File name: ef8c8443e3dfc5b6ecb147313ce83617d74ea27571745553f33402dd87ae704f.exe

Full analysis: https://app.any.run/tasks/9794e32b-9c0b-4a08-bade-deb59592ac89
Verdict: Malicious activity
Analysis date: January 23, 2024, 10:07:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract. The submitted sample is a ZIP archive despite its .exe name: WinRAR opens it as ef8c8443e3dfc5b6ecb147313ce83617d74ea27571745553f33402dd87ae704f.exe.zip, and its single entry, Install-GSK-Online-Setup.exe, has the SHA256 that the archive is named after (see the dropped-files list). The hashes below are those of the archive, not of the installer inside it.
MD5: DB51AF75497A8B69ADF2932C0117B671
SHA1: 45F5519BDE8007B704CAE1BBFCF7838E552E9BAD
SHA256: 198A3E5E334F5BC39E4F0E5A7432334E9DA81D38BF117067D97FE749BCFCCBA5
SSDEEP: 98304:TKk1IcIIZG4LRF+q6nS7rvtH8a45useAJUed/zO3h7oV7sAqB266CAx2OzuiHK99:wBHrI5oxDx0m6b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2640)
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Create files in the Startup directory

      • Install-GSK-Online-Setup.exe (PID: 980)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Install-GSK-Online-Setup.exe (PID: 980)
        Note: a System.dll written to an ns*.tmp directory is the NSIS System plugin. The dropped-files list shows nsDialogs.dll, LangDLL.dll and modern-wizard.bmp in the same nshCCF5.tmp directory, the standard NSIS Modern UI set. This signature fires for any NSIS installer that uses the plugin, so by itself it does not separate malware from a legitimate installer.
    • Process drops legitimate windows executable

      • Install-GSK-Online-Setup.exe (PID: 980)
    • The process creates files with name similar to system file names

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Reads the Internet Settings

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Reads settings of System Certificates

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Reads security settings of Internet Explorer

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Checks Windows Trust Settings

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Executable content was dropped or overwritten

      • Install-GSK-Online-Setup.exe (PID: 980)
  • INFO

    • Checks supported languages

      • Install-GSK-Online-Setup.exe (PID: 980)
      • wmpnscfg.exe (PID: 2564)
    • Reads the computer name

      • Install-GSK-Online-Setup.exe (PID: 980)
      • wmpnscfg.exe (PID: 2564)
    • Reads the machine GUID from the registry

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Creates files in the program directory

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Checks proxy server information

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2640)
    • Create files in a temporary directory

      • Install-GSK-Online-Setup.exe (PID: 980)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2564)
    • Creates files or folders in the user directory

      • Install-GSK-Online-Setup.exe (PID: 980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP
ZipRequiredVersion: 20 (version 2.0 needed to extract)
ZipBitFlag: 0x0001 (general purpose bit 0 set: the entry is encrypted, i.e. the archive is password-protected, so gateway scanners cannot inspect the payload before a user extracts it)
ZipCompression: Deflated
ZipModifyDate: 2023:12:25 12:07:48
ZipCRC: 0x978399bb
ZipCompressedSize: 6518429
ZipUncompressedSize: 6706216 (the payload barely compresses, ratio 0.97, as expected for an installer whose own contents are already compressed)
ZipFileName: Install-GSK-Online-Setup.exe
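The EXIF fields above are a direct read of the ZIP local file header. The parser below is an added example written for this page, not ANY.RUN's code or ExifTool's: it decodes the fixed 30-byte header (APPNOTE 4.3.7), expands the general purpose bit flag, the compression method and the DOS timestamp, and returns the triage notes a mail or download gateway would want (encrypted entry, executable inside, payload that does not compress). SAMPLE_HEADER is constructed from the report's values with no payload bytes behind it; build_local_header exists only so the parser can run offline.

```python
import struct
from datetime import datetime

# Local file header: 4-byte signature followed by a 26-byte fixed part (APPNOTE 4.3.7).
LOCAL_HEADER_SIG = b"PK\x03\x04"
FIXED_PART = "<HHHHHIIIHH"  # version, flags, method, time, date, crc, csize, usize, name_len, extra_len

COMPRESSION_METHODS = {0: "stored", 8: "deflated", 12: "bzip2", 14: "lzma", 99: "AES-encrypted"}
FLAG_BITS = {0: "encrypted", 3: "data-descriptor", 6: "strong-encryption", 11: "utf8-names"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".lnk", ".msi")


def build_local_header(name, flags, method, mtime, crc, csize, usize):
    """Build a local file header (without payload) so the parser can be exercised offline."""
    dos_time = (mtime.hour << 11) | (mtime.minute << 5) | (mtime.second // 2)
    dos_date = ((mtime.year - 1980) << 9) | (mtime.month << 5) | mtime.day
    raw_name = name.encode("cp437")
    fixed = struct.pack(FIXED_PART, 20, flags, method, dos_time, dos_date, crc, csize, usize, len(raw_name), 0)
    return LOCAL_HEADER_SIG + fixed + raw_name


def parse_local_header(buf):
    """Decode one local file header and return its fields plus triage notes."""
    if buf[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    (version, flags, method, dos_time, dos_date,
     crc, csize, usize, name_len, extra_len) = struct.unpack(FIXED_PART, buf[4:30])
    # Bit 11 announces UTF-8 names; otherwise the name is in the original IBM code page 437.
    name = buf[30:30 + name_len].decode("utf-8" if flags & (1 << 11) else "cp437")
    # DOS timestamp: date = (year-1980)<<9 | month<<5 | day, time = hour<<11 | min<<5 | sec/2.
    mtime = datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                     dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)
    set_flags = [label for bit, label in FLAG_BITS.items() if flags & (1 << bit)]

    notes = []
    if "encrypted" in set_flags:
        notes.append("entry is password-protected: content scanners cannot inspect it before extraction")
    if name.lower().endswith(EXECUTABLE_EXTENSIONS):
        notes.append("archive carries a directly executable file")
    if usize and csize / usize > 0.9:
        notes.append("payload barely compresses: already packed or compressed content")

    return {
        "filename": name,
        "version_needed": f"{version // 10}.{version % 10}",
        "flags": set_flags,
        "compression": COMPRESSION_METHODS.get(method, f"method {method}"),
        "modified": mtime.strftime("%Y:%m:%d %H:%M:%S"),
        "crc32": f"0x{crc:08x}",
        "compressed_size": csize,
        "uncompressed_size": usize,
        "notes": notes,
    }


# Constructed sample: header values copied from the report's EXIF section, no payload bytes.
SAMPLE_HEADER = build_local_header(
    "Install-GSK-Online-Setup.exe", flags=0x0001, method=8,
    mtime=datetime(2023, 12, 25, 12, 7, 48), crc=0x978399BB, csize=6518429, usize=6706216,
)

if __name__ == "__main__":
    for key, value in parse_local_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

On a real archive, pass the first 30 bytes plus the file name read from disk; for multi-entry archives walk the central directory instead, since local headers may carry zeroed sizes when the data-descriptor bit is set.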
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process tree; "no specs" marks a process with no signatures of its own)

explorer.exe
  └ WinRAR.exe (PID 2640)
      ├ Install-GSK-Online-Setup.exe (PID 2052, no specs)
      └ Install-GSK-Online-Setup.exe (PID 980)
explorer.exe
  └ wmpnscfg.exe (PID 2564, no specs)

Process information

PID 980
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Modules (images):
    c:\users\admin\appdata\local\temp\rar$exb2640.44107\install-gsk-online-setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\shlwapi.dll

PID 2052
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Note: this is the first, non-elevated launch from WinRAR. It mapped only ntdll.dll before exiting, which is consistent with an executable whose manifest requires administrator rights being started without elevation; the instance that actually ran is PID 980, at HIGH integrity after the UAC prompt.
  Modules (images):
    c:\users\admin\appdata\local\temp\rar$exb2640.44107\install-gsk-online-setup.exe
    c:\windows\system32\ntdll.dll

PID 2564
  CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\windows media player\wmpnscfg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

PID 2640
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ef8c8443e3dfc5b6ecb147313ce83617d74ea27571745553f33402dd87ae704f.exe.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll
Total events: 7 293
Read events: 7 247
Write events: 46
Delete events: 0

Modification events (registry writes)

(PID 2640) WinRAR.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  write  LanguageList = en-US
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  write  3 = C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  write  2 = C:\Users\admin\Desktop\phacker.zip
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  write  1 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  write  0 = C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  write  name = 120
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  write  size = 80
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  write  type = 120
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  write  mtime = 100
(PID 2640) WinRAR.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write  ProxyBypass = 1

Note: all listed writes come from WinRAR, not from the installer. The ArcHistory values are WinRAR's recent-archive list carried over from the sandbox image (other archives opened earlier on this guest), not artifacts of this sample.
Executable files: 14
Suspicious files: 16
Text files: 39
Unknown types: 0

Dropped files (excerpt; the counts above cover more files than are listed here, see the full report)

PID 980  Install-GSK-Online-Setup.exe
  C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\System.dll  (executable)
  MD5: CFF85C549D536F651D4FB8387F1976F2
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
PID 980  Install-GSK-Online-Setup.exe
  C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\nsDialogs.dll  (executable)
  MD5: 6C3F8C94D0727894D706940A8A980543
  SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
PID 980  Install-GSK-Online-Setup.exe
  C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\LogEx.dll  (executable)
  MD5: 0F96D9EB959AD4E8FD205E6D58CF01B8
  SHA256: 57EDE354532937E38C4AE9DA3710EE295705EA9770C402DFB3A5C56A32FD4314
PID 2640  WinRAR.exe
  C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe  (executable)
  MD5: 6A5D67C39F20D9A24D456D5F02669CBA
  SHA256: EF8C8443E3DFC5B6ECB147313CE83617D74EA27571745553F33402DD87AE704F
PID 980  Install-GSK-Online-Setup.exe
  C:\Program Files\Volkswagen AG\GSK Online\runtimes\win-x86\native\WebView2Loader.dll  (executable)
  MD5: 5B17DA9ADFC5A07FA499DDED4FD52747
  SHA256: 9D5918CEC81470225BE7478C7E092C24F248E8CAA824D667FB57431CAD94BE71
PID 980  Install-GSK-Online-Setup.exe
  C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\LangDLL.dll  (executable)
  MD5: 68B287F4067BA013E34A1339AFDB1EA8
  SHA256: 18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
PID 980  Install-GSK-Online-Setup.exe
  C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\modern-wizard.bmp  (image)
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
PID 980  Install-GSK-Online-Setup.exe
  C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_CA.txt  (text)
  MD5: 75F7360623342C7245A51F4C117F8F29
  SHA256: 243FB9E63ED0BF83E13119D4B43354879266B02D04AABC6FD7DE44F4E609CF23
PID 980  Install-GSK-Online-Setup.exe
  C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_DA.txt  (text)
  MD5: 9662943340159CDCF84494C9E3691EFE
  SHA256: 82FABD1DC102C207FF46411159368C460F68B43991A365E8E27C82D71EC2D085
PID 980  Install-GSK-Online-Setup.exe
  C:\Program Files\Volkswagen AG\GSK Online\WebView2Loader.dll  (executable)
  MD5: 5B17DA9ADFC5A07FA499DDED4FD52747
  SHA256: 9D5918CEC81470225BE7478C7E092C24F248E8CAA824D667FB57431CAD94BE71

Note: nshCCF5.tmp is the plugin directory an NSIS installer unpacks at start; System.dll, nsDialogs.dll, LangDLL.dll and modern-wizard.bmp are stock NSIS Modern UI components. WebView2Loader.dll is written twice with identical hashes (install root and runtimes\win-x86\native). The files under C:\Program Files\Volkswagen AG\GSK Online\ are the installation target, which is why the installer needs the HIGH integrity level that PID 980 runs at. The WinRAR entry is the extracted installer itself: its SHA256 is the name of the submitted archive.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

PID 980  Install-GSK-Online-Setup.exe
  GET 304  23.53.42.26:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?82d2a731a2837293
  CN: unknown  Reputation: unknown
PID 1080  svchost.exe
  GET 200  23.53.42.66:80
  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a414549a770d7263
  CN: unknown  Type: compressed  Size: 65.2 Kb  Reputation: unknown
PID 980  Install-GSK-Online-Setup.exe
  GET 200  192.229.221.95:80
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  CN: unknown  Type: binary  Size: 471 b  Reputation: unknown

Note: the two ctldl.windowsupdate.com fetches are Windows' automatic certificate trust list updates (disallowedcertstl.cab is the untrusted-certificate list, authrootstl.cab the root CTL; the 304 means the guest's copy was current). Together with the OCSP query they are the traffic behind the "Reads settings of System Certificates" and "Checks Windows Trust Settings" indicators.

Connections

PID 4  System
  192.168.100.255:137  (NetBIOS name service broadcast)
  Reputation: whitelisted
PID 4  System
  192.168.100.255:138  (NetBIOS datagram broadcast)
  Reputation: whitelisted
PID 1080  svchost.exe
  224.0.0.252:5355  (LLMNR multicast)
  Reputation: unknown
PID 980  Install-GSK-Online-Setup.exe
  68.232.34.200:443  download.visualstudio.microsoft.com
  ASN: EDGECAST  CN: US  Reputation: whitelisted
PID 980  Install-GSK-Online-Setup.exe
  23.53.42.26:80  ctldl.windowsupdate.com
  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
PID 980  Install-GSK-Online-Setup.exe
  192.229.221.95:80  ocsp.digicert.com
  ASN: EDGECAST  CN: US  Reputation: whitelisted
PID 1080  svchost.exe
  23.53.42.66:80  ctldl.windowsupdate.com
  ASN: Akamai International B.V.  CN: DE  Reputation: unknown

Note: the first three entries are background Windows name-resolution traffic, not sample activity. The only destination the installer contacts outside the certificate-validation endpoints is download.visualstudio.microsoft.com over TLS; the report does not show what was requested there.

DNS requests

Domain
IP
Reputation
download.visualstudio.microsoft.com
  • 68.232.34.200
whitelisted
ctldl.windowsupdate.com
  • 23.53.42.26
  • 23.53.42.66
  • 23.53.42.59
  • 23.53.41.251
  • 23.53.42.25
  • 23.53.41.242
  • 23.53.42.17
  • 23.53.42.42
  • 23.53.42.16
  • 23.53.41.241
  • 23.53.42.41
  • 23.53.42.43
  • 23.53.42.65
  • 23.53.42.50
  • 23.53.42.67
  • 23.53.42.40
  • 23.53.42.64
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
No debug info