Malware analysis Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe Malicious activity

Add for printing

File name:	Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe
Full analysis:	https://app.any.run/tasks/9c9d6aca-f3ee-41c1-abaa-c3a75848cda1
Verdict:	Malicious activity
Analysis date:	December 02, 2019, 13:28:05
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	installer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	9F10195C04A1503000CA88803B2C0964
SHA1:	B51CA25AF96FAEF6CFE0FCE8A2A141D2C6A51957
SHA256:	284DBE71303A1AAFE040BE4CA39836B39FB36B16205C9BC7818AF0B704EAD86B
SSDEEP:	98304:SQX4tSC2Xcnh1j2jbGvaHvJ3XY7lVksDKE9TWNkcDqBYWLEIqmZYWtM:JIsqfjUavaHRnsk9s/mgEIbZHS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - dismhost.exe (PID: 1816)
  - dismhost.exe (PID: 2896)
  - PrinterDCA.Service.exe (PID: 4080)
  - dismhost.exe (PID: 2732)
  - PrinterDCA.Activate.exe (PID: 1712)
- Loads dropped or rewritten executable
  - dism.exe (PID: 1728)
  - dismhost.exe (PID: 1816)
  - TrustedInstaller.exe (PID: 328)
  - dism.exe (PID: 3196)
  - dismhost.exe (PID: 2896)
  - dism.exe (PID: 1852)
  - dismhost.exe (PID: 2732)
  - PrinterDCA.Activate.exe (PID: 1712)
  - PrinterDCA.Service.exe (PID: 4080)
- Changes settings of System certificates
  - msiexec.exe (PID: 2552)
- Starts Visual C# compiler
  - PrinterDCA.Activate.exe (PID: 1712)
  - PrinterDCA.Service.exe (PID: 4080)
- Starts NET.EXE for service management
  - cmd.exe (PID: 3716)
SUSPICIOUS
- Executable content was dropped or overwritten
  - dism.exe (PID: 3196)
  - dism.exe (PID: 1728)
  - msiexec.exe (PID: 2552)
  - dism.exe (PID: 1852)
  - csc.exe (PID: 2104)
  - csc.exe (PID: 3704)
- Executed as Windows Service
  - vssvc.exe (PID: 2004)
  - PrinterDCA.Service.exe (PID: 4080)
- Starts Microsoft Installer
  - Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe (PID: 1904)
- Creates files in the Windows directory
  - TrustedInstaller.exe (PID: 328)
  - PrinterDCA.Service.exe (PID: 4080)
  - csc.exe (PID: 2824)
  - csc.exe (PID: 1328)
  - csc.exe (PID: 3996)
- Adds / modifies Windows certificates
  - msiexec.exe (PID: 2552)
- Reads Environment values
  - MsiExec.exe (PID: 2912)
- Starts CMD.EXE for commands execution
  - Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe (PID: 1904)
  - PrinterDCA.Service.exe (PID: 4080)
- Creates files in the program directory
  - PrinterDCA.Activate.exe (PID: 1712)
- Creates files in the user directory
  - PrinterDCA.Activate.exe (PID: 1712)
- Removes files from Windows directory
  - csc.exe (PID: 2824)
  - PrinterDCA.Service.exe (PID: 4080)
  - csc.exe (PID: 1328)
  - csc.exe (PID: 3996)
INFO
- Searches for installed software
  - msiexec.exe (PID: 2552)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 2912)
  - MsiExec.exe (PID: 3732)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2004)
- Application launched itself
  - msiexec.exe (PID: 2552)
- Creates files in the program directory
  - msiexec.exe (PID: 2552)
  - MsiExec.exe (PID: 2912)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2552)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (34.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (25.2)
.exe	\|	Win64 Executable (generic) (22.3)
.scr	\|	Windows screen saver (10.6)
.exe	\|	Win32 Executable (generic) (3.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2014:01:06 20:42:36+01:00
PEType:	PE32
LinkerVersion:	8
CodeSize:	860160
InitializedDataSize:	4751360
UninitializedDataSize:	-
EntryPoint:	0x8ee33
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.5.0.30612
ProductVersionNumber:	4.5.0.30612
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	-
CompanyName:	PrintFleet Inc
FileDescription:	Printer DCA Installer (Pre-registered)
FileVersion:	4.5.0.30612
InternalName:	-
LegalCopyright:	(c) PrintFleet Inc
LegalTrademarks:	All Rights Reserved
OLESelfRegister:	-
OriginalFileName:	-
PrivateBuild:	-
ProductName:	dotNetInstaller
ProductVersion:	4.5.0.30612
SpecialBuild:	-

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	06-Jan-2014 19:42:36
Detected languages:	English - United States Italian - Italy
Debug artifacts:	c:\Users\dblock\source\dotnetinstaller\dblock\dotNetInstaller\Release\dotNetInstaller.pdb
Comments:	-
CompanyName:	PrintFleet Inc
FileDescription:	Printer DCA Installer (Pre-registered)
FileVersion:	4.5.0.30612
InternalName:	-
LegalCopyright:	(c) PrintFleet Inc
LegalTrademarks:	All Rights Reserved
OLESelfRegister:	-
OriginalFilename:	-
PrivateBuild:	-
ProductName:	dotNetInstaller
ProductVersion:	4.5.0.30612
SpecialBuild:	-

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000100

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	06-Jan-2014 19:42:36
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x000D1DC6	0x000D2000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.5996
.rdata	0x000D3000	0x00035B68	0x00036000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.58027
.data	0x00109000	0x00009098	0x00005000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.63854
.rsrc	0x00113000	0x0044CB4C	0x0044D000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.99777

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.23858	1205	Latin 1 / Western European	UNKNOWN	RT_MANIFEST
2	4.53363	1384	Latin 1 / Western European	UNKNOWN	RT_ICON
3	3.19513	744	Latin 1 / Western European	UNKNOWN	RT_ICON
4	5.97994	2216	Latin 1 / Western European	UNKNOWN	RT_ICON
5	5.45173	3752	Latin 1 / Western European	UNKNOWN	RT_ICON
6	2.0442	748	Latin 1 / Western European	UNKNOWN	RT_CURSOR
7	3.02695	308	Latin 1 / Western European	Italian - Italy	RT_CURSOR
8	2.74274	180	Latin 1 / Western European	Italian - Italy	RT_CURSOR
9	2.34038	308	Latin 1 / Western European	Italian - Italy	RT_CURSOR
10	2.34004	308	Latin 1 / Western European	Italian - Italy	RT_CURSOR

Imports


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINSPOOL.DRV

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

328

C:\Windows\servicing\TrustedInstaller.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Modules Installer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\servicing\trustedinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

720

C:\Windows\system32\net1 stop "Printer DCA"

C:\Windows\system32\net1.exe

—

net.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

904

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\jdzbjic-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

—

PrinterDCA.Activate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Visual C# Command Line Compiler

Exit code:

Version:

8.0.50727.4927 (NetFXspW7.050727-4900)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

912

net stop "Printer DCA"

C:\Windows\system32\net.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

1096

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vkovaqw_.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

—

PrinterDCA.Activate.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Visual C# Command Line Compiler

Exit code:

Version:

8.0.50727.4927 (NetFXspW7.050727-4900)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1328

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB8D7.tmp" "c:\Users\admin\AppData\Local\Temp\CSCB8D6.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

8.00.50727.4940 (Win7SP1.050727-5400)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll

1328

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\sdujokyu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

—

PrinterDCA.Service.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

8.0.50727.4927 (NetFXspW7.050727-4900)

Modules

Images
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\kernel32.dll
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll

1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC8A6.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC8A5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

8.00.50727.4940 (Win7SP1.050727-5400)

Modules

Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll

1712

"C:\Program Files\Printer DCA\PrinterDCA.Activate.exe" /server:http://eps.printfleet.com /pin:ED49-4CBC

C:\Program Files\Printer DCA\PrinterDCA.Activate.exe

cmd.exe

User:

admin

Company:

PrintFleet Inc

Integrity Level:

HIGH

Description:

PrintFleetDCA.Activate

Exit code:

Version:

4.5.0.30612

Modules

Images
c:\program files\printer dca\printerdca.activate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1728

/quiet /norestart /english /online /get-features /format:table

C:\Windows\system32\dism.exe

MsiExec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Dism Image Servicing Utility

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dism.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

4 662

Read events

4 322

Write events

328

Delete events

Modification events


(PID) Process:	(2552) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 40000000000000001CCFF66A14A9D501F8090000B80B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2552) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 40000000000000001CCFF66A14A9D501F8090000B80B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2552) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 33
(PID) Process:	(2552) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4000000000000000D2CA536B14A9D501F8090000B80B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2552) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4000000000000000D2CA536B14A9D501F80900007C0A0000E8030000010000000000000000000000732F3E7C30BBEA4DAF791EB5395FA4710000000000000000
(PID) Process:	(2004) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4000000000000000487B646B14A9D501D4070000E0020000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2004) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4000000000000000487B646B14A9D501D4070000FC050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2004) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4000000000000000487B646B14A9D501D4070000D0030000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2004) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4000000000000000487B646B14A9D501D4070000B00B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2004) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 40000000000000000A67706B14A9D501D4070000FC050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

122

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1904	Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe	C:\Users\admin\AppData\Local\Temp\DVAFD2.tmp		—
		MD5:—	SHA256:—
1904	Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe	C:\Users\admin\AppData\Local\Temp\{2499F1B9-9C33-4D32-81AE-62163260F936}\dcasetup.msi		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\Windows\Installer\3a22a1.msi		—
		MD5:—	SHA256:—
2004	vssvc.exe	C:		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Cab5DD5.tmp		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Tar5DD6.tmp		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Cab5ED1.tmp		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Tar5ED2.tmp		—
		MD5:—	SHA256:—
2552	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Cab5F6F.tmp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1712	PrinterDCA.Activate.exe	HEAD	405	52.213.124.228:80	http://eps.printfleet.com/pfe_ws/DCAActivation.asmx	IE	—	—	unknown
4080	PrinterDCA.Service.exe	POST	200	52.51.76.151:80	http://eps.printfleet.com/pfe_ws/Main.asmx	IE	xml	3.06 Kb	unknown
4080	PrinterDCA.Service.exe	GET	200	52.51.76.151:80	http://eps.printfleet.com/pfe_ws/Main.asmx	IE	html	5.77 Kb	unknown
4080	PrinterDCA.Service.exe	GET	200	52.51.76.151:80	http://eps.printfleet.com/pfe_ws/Main.asmx?disco	IE	xml	735 b	unknown
2552	msiexec.exe	GET	200	91.199.212.52:80	http://crt.comodoca.com/COMODORSAAddTrustCA.crt	GB	der	1.37 Kb	whitelisted
2552	msiexec.exe	GET	200	205.185.216.42:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt	US	der	1.46 Kb	whitelisted
2552	msiexec.exe	GET	200	205.185.216.42:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	57.4 Kb	whitelisted
4080	PrinterDCA.Service.exe	GET	200	52.51.76.151:80	http://eps.printfleet.com/pfe_ws/Main.asmx	IE	html	5.77 Kb	unknown
4080	PrinterDCA.Service.exe	POST	200	52.51.76.151:80	http://eps.printfleet.com/pfe_ws/Main.asmx	IE	xml	517 b	unknown
4080	PrinterDCA.Service.exe	GET	200	52.51.76.151:80	http://eps.printfleet.com/pfe_ws/Main.asmx?disco	IE	xml	735 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2552	msiexec.exe	91.199.212.52:80	crt.comodoca.com	Comodo CA Ltd	GB	suspicious
2552	msiexec.exe	205.185.216.42:80	www.download.windowsupdate.com	Highwinds Network Group, Inc.	US	whitelisted
1712	PrinterDCA.Activate.exe	52.213.124.228:80	eps.printfleet.com	Amazon.com, Inc.	IE	unknown
4080	PrinterDCA.Service.exe	52.51.76.151:80	eps.printfleet.com	Amazon.com, Inc.	IE	unknown

DNS requests

Domain	IP	Reputation
crt.comodoca.com	91.199.212.52	whitelisted
www.download.windowsupdate.com	205.185.216.42 205.185.216.10	whitelisted
eps.printfleet.com	52.213.124.228 52.213.53.247 52.51.76.151	unknown
2.100.168.192.in-addr.arpa	—	whitelisted
www.eps.printfleet.com	—	unknown

Threats

No threats detected

Add for printing

Process	Message
dism.exe	PID=3196 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
dism.exe	PID=3196 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
dism.exe	PID=3196 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
dism.exe	PID=3196 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
dism.exe	PID=3196 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
dism.exe	PID=3196 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
dism.exe	PID=3196 Getting Provider OSServices - CDISMProviderStore::GetProvider
dism.exe	PID=3196 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
dism.exe	PID=3196 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
dismhost.exe	PID=1816 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider

General Info

Printer DCA 4.5.0.30612 [eps.printfleet.com ED49-4CBC] Setup.exe

9F10195C04A1503000CA88803B2C0964

B51CA25AF96FAEF6CFE0FCE8A2A141D2C6A51957

284DBE71303A1AAFE040BE4CA39836B39FB36B16205C9BC7818AF0B704EAD86B

98304:SQX4tSC2Xcnh1j2jbGvaHvJ3XY7lVksDKE9TWNkcDqBYWLEIqmZYWtM:JIsqfjUavaHRnsk9s/mgEIbZHS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes settings of System certificates

Starts Visual C# compiler

Starts NET.EXE for service management

SUSPICIOUS

Executable content was dropped or overwritten

Executed as Windows Service

Starts Microsoft Installer

Creates files in the Windows directory

Adds / modifies Windows certificates

Reads Environment values

Starts CMD.EXE for commands execution

Creates files in the program directory

Creates files in the user directory

Removes files from Windows directory

INFO

Searches for installed software

Loads dropped or rewritten executable

Low-level read access rights to disk partition

Application launched itself

Creates files in the program directory

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats