Malware analysis setup.msi Malicious activity | ANY.RUN

Add for printing

File name:	setup.msi
Full analysis:	https://app.any.run/tasks/8f1b2daf-aa26-41e5-901f-c551b358482e
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	October 16, 2024, 19:24:05
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc rat
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: This setup package will Install Arhana version 2.2.2, Author: ARH, Keywords: Installer, Comments: This installer database contains the logic and data required to install Arhana., Template: Intel;1033, Revision Number: {AEDB5D85-A9C4-4B31-A45E-2E505DE2843F}, Create Time/Date: Tue Oct 15 05:06:26 2024, Last Saved Time/Date: Tue Oct 15 05:06:26 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2
MD5:	CC7CF110BC43165463E51675775A2050
SHA1:	A4A80DC684F61D8EB8BCDE68856E84A16B5EF3D9
SHA256:	5B95F27FD07D589E652816F564066EAC2424AC744764587E503D5D040ABA3EBA
SSDEEP:	24576:ntg/Qe7QDmsL9rYXJZ3fh+pQBmC6kzMhX+:ntg/Qe7QDmsL9rYXJZ3fh+pQBmC6kzMw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Connects to the CnC server
  - DSAWcfProxy.exe (PID: 6688)
  - DSAWcfProxy.exe (PID: 6940)
SUSPICIOUS
- Application launched itself
  - DSAWcfProxy.exe (PID: 2280)
- Contacting a server suspected of hosting an CnC
  - DSAWcfProxy.exe (PID: 6688)
  - DSAWcfProxy.exe (PID: 6940)
- Connects to the server without a host name
  - DSAWcfProxy.exe (PID: 6940)
  - DSAWcfProxy.exe (PID: 6688)
  - DSAWcfProxy.exe (PID: 2280)
- Executes as Windows Service
  - VSSVC.exe (PID: 6596)
INFO
- Reads the computer name
  - msiexec.exe (PID: 4072)
- An automatically generated document
  - msiexec.exe (PID: 4792)
- Manages system restore points
  - SrTasks.exe (PID: 7132)
- Checks supported languages
  - msiexec.exe (PID: 4072)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4072)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	This setup package will Install Arhana version 2.2.2
Author:	ARH
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Arhana.
Template:	Intel;1033
RevisionNumber:	{AEDB5D85-A9C4-4B31-A45E-2E505DE2843F}
CreateDate:	2024:10:15 05:06:26
ModifyDate:	2024:10:15 05:06:26
Pages:	200
Words:	10
Software:	Windows Installer XML Toolset (3.11.0.1528)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1204

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1280

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

UCPDMgr.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2280

"C:\ProgramData\Arh\DSAWcfProxy.exe"

C:\ProgramData\Arh\DSAWcfProxy.exe

msiexec.exe

User:

admin

Company:

AutoHotkey Foundation LLC

Integrity Level:

MEDIUM

Description:

AutoHotkey Unicode 32-bit

Version:

1.1.37.02

Modules

Images
c:\programdata\arh\dsawcfproxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll

3848

"C:\WINDOWS\system32\UCPDMgr.exe"

C:\Windows\System32\UCPDMgr.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

User Choice Protection Manager

Exit code:

Version:

1.0.0.414301

Modules

Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4072

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4340

"C:\WINDOWS\system32\UCPDMgr.exe"

C:\Windows\System32\UCPDMgr.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

User Choice Protection Manager

Exit code:

Version:

1.0.0.414301

Modules

Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4792

"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\setup.msi

C:\Windows\System32\msiexec.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5984

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

UCPDMgr.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6596

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6688

C:\ProgramData\Arh\DSAWcfProxy.exe C:\ProgramData\Arh\DSAWcfProxy.exe~

C:\ProgramData\Arh\DSAWcfProxy.exe

DSAWcfProxy.exe

User:

admin

Company:

AutoHotkey Foundation LLC

Integrity Level:

MEDIUM

Description:

AutoHotkey Unicode 32-bit

Exit code:

Version:

1.1.37.02

Modules

Images
c:\programdata\arh\dsawcfproxy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

5 183

Read events

4 979

Write events

186

Delete events

Modification events


(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000700D1CFB0020DB01E80F0000A8190000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000700D1CFB0020DB01E80F0000A8190000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000975468FB0020DB01E80F0000A8190000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000975468FB0020DB01E80F0000A8190000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000001FB96AFB0020DB01E80F0000A8190000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000541C6DFB0020DB01E80F0000A8190000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000B0061FFC0020DB01E80F0000A8190000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4072) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000F0CE23FC0020DB01E80F000074050000E8030000010000000000000000000000DAEF707F8343E547B9D106ED00854EDA00000000000000000000000000000000
(PID) Process:	(6596) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 480000000000000000AF2FFC0020DB01C419000028060000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4072	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
4072	msiexec.exe	C:\Windows\Temp\~DF5B056B5207967528.TMP		binary
		MD5:0FA6E482210877E0C79CFE65C475F685	SHA256:752233E88F35643543785FD4EBE7DD5C0980DDD799D01610594633EC3909A9CF
4072	msiexec.exe	C:\Windows\Installer\SourceHash{49FBE0A1-9D8A-4E7D-B2BE-75D35C08341C}		binary
		MD5:CCEC033363607B800CA2DB4F906E58D2	SHA256:FA616D382F74231929E22DBB0F86CCC3D5A6D2682815AE1AAB3EB69D72076E3A
4072	msiexec.exe	C:\Windows\Temp\~DFEE3FE474C7AF9E8C.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
4072	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{7f70efda-4383-47e5-b9d1-06ed00854eda}_OnDiskSnapshotProp		binary
		MD5:EFF3329A1598B19528C35BDF9F3C97C6	SHA256:2EBE3CB3F2F8F2FAC9BF3261F15B45B127F00C7B4CD632CE61AB7299108F9879
4072	msiexec.exe	C:\Windows\Temp\~DF1817EEE539813B19.TMP		binary
		MD5:6DA5AFBDC8C8F3AA66E07A20E9D7E6CB	SHA256:86CE1E93A645C210D7EBA2CD3F497E3EEFE0BDFBC75212E872A3526476AFDDAE
4072	msiexec.exe	C:\ProgramData\Arh\DSAWcfProxy.exe		executable
		MD5:B6AF97AA32C636C3C4E87BB768A3CEB7	SHA256:BA35B8B4346B79B8BB4F97360025CB6BEFAF501B03149A3B5FEF8F07BDF265C7
4072	msiexec.exe	C:\Windows\Installer\MSI553.tmp		binary
		MD5:AD523D9EA8D372B95F27E5F8118FE550	SHA256:415317B3603C30CF8690695685C8EBF298FE0639335D6C862D6E7C6E72962764
4072	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:A73892937B1DE65F0E413F163F3063E5	SHA256:3B0B873DE00B35BE8DD7AFEA25B441896230E3FA9E4846AAF4CC8E38287551D1
4072	msiexec.exe	C:\ProgramData\Arh\DSAWcfProxy.ahk		text
		MD5:672ACEA81E55B00E8659571BDE188196	SHA256:22D24136B8F0B1B4196B94BAA3CE6CA049ABD318EBFE3FD8A7A8F5566CF7FB28

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious
2280	DSAWcfProxy.exe	GET	404	66.23.227.33:80	http://66.23.227.33/649566714	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2280	DSAWcfProxy.exe	66.23.227.33:80	—	IS-AS-1	US	malicious
6688	DSAWcfProxy.exe	66.23.227.33:80	—	IS-AS-1	US	malicious
6940	DSAWcfProxy.exe	66.23.227.33:80	—	IS-AS-1	US	malicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.180.78	whitelisted
crl.microsoft.com	—	whitelisted
www.bing.com	—	whitelisted
www.microsoft.com	—	whitelisted
self.events.data.microsoft.com	—	whitelisted
slscr.update.microsoft.com	—	whitelisted
fe3cr.delivery.mp.microsoft.com	—	whitelisted

Threats

PID	Process	Class	Message
2280	DSAWcfProxy.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
2280	DSAWcfProxy.exe	A Network Trojan was detected	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
6688	DSAWcfProxy.exe	Malware Command and Control Activity Detected	ET MALWARE AHK Bot Domain Profiler CnC Activity
6688	DSAWcfProxy.exe	Malware Command and Control Activity Detected	ET MALWARE AHK Bot Domain Profiler CnC Activity
6688	DSAWcfProxy.exe	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
6940	DSAWcfProxy.exe	Malware Command and Control Activity Detected	ET MALWARE AHK Bot Domain Profiler CnC Activity

5 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

setup.msi

CC7CF110BC43165463E51675775A2050

A4A80DC684F61D8EB8BCDE68856E84A16B5EF3D9

5B95F27FD07D589E652816F564066EAC2424AC744764587E503D5D040ABA3EBA

24576:ntg/Qe7QDmsL9rYXJZ3fh+pQBmC6kzMhX+:ntg/Qe7QDmsL9rYXJZ3fh+pQBmC6kzMw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

SUSPICIOUS

Application launched itself

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

Executes as Windows Service

INFO

Reads the computer name

An automatically generated document

Manages system restore points

Checks supported languages

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings