File name: CustomInstallExec.exe
Full analysis: https://app.any.run/tasks/032041f4-582f-4e99-9a63-e019915cf94c
Verdict: Malicious activity
Analysis date: December 17, 2024, 08:39:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 503421F0338E740985B345A583774910
SHA1: 435199363FDBB36ABDBFA893D6C02D4B9A1565E8
SHA256: BF540D6829830CEB83AB73171BE41C565E3BF13912292063F9FC16BC381BFE97
SSDEEP: 3072:8IozWOoBf3xLjdm7JSJJoREPI+YCiasVbMD:8IozWOoF9iJSJGR4I+YCiasVba
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • CustomInstallExec.exe (PID: 6504)
      • DataExchangeHost.exe (PID: 5076)
      • dasHost.exe (PID: 3808)
      • DataStoreCacheDumpTool.exe (PID: 5240)
      • dccw.exe (PID: 4136)
      • dccw.exe (PID: 5720)
      • dcomcnfg.exe (PID: 4672)
      • dcomcnfg.exe (PID: 5488)
      • ddodiag.exe (PID: 7028)
      • WinSAT.exe (PID: 3464)
      • WinSAT.exe (PID: 628)
    • Process drops legitimate windows executable

      • CustomInstallExec.exe (PID: 6504)
    • Executes as Windows Service

      • dllhost.exe (PID: 6216)
      • msdtc.exe (PID: 6744)
  • INFO

    • The sample was compiled with English language support

      • CustomInstallExec.exe (PID: 6504)
    • Checks supported languages

      • CustomInstallExec.exe (PID: 6504)
      • dasHost.exe (PID: 3808)
      • DataExchangeHost.exe (PID: 5076)
      • DataStoreCacheDumpTool.exe (PID: 5240)
      • dccw.exe (PID: 5720)
      • dcomcnfg.exe (PID: 5488)
      • AsusDownLoadLicense.exe (PID: 6404)
    • Manual execution by a user

      • DataStoreCacheDumpTool.exe (PID: 5240)
      • DataExchangeHost.exe (PID: 5076)
      • dasHost.exe (PID: 3808)
      • dccw.exe (PID: 4136)
      • dccw.exe (PID: 5720)
      • dcomcnfg.exe (PID: 4672)
      • dcomcnfg.exe (PID: 5488)
      • ddodiag.exe (PID: 7028)
      • WinSAT.exe (PID: 3464)
      • WinSAT.exe (PID: 5460)
      • WinSAT.exe (PID: 628)
      • Defrag.exe (PID: 6836)
      • notepad.exe (PID: 6304)
      • AsusDownLoadLicense.exe (PID: 6404)
      • WinSAT.exe (PID: 2120)
    • Reads the computer name

      • DataExchangeHost.exe (PID: 5076)
      • AsusDownLoadLicense.exe (PID: 6404)
    • Reads security settings of Internet Explorer

      • mmc.exe (PID: 6160)
      • notepad.exe (PID: 6304)
    • Sends debugging messages

      • mmc.exe (PID: 6160)
    • Creates files in the program directory

      • mmc.exe (PID: 6160)
      • AsusDownLoadLicense.exe (PID: 6404)
    • Checks transactions between Windows and Oracle databases (MSDTC activity)

      • dllhost.exe (PID: 6216)
      • msdtc.exe (PID: 6744)
      • mmc.exe (PID: 6160)
    • Creates files or folders in the user directory

      • mmc.exe (PID: 6160)
    • Reads the machine GUID from the registry

      • AsusDownLoadLicense.exe (PID: 6404)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2059:12:14 07:43:20+00:00 (a date in the future cannot be a link time; Microsoft builds Windows binaries with reproducible-build linking, which stores a hash of the image in the TimeDateStamp field instead of a clock value, so this alone is not evidence of tampering)
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 61440
InitializedDataSize: 98304
UninitializedDataSize: -
EntryPoint: 0x2b80
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 10
Subsystem: Windows GUI
FileVersionNumber: 10.0.26100.2033
ProductVersionNumber: 10.0.26100.2033
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Store Package Dependency Installer
FileVersion: 10.0.26100.2033 (WinBuild.160101.0800)
InternalName: CUSTOMINSTALLEXEC.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: CUSTOMINSTALLEXEC.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.26100.2033
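The EXIF and hash blocks above are what a static triage pass recovers from the PE headers. The following is an added example, not ANY.RUN's code and not taken from the sample: it builds a constructed, header-only PE32+ image carrying the same field values the report shows (x86-64, 8 sections, linker 14.38, entry point 0x2b80, GUI subsystem, a 2059 timestamp), then parses the COFF and optional headers back out, decodes the characteristics flags, hashes the bytes, and flags a link timestamp that lies outside the window in which the file could have been built. The `ANALYSIS_TIME` constant and the `build_sample_pe` helper are assumptions for the demonstration.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Assumed reference point: the analysis date of this report.
ANALYSIS_TIME = datetime(2024, 12, 17, 8, 39, 11, tzinfo=timezone.utc)

MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTICS = {0x0002: "Executable", 0x0020: "Large address aware", 0x2000: "DLL"}


def build_sample_pe() -> bytes:
    """Constructed header-only PE32+ image (no code, no sections) for the demo."""
    build_ts = int(datetime(2059, 12, 14, 7, 43, 20, tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", 0x8664, 8, build_ts, 0, 0, 240, 0x0022)
    # Optional header (PE32+): Magic, linker major/minor, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 38, 61440, 98304, 0, 0x2B80, 0x1000)
    opt += struct.pack(
        "<QIIHHHHHHIIIIHH",
        0x140000000, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
        10, 0, 10, 0, 10, 0,          # OS, image and subsystem version pairs
        0, 0x20000, 0x400, 0,         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x8160,                    # Subsystem = WINDOWS_GUI, DllCharacteristics
    )
    return dos + b"PE\x00\x00" + coff + opt.ljust(240, b"\x00")


def parse_pe_header(data: bytes, analysis_time: datetime = ANALYSIS_TIME) -> dict:
    """Read the fields a sandbox's EXIF block reports straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic, lmaj, lmin, _, _, _, entry = struct.unpack_from("<HBBIIII", data, opt)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset for PE32 and PE32+
    built = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{lmaj}.{lmin}",
        "entry_point": entry,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "timestamp": built.isoformat(),
        # A link time after the analysis date (or before Win32 existed) is not a real
        # build time. Expected for reproducible Microsoft builds, which store a hash
        # in TimeDateStamp; for anything else it deserves a closer look.
        "timestamp_plausible": datetime(1993, 1, 1, tzinfo=timezone.utc) <= built <= analysis_time,
    }


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as reported; ssdeep needs the external ssdeep module and is omitted."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    blob = build_sample_pe()
    for key, value in {**parse_pe_header(blob), **file_hashes(blob)}.items():
        print(f"{key:20} {value}")
```

Run it against a real file by replacing `build_sample_pe()` with the bytes of the file; the parser only touches the headers, so it is safe to run on untrusted input without executing anything.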
All screenshots are available in the full report
Total processes: 154
Monitored processes: 25
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Nodes, in the order the graph lists them ("no specs" means the node carries no indicators):
start, custominstallexec.exe (no specs), dashost.exe (no specs), conhost.exe (no specs), dataexchangehost.exe (no specs), datastorecachedumptool.exe (no specs), conhost.exe (no specs), dccw.exe (no specs), dccw.exe, dcomcnfg.exe (no specs), dcomcnfg.exe, mmc.exe, dllhost.exe (no specs), msdtc.exe (no specs), ddodiag.exe (no specs), defrag.exe (no specs), conhost.exe (no specs), notepad.exe (no specs), asusdownloadlicense.exe (no specs), winsat.exe (no specs), winsat.exe, conhost.exe (no specs), rundll32.exe (no specs), winsat.exe (no specs), winsat.exe, conhost.exe (no specs)

Process information

PID 628: "C:\Users\admin\Desktop\WinSAT.exe"
  Path: C:\Users\admin\Desktop\WinSAT.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows System Assessment Tool
  Exit code: 3221225785 (0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND: this is a 10.0.26100 build of WinSAT.exe running on the 19045 guest, so an import it expects is missing from the guest's system DLLs)
  Version: 10.0.26100.1882 (WinBuild.160101.0800)
  Loaded modules (images): c:\users\admin\desktop\winsat.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll

PID 1448: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: WinSAT.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 2120: "C:\Windows\System32\WinSAT.exe"
  Path: C:\Windows\System32\WinSAT.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows System Assessment Tool
  Exit code: 4
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules (images): c:\windows\system32\winsat.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\oleaut32.dll

PID 2448: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: WinSAT.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 3464: "C:\Users\admin\Desktop\WinSAT.exe"
  Path: C:\Users\admin\Desktop\WinSAT.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows System Assessment Tool
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image's manifest demands elevation, so the process died with only ntdll.dll mapped)
  Version: 10.0.26100.1882 (WinBuild.160101.0800)
  Loaded modules (images): c:\users\admin\desktop\winsat.exe, c:\windows\system32\ntdll.dll

PID 3552: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: DataStoreCacheDumpTool.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 3808: "C:\Users\admin\Desktop\dasHost.exe"
  Path: C:\Users\admin\Desktop\dasHost.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Device Association Framework Provider Host
  Exit code: 2147942487 (0x80070057, E_INVALIDARG, the HRESULT form of ERROR_INVALID_PARAMETER)
  Version: 10.0.26100.2161 (WinBuild.160101.0800)
  Loaded modules (images): c:\users\admin\desktop\dashost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\cfgmgr32.dll

PID 4136: "C:\Users\admin\Desktop\dccw.exe"
  Path: C:\Users\admin\Desktop\dccw.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Display Color Calibration
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 10.0.26100.2161 (WinBuild.160101.0800)
  Loaded modules (images): c:\users\admin\desktop\dccw.exe, c:\windows\system32\ntdll.dll

PID 4672: "C:\Users\admin\Desktop\dcomcnfg.exe"
  Path: C:\Users\admin\Desktop\dcomcnfg.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: COM+
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 2001.12.10941.16384 (WinBuild.160101.0800)
  Loaded modules (images): c:\users\admin\desktop\dcomcnfg.exe, c:\windows\system32\ntdll.dll

PID 5076: "C:\Users\admin\Desktop\DataExchangeHost.exe"
  Path: C:\Users\admin\Desktop\DataExchangeHost.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Data Exchange Host
  Exit code: not recorded
  Version: 10.0.26100.1882 (WinBuild.160101.0800)
  Loaded modules (images): c:\users\admin\desktop\dataexchangehost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll
Total events: 2 425
Read events: 2 404
Write events: 20
Delete events: 1

Modification events

PID 5720 dccw.exe: write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\CalibrationManagementEnabled = 0
PID 6160 mmc.exe: write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}\HelpTopic = C:\WINDOWS\Help\eventviewer.chm
PID 6160 mmc.exe: write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}\LinkedHelpTopics = C:\WINDOWS\Help\eventviewer.chm
PID 6160 mmc.exe: write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}\HelpTopic = C:\WINDOWS\Help\eventviewer.chm
PID 6160 mmc.exe: write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}\LinkedHelpTopics = C:\WINDOWS\Help\eventviewer.chm
PID 6216 dllhost.exe: write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Instrumentation\InstrumentationLogFileDir = C:\WINDOWS\system32\com
PID 6160 mmc.exe: delete key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List (default)
PID 6160 mmc.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List\File1 = C:\WINDOWS\system32\comexp.msc
PID 6160 mmc.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List\File2 = C:\WINDOWS\system32\wf.msc
PID 6160 mmc.exe: write HKEY_CURRENT_USER\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List\File3 = C:\WINDOWS\system32\services.msc

The MMC recent-file entries record the consoles opened during the session: comexp.msc (Component Services, the console dcomcnfg.exe launches), wf.msc (Windows Defender Firewall with Advanced Security) and services.msc.
Executable files: 0
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID 6216 dllhost.exe: C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8A5722A3-207F-4F9E-9393-10E46600F2F9}.crmlog (binary)
  MD5: E05776020EC192F8FF83B3B92461C148
  SHA256: E0BEFF5FBA41D2F336EF8EE0844C80EF9556636732791854EB342A395E90A492

PID 2120 WinSAT.exe: C:\Windows\Performance\WinSAT\winsat.log (text)
  MD5: 188F8DC18B760ECE6A4BCE99637492AC
  SHA256: 01E12548E7A97E2532C86630C680C440D7BEDC7B7C3AFCA6E2670111C4250E7C

PID 6160 mmc.exe: C:\Users\admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml (text)
  MD5: 884320A9B8F018F309F5A96107133F89
  SHA256: 50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 34
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | Type | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6580 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5092 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5092 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

None of these requests originates from the sample or the binaries it dropped; all seven are CRL downloads and OCSP status checks issued by Windows Update, Search and the service host in the background.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.155:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6072 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.185
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.186
  • 104.126.37.179
  • 104.126.37.152
  • 104.126.37.163
  • 92.123.104.66
  • 92.123.104.4
  • 92.123.104.67
  • 92.123.104.5
  • 92.123.104.64
  • 92.123.104.58
  • 92.123.104.59
  • 92.123.104.63
  • 92.123.104.65
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.73
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.75
  • 20.190.159.64
  • 20.190.159.23
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
Debug output

Process | Message
mmc.exe | ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
mmc.exe | SidCache: Hits: 0, Misses: 0, Remote: 0, Cache Clears: 0, Failed: 0, RPC Avoided: 0, Entries: 0