File name:

GTA V (fitgirl-repacks.site).exe

Full analysis: https://app.any.run/tasks/f3fb7698-bdb3-4132-ab5f-8d6a85e18341
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: July 16, 2024, 12:11:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
darkcomet
upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

64C7636FA6FC7C945A4E12053F3E3791

SHA1:

549811B6AEB13D7FA2C21E6DD52D9B5140DBABFB

SHA256:

08FDE517F38A9E1FFF89E0A0A5FB096B44FD0C32ADF537CEE3AE32A80A41225E

SSDEEP:

6144:KcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37dn7TVrfuH2jB3xz:KcW7KEZlPzCy37dThuHw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • Changes the autorun value in the registry

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • DARKCOMET has been detected (YARA)

      • explorer.exe (PID: 6464)

    • Drops the executable file immediately after the start

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • Reads the date of Windows installation

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • The process creates files with name similar to system file names

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • Reads security settings of Internet Explorer

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • Starts itself from another location

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • There is functionality for taking screenshot (YARA)

      • explorer.exe (PID: 6464)

    • There is functionality for communication over UDP network (YARA)

      • explorer.exe (PID: 6464)

  • INFO

    • Checks supported languages

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)
      • explorer.exe (PID: 6464)

    • Reads the computer name

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)
      • explorer.exe (PID: 6464)

    • Process checks computer location settings

      • GTA V (fitgirl-repacks.site).exe (PID: 6396)

    • UPX packer has been detected

      • explorer.exe (PID: 6464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (42.1)
.exe | Win32 EXE Yoda's Crypter (41.3)
.exe | Win32 Executable (generic) (7)
.exe | Win16/32 Executable Delphi generic (3.2)
.exe | Generic Win/DOS Executable (3.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 15:59:53+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 253952
InitializedDataSize: 167936
UninitializedDataSize: 651264
EntryPoint: 0xdd860
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start gta v (fitgirl-repacks.site).exe THREAT explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6396"C:\Users\admin\Desktop\GTA V (fitgirl-repacks.site).exe" C:\Users\admin\Desktop\GTA V (fitgirl-repacks.site).exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\gta v (fitgirl-repacks.site).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6464"C:\Users\admin\Documents\Docuiments\explorer.exe" C:\Users\admin\Documents\Docuiments\explorer.exe
GTA V (fitgirl-repacks.site).exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\documents\docuiments\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
2 936
Read events
2 924
Write events
12
Delete events
0

Modification events

(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:AvastUpd
Value:
C:\Users\admin\Documents\Docuiments\explorer.exe
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:UserInit
Value:
C:\Windows\system32\userinit.exe,C:\Users\admin\Documents\Docuiments\explorer.exe
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
7B63966600000000
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6396) GTA V (fitgirl-repacks.site).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6396GTA V (fitgirl-repacks.site).exeC:\Users\admin\Documents\Docuiments\explorer.exeexecutable
MD5:64C7636FA6FC7C945A4E12053F3E3791
SHA256:08FDE517F38A9E1FFF89E0A0A5FB096B44FD0C32ADF537CEE3AE32A80A41225E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
50
DNS requests
54
Threats
38

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5708
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6564
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5708
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4636
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2824
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2824
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2448
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1888
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4656
SearchApp.exe
104.126.37.137:443
www.bing.com
Akamai International B.V.
DE
unknown
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2824
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
2824
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
6004
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.137
  • 104.126.37.144
  • 104.126.37.160
  • 104.126.37.154
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.146
  • 104.126.37.155
  • 104.126.37.139
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.206
whitelisted
mstelemetry.ignorelist.com
malicious
mstelemetry2.ignorelist.com
malicious
mstelemetry3.ignorelist.com
malicious
login.live.com
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.136
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ignorelist .com Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GTA V (fitgirl-repacks.site).exe