File name: CCSetup.exe

Full analysis: https://app.any.run/tasks/f77571ee-3898-476c-96a4-b3e709064367
Verdict: Malicious activity
Analysis date: August 23, 2024, 03:05:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FEC08CD443DA550781BB3F12CF64439B
SHA1: CE0607A0D2E1E87BC6F02DCCD8BD242FD64402E6
SHA256: F2945E170B8F97CDB773D4E271C9F8892F585372262EBB773F1AB9008BD1787A
SSDEEP: 98304:P9t0taQEx5Tf+S+PqFe+Qo7LJwhYpL6Gee+kXE0ulNadVeewWOUl48f1Z4qmtMqC:CE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • rundll32.exe (PID: 2480)
      • rundll32.exe (PID: 7000)
      • rundll32.exe (PID: 6940)
      • CCSetup.exe (PID: 6872)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 6112)
      • net.exe (PID: 2368)
      • cmd.exe (PID: 6660)
      • net.exe (PID: 4284)
      • cmd.exe (PID: 4592)
      • net.exe (PID: 1076)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • CCSetup.exe (PID: 6848)
      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
    • Executable content was dropped or overwritten

      • CCSetup.exe (PID: 6848)
      • CCSetup.exe (PID: 6872)
      • rundll32.exe (PID: 2480)
      • rundll32.exe (PID: 7000)
      • rundll32.exe (PID: 6940)
    • Starts itself from another location

      • CCSetup.exe (PID: 6848)
    • Reads security settings of Internet Explorer

      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3800)
      • ComboCleaner.exe (PID: 3272)
    • Checks Windows Trust Settings

      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3272)
    • Reads the Windows owner or organization settings

      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
    • Starts CMD.EXE for commands execution

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Uses DRIVERQUERY.EXE to obtain a list of installed device drivers

      • cmd.exe (PID: 6504)
    • Reads Microsoft Outlook installation path

      • CCSetup.exe (PID: 6872)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 6956)
      • rundll32.exe (PID: 2480)
      • rundll32.exe (PID: 7000)
      • rundll32.exe (PID: 6940)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6956)
    • Searches for installed software

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Creates a software uninstall entry

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Uses RUNDLL32.EXE to load library

      • CCSetup.exe (PID: 6872)
    • Reads the date of Windows installation

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Reads Internet Explorer settings

      • CCSetup.exe (PID: 6872)
    • Creates or modifies Windows services

      • rundll32.exe (PID: 7000)
      • rundll32.exe (PID: 6940)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Executes as Windows Service

      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • WmiApSrv.exe (PID: 6840)
      • WmiApSrv.exe (PID: 6172)
    • Application launched itself

      • ComboCleaner.exe (PID: 3800)
    • The process checks if it is being run in the virtual environment

      • ComboCleaner.WinService.exe (PID: 6716)
    • The process deletes folder without confirmation

      • CCSetup.exe (PID: 6872)
  • INFO

    • Reads the computer name

      • CCSetup.exe (PID: 6848)
      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
      • msiexec.exe (PID: 7072)
      • ISBEW64.exe (PID: 7132)
      • ISBEW64.exe (PID: 4672)
      • ISBEW64.exe (PID: 6724)
      • ISBEW64.exe (PID: 6580)
      • ISBEW64.exe (PID: 2180)
      • ISBEW64.exe (PID: 6156)
      • ISBEW64.exe (PID: 6200)
      • ISBEW64.exe (PID: 6240)
      • ISBEW64.exe (PID: 6300)
      • msiexec.exe (PID: 6236)
      • ISBEW64.exe (PID: 6332)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3800)
      • ComboCleaner.exe (PID: 3272)
    • Create files in a temporary directory

      • CCSetup.exe (PID: 6848)
      • CCSetup.exe (PID: 6872)
    • Checks supported languages

      • CCSetup.exe (PID: 6872)
      • CCSetup.exe (PID: 6848)
      • msiexec.exe (PID: 6956)
      • msiexec.exe (PID: 7072)
      • ISBEW64.exe (PID: 4672)
      • ISBEW64.exe (PID: 2180)
      • ISBEW64.exe (PID: 7132)
      • ISBEW64.exe (PID: 6580)
      • ISBEW64.exe (PID: 6724)
      • ISBEW64.exe (PID: 6240)
      • ISBEW64.exe (PID: 6156)
      • ISBEW64.exe (PID: 6200)
      • ISBEW64.exe (PID: 6300)
      • msiexec.exe (PID: 6236)
      • ISBEW64.exe (PID: 6332)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3800)
      • ComboCleaner.exe (PID: 3272)
    • Checks proxy server information

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.exe (PID: 3272)
    • Reads the machine GUID from the registry

      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3800)
      • ComboCleaner.exe (PID: 3272)
    • Creates files or folders in the user directory

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.exe (PID: 3272)
    • Reads the software policy settings

      • CCSetup.exe (PID: 6872)
      • msiexec.exe (PID: 6956)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3272)
    • Process checks Internet Explorer phishing filters

      • CCSetup.exe (PID: 6872)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6956)
    • Dropped object may contain TOR URL's

      • msiexec.exe (PID: 6956)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6956)
    • Process checks computer location settings

      • CCSetup.exe (PID: 6872)
    • Creates files in the driver directory

      • rundll32.exe (PID: 2480)
      • rundll32.exe (PID: 7000)
      • rundll32.exe (PID: 6940)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 1556)
      • runonce.exe (PID: 188)
      • runonce.exe (PID: 6172)
    • Reads the time zone

      • runonce.exe (PID: 1556)
      • runonce.exe (PID: 188)
      • runonce.exe (PID: 6172)
      • ComboCleaner.WinService.exe (PID: 6716)
    • Creates files in the program directory

      • CCSetup.exe (PID: 6872)
      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
    • Reads Environment values

      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.Guard.exe (PID: 6244)
      • ComboCleaner.exe (PID: 3272)
    • Disables trace logs

      • ComboCleaner.WinService.exe (PID: 6716)
      • ComboCleaner.exe (PID: 3272)
      • ComboCleaner.Guard.exe (PID: 6244)
    • Reads CPU info

      • ComboCleaner.WinService.exe (PID: 6716)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:20 19:44:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 622080
InitializedDataSize: 780288
UninitializedDataSize: -
EntryPoint: 0x59e5a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.65.0
ProductVersionNumber: 1.0.65.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: RCS LT
FileDescription: Combo Cleaner
FileVersion: 1.0.65.0
InternalName: Setup
LegalCopyright: Copyright (c) 2024 RCS LT, UAB. All Rights Reserved.
OriginalFileName: CCSetup.exe
ProductName: Combo Cleaner
ProductVersion: 1.0.65.0
InternalBuildNumber: 202227
ISInternalVersion: 26.0.720
ISInternalDescription: Setup Launcher Unicode
All screenshots are available in the full report
Total processes: 189
Monitored processes: 52
Malicious processes: 6
Suspicious processes: 5

Behavior graph

[Interactive process graph, available in the full report. Process nodes, in order: start, ccsetup.exe, ccsetup.exe, msiexec.exe, msiexec.exe (no specs), isbew64.exe (no specs, 10 instances), cmd.exe (no specs), conhost.exe (no specs), driverquery.exe (no specs), msiexec.exe (no specs), rundll32.exe, runonce.exe (no specs), grpconv.exe (no specs), rundll32.exe, runonce.exe (no specs), grpconv.exe (no specs), rundll32.exe, runonce.exe (no specs), grpconv.exe (no specs), sc.exe (no specs, 2 instances), conhost.exe (no specs, 2 instances), combocleaner.winservice.exe, cmd.exe (no specs), conhost.exe (no specs), combocleaner.guard.exe, net.exe (no specs), net1.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), net.exe (no specs), net1.exe (no specs), combocleaner.exe (no specs), combocleaner.exe, wmiapsrv.exe (no specs, 2 instances), cmd.exe (no specs), conhost.exe (no specs), ccsetup.exe (no specs)]

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID 188 | CMD: "C:\WINDOWS\system32\runonce.exe" -r | Path: C:\Windows\System32\runonce.exe | Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run Once Wrapper
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID 188 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1064 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1076 | CMD: net start gzflt | Path: C:\Windows\System32\net.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Net Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\bcrypt.dll
PID 1124 | CMD: "C:\WINDOWS\system32\cmd.exe" /c rmdir /s /q "C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}" | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: CCSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1556 | CMD: "C:\WINDOWS\system32\runonce.exe" -r | Path: C:\Windows\System32\runonce.exe | Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run Once Wrapper
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID 1636 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1644 | CMD: "C:\Windows\System32\grpconv.exe" -o | Path: C:\Windows\System32\grpconv.exe | Parent process: runonce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Progman Group Converter
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 2180 | CMD: C:\Users\admin\AppData\Local\Temp\{70320C92-2F10-4A87-B954-900468ABCA1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4097FA81-1AEE-49AC-A92D-AA5D80B39C12} | Path: C:\Users\admin\AppData\Local\Temp\{70320C92-2F10-4A87-B954-900468ABCA1A}\ISBEW64.exe | Parent process: CCSetup.exe
User: admin
Company: Flexera
Integrity Level: HIGH
Description: InstallShield (R) 64-bit Setup Engine
Exit code: 0
Version: 26.0.720
Modules (Images):
c:\users\admin\appdata\local\temp\{70320c92-2f10-4a87-b954-900468abca1a}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID 2368 | CMD: net start trufos | Path: C:\Windows\System32\net.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Net Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wkscli.dll
Total events: 56 731
Read events: 56 283
Write events: 431
Delete events: 17

Modification events

Columns: (PID) Process | Key | Operation | Name | Value

(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion | Operation: delete value | Name: %IS_PREREQ%-Combo Cleaner | Value: (empty)
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion | Operation: delete value | Name: %IS_PREREQF%-Combo Cleaner | Value: (empty)
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Operation: delete value | Name: ISSetupPrerequisistes | Value: (empty)
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(6872) CCSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
Executable files: 88
Suspicious files: 118
Text files: 41
Unknown types: 5

Dropped files

Columns: PID | Process | Filename | Type

6848 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}\_ISMSIDEL.INI | text
MD5: 79FD20EDCF3C3FBF3597CDC3BEF2DB32
SHA256: 52332DF859102D53A800AEF83677FF9925D23D6B2EA5592132F1708BAF0FDEBE
6848 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\~DB2B.tmp | text
MD5: 83DA0B2E6F742807321B9017D42057E0
SHA256: 2787A904EED56017DF786FFA19A13607E977685A337B40A2210A383C6A4B422B
6872 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}\setup.isn | binary
MD5: 158B74E43CB4EE3467E9DB23AFDBD32C
SHA256: AE7E9458770CDA907AC9205730D3EE1315BC0C14A5F143247E97C03294EB5560
6872 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}\Setup.INI | text
MD5: 83DA0B2E6F742807321B9017D42057E0
SHA256: 2787A904EED56017DF786FFA19A13607E977685A337B40A2210A383C6A4B422B
6848 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\~DB1B.tmp | text
MD5: 83DA0B2E6F742807321B9017D42057E0
SHA256: 2787A904EED56017DF786FFA19A13607E977685A337B40A2210A383C6A4B422B
6872 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}\CCSetup.msi | executable
MD5: 2F050B2E5B8CB3609BEADCD3D14883D9
SHA256: 315466D1A0BBDC23FA24548CBB191CBE67A263819F3B2D361C95951C07F3EECE
6872 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\~DBE6.tmp | text
MD5: 83DA0B2E6F742807321B9017D42057E0
SHA256: 2787A904EED56017DF786FFA19A13607E977685A337B40A2210A383C6A4B422B
6872 | CCSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_C5856A5EB1E3B74AE8014850A678CDBF | der
MD5: 926340427BC801FF886F2DFAE2CAA65E
SHA256: 3457217FECC60C1550F46AB0554DF6351501FD6011F24AF5627D9AC5B799FF7A
6872 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}\Microsoft .NET Framework 4.7.2 Full.prq | xml
MD5: 742F35470542E0F3B871918C6A10ABB2
SHA256: 880DF4512FFA3353A9658C8FCF0927F9E285B2E41905864EA0A04661C0649BBA
6872 | CCSetup.exe | C:\Users\admin\AppData\Local\Temp\{20FD435F-4273-4A20-A7D3-619C3BF7F3AD}\CCSetup.isc | binary
MD5: 3916988E2596364F7E8BCFA29FF729D2
SHA256: 0725EB46F67CF94080FDDAA5CF6DD44B6F0028AA7CF4016AB1D5AFFEA69FF09D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 46
DNS requests: 22
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)

6872 | CCSetup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D | unknown | whitelisted
6872 | CCSetup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAGtzR3ebXqHxeW3NrExxPc%3D | unknown | whitelisted
6772 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6716 | ComboCleaner.WinService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D | unknown | whitelisted
6716 | ComboCleaner.WinService.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAGtzR3ebXqHxeW3NrExxPc%3D | unknown | whitelisted
2068 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7120 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

3852 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | (no domain) | (no ASN) | (no CN) | whitelisted
5744 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6872 | CCSetup.exe | 172.67.96.20:443 | services.combocleaner.com | CLOUDFLARENET | US | unknown
6872 | CCSetup.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3852 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2068 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2068 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation

settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208, 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.185.238 | whitelisted
services.combocleaner.com | 172.67.96.20, 104.25.185.50, 104.25.186.50 | unknown
ocsp.digicert.com | 192.229.221.95 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
login.live.com | 40.126.32.72, 20.190.160.22, 20.190.160.14, 20.190.160.17, 40.126.32.133, 40.126.32.68, 40.126.32.76, 20.190.160.20, 40.126.32.134, 40.126.32.136, 40.126.32.74, 40.126.32.140, 40.126.32.138 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted

Threats

No threats detected

Debug info

No debug info