File name: CleanSetup.exe

Full analysis: https://app.any.run/tasks/45855c48-0339-45d6-9656-480c36a91252
Verdict: Malicious activity
Analysis date: November 21, 2023, 22:15:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5722A538612B57A2BEE3842DF21E1283
SHA1: 83680B29F3606A870F443C2F2B19321F92971EEC
SHA256: C0938EAE7B15D45F414F54A28101DF5FB1E04CFA91F21E313EA29A8E17432B03
SSDEEP: 24576:fcvF7xCH6Hnk58PD0xbyCraLC/+8XPdU9Q9qbR9JEHa3il3NlKlsEcnuWS/z9vtk:fct0H6Hk58PINyCraLC/+8XVU9Q9qbRk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • CleanSetup.exe (PID: 3512)
    • Actions look like stealing of personal data

      • SuperCleaner.exe (PID: 3688)
  • SUSPICIOUS

    • Reads the Internet Settings

      • SuperCleaner.exe (PID: 3688)
      • CleanSetup.exe (PID: 3512)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 4060)
      • SuperCleaner.exe (PID: 3688)
      • CleanSetup.exe (PID: 3512)
      • wmpnscfg.exe (PID: 3384)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4060)
    • Checks supported languages

      • SuperCleaner.exe (PID: 3688)
      • CleanSetup.exe (PID: 3512)
      • wmpnscfg.exe (PID: 3384)
      • wmpnscfg.exe (PID: 4060)
    • Creates files in the program directory

      • CleanSetup.exe (PID: 3512)
    • Reads the machine GUID from the registry

      • SuperCleaner.exe (PID: 3688)
      • CleanSetup.exe (PID: 3512)
      • wmpnscfg.exe (PID: 3384)
      • wmpnscfg.exe (PID: 4060)
    • Creates files in a temporary directory

      • CleanSetup.exe (PID: 3512)
    • Checks proxy server information

      • SuperCleaner.exe (PID: 3688)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:10:27 20:00:27+02:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 40960
InitializedDataSize: 532480
UninitializedDataSize: -
EntryPoint: 0x4ed1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.8.0.0
ProductVersionNumber: 1.8.0.0
FileFlagsMask: 0x003f
FileFlags: Private build, Special build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: http://www.SouthBayPC.com
CompanyName: South Bay Software
FileDescription: OmniSetup Installer
FileVersion: 1.8
InternalName: Setup
LegalCopyright: Copyright © 1999-2005 South Bay Software
LegalTrademarks:
OriginalFileName: Setup.exe
PrivateBuild:
ProductName: OmniSetup
ProductVersion: 1.8
SpecialBuild:
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive; process details are in the full report)

start, cleansetup.exe, supercleaner.exe, wmpnscfg.exe (no specs), wmpnscfg.exe (no specs), cleansetup.exe (no specs)

Process information

PID: 3384
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

PID: 3484
CMD: "C:\Users\admin\AppData\Local\Temp\CleanSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\CleanSetup.exe
Parent process: explorer.exe
User: admin
Company: South Bay Software
Integrity Level: MEDIUM
Description: OmniSetup Installer
Exit code: 3221226540
Version: 1.8
Modules (images):
c:\users\admin\appdata\local\temp\cleansetup.exe
c:\windows\system32\ntdll.dll

PID: 3512
CMD: "C:\Users\admin\AppData\Local\Temp\CleanSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\CleanSetup.exe
Parent process: explorer.exe
User: admin
Company: South Bay Software
Integrity Level: HIGH
Description: OmniSetup Installer
Exit code: 1
Version: 1.8
Modules (images):
c:\users\admin\appdata\local\temp\cleansetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3688
CMD: "C:\Program Files\SuperCleaner\SuperCleaner.exe" /s
Path: C:\Program Files\SuperCleaner\SuperCleaner.exe
Parent process: CleanSetup.exe
User: admin
Company: South Bay Software
Integrity Level: HIGH
Description: SuperCleaner
Exit code: 0
Version: 2.96
Modules (images):
c:\program files\supercleaner\supercleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 4060
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

Total events: 1 058
Read events: 1 032
Write events: 20
Delete events: 6

Modification events

(PID) Process: (3384) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{627951C3-4EDB-4436-A745-FF833C13693C}\{857FCC3A-00A8-40B3-BF86-E5A324CC6E41}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3384) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{627951C3-4EDB-4436-A745-FF833C13693C}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3384) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{7B3D071F-D581-4596-84AB-25C6800DF61B}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3512) CleanSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3512) CleanSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3512) CleanSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3512) CleanSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3688) SuperCleaner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3688) SuperCleaner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3688) SuperCleaner.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Executable files: 4
Suspicious files: 31
Text files: 19
Unknown types: 0

Dropped files

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Users\admin\Desktop\SuperCleaner.lnk | Type: binary
MD5: 9574BCFEB77F8CA0909414929D61F0A4
SHA256: 36F7C5945876DDE8A04C36EC6CA041D82ECBF2C1FFBDA0B10C6371F58BB0DEAD

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\osf9678.tmp | Type: binary
MD5: 1BEBC78B567898E18097A6C59A917A37
SHA256: 33CF0F8A5060F4E6F363199BFF8F3523541BBF4F7648CA81A70A3B830658EC95

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Program Files\SuperCleaner\click.wav | Type: binary
MD5: C2E5A28D15ADA7BBFF5F039C4C55DEA3
SHA256: D5712A8963EB3E1E181B25649ECFF3080EDE89C96350EB07E7D7CAD429E959EA

PID: 3512 | Process: CleanSetup.exe | Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SuperCleaner\SuperCleaner Help.lnk | Type: binary
MD5: 881D393CB589C5030BDE7D0D8A852272
SHA256: C090DEF87CF100632F298FBB99A43E66711606B6266FE46BC0EC98D4368D2741

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\osf96DE.tmp | Type: binary
MD5: B3FECF00F02FF7C2046FABC8A7762254
SHA256: B160F9BFB3758313DB843EC445610273DB90FC7F199808F3B0AA26F1D654A9B9

PID: 3512 | Process: CleanSetup.exe | Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SuperCleaner\SuperCleaner.lnk | Type: binary
MD5: EAE9A116F399BA898A200F115958ACCE
SHA256: 29BBE78BE6045EF0B5AAE87B357E457706B7B8D68E6E15A3963D6ADBFF6A305A

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Program Files\SuperCleaner\osf9679.tmp | Type: executable
MD5: EC0CAECE0B5E03D40C675D87D992395D
SHA256: E58BA2E33026FFFC81802CBC970AF32EF7758D4C385E3BAC0729C01350A26359

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Program Files\SuperCleaner\Uninst.ini | Type: text
MD5: E653BEB7D6880728049A152870878593
SHA256: D961824E5558818560C027D407D967185EF9FA874EABBF6A16428D27771E1795

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Users\Administrator\Desktop\SuperCleaner.lnk | Type: binary
MD5: 9574BCFEB77F8CA0909414929D61F0A4
SHA256: 36F7C5945876DDE8A04C36EC6CA041D82ECBF2C1FFBDA0B10C6371F58BB0DEAD

PID: 3512 | Process: CleanSetup.exe | Filename: C:\Program Files\SuperCleaner\SuperCleaner.exe | Type: executable
MD5: EC0CAECE0B5E03D40C675D87D992395D
SHA256: E58BA2E33026FFFC81802CBC970AF32EF7758D4C385E3BAC0729C01350A26359

Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 34
TCP/UDP connections: 6
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3688 | SuperCleaner.exe | GET | 200 | 208.112.93.37:80 | http://www.SouthBayPC.com/SuperCleaner/ver.txt | US | text | 4 b | unknown
- | - | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9cf51b384cb57221 | GB | compressed | 4.66 Kb | unknown
- | - | GET | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?linkid=44661 | DE | - | - | unknown
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | binary | 471 b | unknown
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | binary | 471 b | unknown
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | US | binary | 471 b | unknown
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | binary | 471 b | unknown
- | - | GET | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkId=129792 | DE | - | - | unknown
- | - | GET | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkId=129791 | DE | - | - | unknown
- | - | GET | 302 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?linkid=68920 | DE | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3688 | SuperCleaner.exe | 208.112.93.37:80 | www.southbaypc.com | LNH-INC | US | unknown

DNS requests

Domain
IP
Reputation
www.southbaypc.com
  • 208.112.93.37
unknown
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
rssgov.windows.microsoft.com
  • 2.21.20.151
  • 2.21.20.137
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
support.microsoft.com
  • 23.35.228.112
whitelisted

Threats

No threats detected
No debug info