Can you clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) ever? (or not to change the build number?)

Is the malware different in version B? Does it connect to another server?

Variant A:

ccsetup533.exe
SHA-256
1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF
Signing date
8/3/2017 10:43 AM

CCleaner.exe (32-bit 5.33.6162)
SHA-256
6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
Signing date
8/3/2017 10:42 AM

Variant B:

ccsetup533.exe
SHA-256
276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
Signing date
8/3/2017 10:59 AM
CCleaner.exe (32-bit 5.33.6162)

SHA-256

36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9

Signing date

8/3/2017 10:58 AM

I'm open to non-staff input and speculation. Which ones did you encounter?

Hi NonConvergentWaveform,

From time to time we build a second set of binaries for testing purposes. A test version was built for version 5.33.6162 and this build was also affected by the compromise.

Hi NonConvergentWaveform,

From time to time we build a second set of binaries for testing purposes. A test version was built for version 5.33.6162 and this build was also affected by the compromise.

Thank you for your valid and concise answer.