File name:

GGSetup.exe

Full analysis: https://app.any.run/tasks/e5cdf97f-1fe4-4b61-acc5-7e3705f24a2c
Verdict: Malicious activity
Analysis date: March 03, 2024, 13:49:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FC5065F1885DADFBDB47EB6A46CF8327

SHA1:

59FC26D24C85C0FD45B959F63E7D23B5508AB69F

SHA256:

027D09C7639E8C2B2AE3AE91262AC00AF4D81878352B423090D8AD63EBF7DEB2

SSDEEP:

98304:kVTDz35H+uM9qfzcHiz1CxC8PfWZNMreRViRhKvNS/efVJKZs4OWi62ugHBYVPne:dWvR0Hylw0RDl8F0dVYFA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • GGSetup.exe (PID: 4060)
    • Drops the executable file immediately after the start

      • GGSetup.exe (PID: 4060)
  • SUSPICIOUS

    • Reads the BIOS version

      • GGSetup.exe (PID: 4060)
    • Creates or modifies Windows services

      • GGSetup.exe (PID: 4060)
    • Executable content was dropped or overwritten

      • GGSetup.exe (PID: 4060)
  • INFO

    • Checks supported languages

      • GGSetup.exe (PID: 4060)
    • Process checks whether UAC notifications are on

      • GGSetup.exe (PID: 4060)
    • Reads the computer name

      • GGSetup.exe (PID: 4060)
    • Creates files in the program directory

      • GGSetup.exe (PID: 4060)
    • Manual execution by a user

      • explorer.exe (PID: 2580)
      • rundll32.exe (PID: 2388)
      • notepad++.exe (PID: 1352)
    • Reads the machine GUID from the registry

      • GGSetup.exe (PID: 4060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:11:09 13:04:52+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 1404928
InitializedDataSize: 450560
UninitializedDataSize: -
EntryPoint: 0xeac058
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2022.11.9.1
ProductVersionNumber: 2022.11.9.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Korean
CharacterSet: Unicode
Comments: nProtect Game Monitor
CompanyName: INCA Internet Co., Ltd.
FileDescription: nProtect GameGuard Service Installer
FileVersion: 2022, 11, 9, 1
InternalName: GameMon
LegalCopyright: ⓒ INCA Internet Co.,Ltd. All rights reserved.
LegalTrademarks: nProtect
OriginalFileName: GameMon.des
ProductName: nProtect Game Monitor
ProductVersion: 2022, 11, 9, 1
No data.
All screenshots are available in the full report
Total processes
46
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Graph nodes: ggsetup.exe, explorer.exe (no specs), notepad++.exe, rundll32.exe (no specs), ggsetup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1352
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Windows\System32\GameMon.des"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2388
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\GameMon.des
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 2580
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3668
CMD: "C:\Users\admin\AppData\Local\Temp\GGSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\GGSetup.exe
Parent process: explorer.exe
User:
admin
Company:
INCA Internet Co., Ltd.
Integrity Level:
MEDIUM
Description:
nProtect GameGuard Service Installer
Exit code:
3221226540
Version:
2022, 11, 9, 1
Modules
Images
c:\users\admin\appdata\local\temp\ggsetup.exe
c:\windows\system32\ntdll.dll
PID: 4060
CMD: "C:\Users\admin\AppData\Local\Temp\GGSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\GGSetup.exe
Parent process: explorer.exe
User:
admin
Company:
INCA Internet Co., Ltd.
Integrity Level:
HIGH
Description:
nProtect GameGuard Service Installer
Exit code:
0
Version:
2022, 11, 9, 1
Modules
Images
c:\users\admin\appdata\local\temp\ggsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
540
Read events
518
Write events
15
Delete events
7

Modification events

(PID) Process: (4060) GGSetup.exe
Key: HKEY_CURRENT_USER\Software\INCAInternet\nProtectGameGuard\GameGuardError
Operation: delete
Name: Error1
Value:

(PID) Process: (4060) GGSetup.exe
Key: HKEY_CURRENT_USER\Software\INCAInternet\nProtectGameGuard\GameGuardError
Operation: delete
Name: Error2
Value:

(PID) Process: (4060) GGSetup.exe
Key: HKEY_CURRENT_USER\Software\INCAInternet\nProtectGameGuard\GameGuardError
Operation: delete
Name: Error3
Value:

(PID) Process: (4060) GGSetup.exe
Key: HKEY_CURRENT_USER\Software\INCAInternet\nProtectGameGuard\GameGuardError
Operation: delete
Name: Error4
Value:

(PID) Process: (4060) GGSetup.exe
Key: HKEY_CURRENT_USER\Software\INCAInternet\nProtectGameGuard\GameGuardError
Operation: delete
Name: LastErrGame
Value:

(PID) Process: (4060) GGSetup.exe
Key: HKEY_CURRENT_USER\Software\INCAInternet\nProtectGameGuard\GameGuardError
Operation: delete
Name: LastErrNum
Value:

(PID) Process: (4060) GGSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc
Operation: write
Name: Description
Value: nProtect GameGuard Service

(PID) Process: (1352) notepad++.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files
1
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1352
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
Type: xml
MD5: 75DAF0C838CA0F9DAA89D4074A504E1B
SHA256: 97901B6DEF410AA997B0E91A0FD0947EB3A26B7D5C83FD7228FDE04F981AC53C

PID: 1352
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
Type: text
MD5: 30A14B886E7F45B4C50BF70EA6905183
SHA256: 00261647C666ABEA86D810834718B4DC0D607B2049ADD8C020109098559DC073

PID: 4060
Process: GGSetup.exe
Filename: C:\ProgramData\mntemp
Type: text
MD5: B4DF83C32AF42D6BA81EBA6D35E84C68
SHA256: 512BC7B05DF92A70C2B8C13C19D98B4DE836822396F1E15DC1A3DC13A830757D

PID: 4060
Process: GGSetup.exe
Filename: C:\Windows\system32\GameMon.des
Type: executable
MD5: FC5065F1885DADFBDB47EB6A46CF8327
SHA256: 027D09C7639E8C2B2AE3AE91262AC00AF4D81878352B423090D8AD63EBF7DEB2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3