\RIT\The Bat!]
Читает файлы, отвечающие за хранение паролей сторонними программами
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\aut3707.tmp
- %ProgramFiles%\ccleaner\lang\lang-1093.dll
- %ProgramFiles%\ccleaner\lang\lang-1092.dll
- %ProgramFiles%\ccleaner\lang\lang-1090.dll
- %ProgramFiles%\ccleaner\lang\lang-1087.dll
- %ProgramFiles%\ccleaner\lang\lang-1086.dll
- %ProgramFiles%\ccleaner\lang\lang-1081.dll
- %ProgramFiles%\ccleaner\lang\lang-1071.dll
- %ProgramFiles%\ccleaner\lang\lang-1079.dll
- %ProgramFiles%\ccleaner\lang\lang-1068.dll
- %ProgramFiles%\ccleaner\lang\lang-1067.dll
- %ProgramFiles%\ccleaner\lang\lang-1102.dll
- %ProgramFiles%\ccleaner\lang\lang-1066.dll
- %ProgramFiles%\ccleaner\lang\lang-1063.dll
- %ProgramFiles%\ccleaner\lang\lang-1062.dll
- %ProgramFiles%\ccleaner\lang\lang-1061.dll
- %ProgramFiles%\ccleaner\lang\lang-1060.dll
- %ProgramFiles%\ccleaner\lang\lang-1059.dll
- %ProgramFiles%\ccleaner\lang\lang-1058.dll
- %ProgramFiles%\ccleaner\lang\lang-1057.dll
- %ProgramFiles%\ccleaner\lang\lang-1056.dll
- %ProgramFiles%\ccleaner\lang\lang-1055.dll
- %ProgramFiles%\ccleaner\lang\lang-1054.dll
- %ProgramFiles%\ccleaner\lang\lang-1065.dll
- %ProgramFiles%\ccleaner\uninst.exe
- %APPDATA%\thunderbird\profiles\wjj9aet2.default\cookies.sqlite-shm
- %ProgramFiles%\ccleaner\lang\lang-1110.dll
- %ProgramFiles%\ccleaner\setup\d4e47b35-9706-44cb-b788-7b49579a89c3.xml
- %TEMP%\aswa66ffa7288a10816.tmp
- %TEMP%\asw46aba1281dbbacc7.tmp
- %TEMP%\asw474fbcaa1a3b7b68.tmp
- %ProgramFiles%\ccleaner\gcapi_dll.dll
- %ProgramFiles%\ccleaner\setup\726c3fa1-8d68-4e53-843c-e226fbdca2bf.dll
- %ProgramFiles%\ccleaner\setup\676d0fbe-203a-4eaa-8157-c0f4ab37ef4f.ini
- %HOMEPATH%\desktop\download free full programs\byemir candan - youtube channel.url
- %HOMEPATH%\desktop\download free full programs\facebook grups free full programs.url
- %HOMEPATH%\desktop\download free full programs\web site download free full programs.url
- %ProgramFiles%\ccleaner\lang\lang-1053.dll
- %HOMEPATH%\desktop\download free full programs\important note.txt
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ccleaner\ccleaner homepage.url
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ccleaner\ccleaner.lnk
- C:\users\public\desktop\ccleaner.lnk
- %ProgramFiles%\ccleaner\lang\lang-9999.dll
- %ProgramFiles%\ccleaner\lang\lang-5146.dll
- %ProgramFiles%\ccleaner\lang\lang-3098.dll
- %ProgramFiles%\ccleaner\lang\lang-2074.dll
- %ProgramFiles%\ccleaner\lang\lang-2070.dll
- %ProgramFiles%\ccleaner\lang\lang-2052.dll
- %ProgramFiles%\ccleaner\lang\lang-1155.dll
- %ProgramFiles%\ccleaner\lang\lang-1104.dll
- %ProgramFiles%\ccleaner\lang\lang-1109.dll
- %ProgramFiles%\ccleaner\lang\lang-1052.dll
- %ProgramFiles%\ccleaner\ccupdate.exe
- %TEMP%\nss70ae.tmp\nsprocess.dll
- %TEMP%\nss70ae.tmp\ui\pfui.dll
- %TEMP%\nss70ae.tmp\p\pfbl.dll
- %TEMP%\nss70ae.tmp\userinfo.dll
- %TEMP%\nss70ae.tmp\system.dll
- %TEMP%\nsn708e.tmp
- %ProgramFiles%\ccleaner\ccleaner.dat
- C:\gecici_proje_klasoru\temp.vbs
- %TEMP%\aut41e6.tmp
- C:\gecici_proje_klasoru\r.vbs
- %TEMP%\nss70ae.tmp\inetc.dll
- %TEMP%\aut41d6.tmp
- %TEMP%\aut41b6.tmp
- C:\gecici_proje_klasoru\e.exe
- %TEMP%\aut4167.tmp
- C:\gecici_proje_klasoru\cctrialsetup.exe
- %TEMP%\aut3748.tmp
- C:\gecici_proje_klasoru\ccrun.vbs
- %TEMP%\aut3737.tmp
- C:\gecici_proje_klasoru\k.png
- %TEMP%\aut3727.tmp
- C:\gecici_proje_klasoru\grey.gif
- C:\gecici_proje_klasoru\m.exe
- %ProgramFiles%\ccleaner\lang\lang-1036.dll
- %ProgramFiles%\ccleaner\lang\lang-1050.dll
- %ProgramFiles%\ccleaner\branding.dll
- %ProgramFiles%\ccleaner\lang\lang-1049.dll
- %ProgramFiles%\ccleaner\lang\lang-1048.dll
- %ProgramFiles%\ccleaner\lang\lang-1046.dll
- %ProgramFiles%\ccleaner\lang\lang-1045.dll
- %ProgramFiles%\ccleaner\lang\lang-1044.dll
- %ProgramFiles%\ccleaner\lang\lang-1043.dll
- %ProgramFiles%\ccleaner\lang\lang-1042.dll
- %ProgramFiles%\ccleaner\lang\lang-1041.dll
- %ProgramFiles%\ccleaner\lang\lang-1040.dll
- %ProgramFiles%\ccleaner\lang\lang-1038.dll
- %ProgramFiles%\ccleaner\lang\lang-1051.dll
- %ProgramFiles%\ccleaner\lang\lang-1037.dll
- %ProgramFiles%\ccleaner\lang\lang-1035.dll
- %ProgramFiles%\ccleaner\lang\lang-1034.dll
- %ProgramFiles%\ccleaner\lang\lang-1032.dll
- %ProgramFiles%\ccleaner\lang\lang-1031.dll
- %ProgramFiles%\ccleaner\lang\lang-1030.dll
- %ProgramFiles%\ccleaner\lang\lang-1029.dll
- %ProgramFiles%\ccleaner\lang\lang-1028.dll
- %ProgramFiles%\ccleaner\lang\lang-1027.dll
- %ProgramFiles%\ccleaner\lang\lang-1026.dll
- %ProgramFiles%\ccleaner\lang\lang-1025.dll
- %ProgramFiles%\ccleaner\ccleaner64.exe
- %APPDATA%\thunderbird\profiles\wjj9aet2.default\webappsstore.sqlite-shm
Присваивает атрибут 'скрытый' для следующих файлов
- C:\gecici_proje_klasoru\m.exe
- C:\gecici_proje_klasoru\e.exe
- C:\gecici_proje_klasoru\k.png
Удаляет следующие файлы
- %TEMP%\aut3707.tmp
- %ProgramFiles%\ccleaner\setup\d4e47b35-9706-44cb-b788-7b49579a89c3.xml
- %ProgramFiles%\ccleaner\setup\726c3fa1-8d68-4e53-843c-e226fbdca2bf.dll
- %TEMP%\aswa66ffa7288a10816.tmp
- C:\gecici_proje_klasoru\temp.vbs
- C:\gecici_proje_klasoru\r.vbs
- C:\gecici_proje_klasoru\m.exe
- C:\gecici_proje_klasoru\k.png
- C:\gecici_proje_klasoru\grey.gif
- C:\gecici_proje_klasoru\e.exe
- C:\gecici_proje_klasoru\cctrialsetup.exe
- C:\gecici_proje_klasoru\ccrun.vbs
- %TEMP%\asw46aba1281dbbacc7.tmp
- %TEMP%\asw474fbcaa1a3b7b68.tmp
- %APPDATA%\thunderbird\profiles\wjj9aet2.default\cookies.sqlite-shm
- %ProgramFiles%\ccleaner\gcapi_1614294345732.dll
- %TEMP%\nss70ae.tmp\userinfo.dll
- %TEMP%\nss70ae.tmp\ui\pfui.dll
- %TEMP%\nss70ae.tmp\system.dll
- %TEMP%\nss70ae.tmp\p\pfbl.dll
- %TEMP%\nss70ae.tmp\nsprocess.dll
- %TEMP%\nss70ae.tmp\inetc.dll
- %TEMP%\aut41e6.tmp
- %TEMP%\aut41d6.tmp
- %TEMP%\aut41b6.tmp
- %TEMP%\aut4167.tmp
- %TEMP%\aut3748.tmp
- %TEMP%\aut3737.tmp
- %TEMP%\aut3727.tmp
- %ProgramFiles%\ccleaner\setup\676d0fbe-203a-4eaa-8157-c0f4ab37ef4f.ini
- %APPDATA%\thunderbird\profiles\wjj9aet2.default\webappsstore.sqlite-shm
Перемещает следующие файлы
- %ProgramFiles%\ccleaner\gcapi_dll.dll в %ProgramFiles%\ccleaner\gcapi_1614294345732.dll
- %ProgramFiles%\ccleaner\gcapi_dll.dll в %ProgramFiles%\ccleaner\gcapi_16142943461572.dll
- %ProgramFiles%\ccleaner\gcapi_dll.dll в %ProgramFiles%\ccleaner\gcapi_16142943541200.dll
Изменяет следующие файлы
Подменяет следующие файлы
- %ProgramFiles%\ccleaner\gcapi_dll.dll
Сетевая активность
Подключается к
- 'an#####cs.ff.avast.com':443
- 'se#####.piriform.com':80
- 'li######api.ccleaner.com':443
- 'microsoft.com':80
- 'sh#####d.ff.avast.com':443
- 'ip#####.ff.avast.com':443
- 'em####te.avcdn.net':80
- 'cc######.tools.avcdn.net':80
- 'nc#.#vast.com':80
- 'go#####analytics.com':80
- 'cc###ner.com':80
- 'li#####.piriform.com':443
- 'ip######ider.ff.avast.com':443
- 'oc##.#tartssl.com':80
TCP
Запросы HTTP GET
- http://cc######.tools.avcdn.net/tools/ccleaner/update/20180205.dll
- http://www.go#####analytics.com/collect?v=############################################################################################################################################
- http://www.go#####analytics.com/collect?v=########################################################################################################################################
- http://cc######.tools.avcdn.net/tools/ccleaner/update/updates.xml
UDP
- DNS ASK an#####cs.ff.avast.com
- DNS ASK se#####.piriform.com
- DNS ASK li######api.ccleaner.com
- DNS ASK microsoft.com
- DNS ASK sh#####d.ff.avast.com
- DNS ASK ip#####.ff.avast.com
- DNS ASK em####te.avcdn.net
- DNS ASK cc######.tools.avcdn.net
- DNS ASK nc#.#vast.com
- DNS ASK go#####analytics.com
- DNS ASK cc###ner.com
- DNS ASK li#####.piriform.com
- DNS ASK ip######ider.ff.avast.com
- DNS ASK oc##.#tartssl.com
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'PiriformRegistration' WindowName: ''
- ClassName: '#32770' WindowName: 'CCleaner'
- ClassName: '#32770' WindowName: 'Piriform CCleaner'
- ClassName: 'ThunderRT6FormDC' WindowName: 'CCleaner'
- ClassName: 'PiriformCCleaner' WindowName: ''
- ClassName: '#32770' WindowName: ''
Создает и запускает на исполнение
- '%WINDIR%\syswow64\wscript.exe' "C:\gecici_proje_klasoru\R.vbs"
- '%WINDIR%\syswow64\wscript.exe' "C:\gecici_proje_klasoru\Temp.vbs"
- '%ProgramFiles%\ccleaner\ccleaner64.exe'
- 'C:\gecici_proje_klasoru\e.exe'
- '%WINDIR%\syswow64\wscript.exe' "C:\gecici_proje_klasoru\CCrun.vbs"
- '%ProgramFiles%\ccleaner\ccupdate.exe' /reg
- '%ProgramFiles%\ccleaner\ccleaner64.exe' /createSkipUAC
- 'C:\gecici_proje_klasoru\cctrialsetup.exe' /S
- '%ProgramFiles%\ccleaner\ccupdate.exe' /emupdater /applydll "%ProgramFiles%\CCleaner\Setup\726c3fa1-8d68-4e53-843c-e226fbdca2bf.dll"
- 'C:\gecici_proje_klasoru\m.exe'
- '%ProgramFiles%\ccleaner\ccleaner64.exe' /monitor
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru"' (со скрытым окном)
- '%WINDIR%\syswow64\robocopy.exe' "%HOMEPATH%\Empty" "%LOCALAPPDATA%\Temp" /purge' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C taskkill /F /IM CCleaner.exe /T' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\K.png"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\Гѓ‡.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\E.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\R.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C "\Program Files\CCleaner\CCleaner.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\M.exe"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\S.vbs"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /Q /C taskkill /F /IM CCleaner64.exe /T' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru"
- '%WINDIR%\syswow64\cmd.exe' /Q /C "\Program Files\CCleaner\CCleaner.exe"
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru\K.png"
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru\E.exe"
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru\Гѓ‡.exe"
- '%WINDIR%\syswow64\cmd.exe' /Q /C taskkill /F /IM CCleaner64.exe /T
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru\M.exe"
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru\R.exe"
- '%ProgramFiles%\ccleaner\ccleaner.exe'
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru"
- '%WINDIR%\syswow64\cmd.exe' /Q /C taskkill /F /IM CCleaner.exe /T
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\K.png"
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\Гѓ‡.exe"
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\E.exe"
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\R.exe"
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\M.exe"
- '%WINDIR%\syswow64\cmd.exe' /Q /C attrib +R +H +S "C:\gecici_proje_klasoru\S.vbs"
- '%WINDIR%\syswow64\attrib.exe' +R +H +S "C:\gecici_proje_klasoru\S.vbs"
- '%WINDIR%\syswow64\robocopy.exe' "%HOMEPATH%\Empty" "%LOCALAPPDATA%\Temp" /purge
