File name: ef8c8443e3dfc5b6ecb147313ce83617d74ea27571745553f33402dd87ae704f.exe

Full analysis: https://app.any.run/tasks/9794e32b-9c0b-4a08-bade-deb59592ac89
Verdict: Malicious activity
Analysis date: January 23, 2024, 10:07:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: DB51AF75497A8B69ADF2932C0117B671
SHA1: 45F5519BDE8007B704CAE1BBFCF7838E552E9BAD
SHA256: 198A3E5E334F5BC39E4F0E5A7432334E9DA81D38BF117067D97FE749BCFCCBA5
SSDEEP: 98304:TKk1IcIIZG4LRF+q6nS7rvtH8a45useAJUed/zO3h7oV7sAqB266CAx2OzuiHK99:wBHrI5oxDx0m6b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 2640)
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Create files in the Startup directory
      • Install-GSK-Online-Setup.exe (PID: 980)
  • SUSPICIOUS
    • Malware-specific behavior (creating "System.dll" in Temp)
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Executable content was dropped or overwritten
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Process drops legitimate windows executable
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Reads settings of System Certificates
      • Install-GSK-Online-Setup.exe (PID: 980)
    • The process creates files with name similar to system file names
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Reads the Internet Settings
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Reads security settings of Internet Explorer
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Checks Windows Trust Settings
      • Install-GSK-Online-Setup.exe (PID: 980)
  • INFO
    • Creates files in the program directory
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Checks proxy server information
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Creates files or folders in the user directory
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Create files in a temporary directory
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2640)
    • Reads the machine GUID from the registry
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Checks supported languages
      • wmpnscfg.exe (PID: 2564)
      • Install-GSK-Online-Setup.exe (PID: 980)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2564)
    • Reads the computer name
      • wmpnscfg.exe (PID: 2564)
      • Install-GSK-Online-Setup.exe (PID: 980)
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2023:12:25 12:07:48
ZipCRC: 0x978399bb
ZipCompressedSize: 6518429
ZipUncompressedSize: 6706216
ZipFileName: Install-GSK-Online-Setup.exe
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe → install-gsk-online-setup.exe (no specs); install-gsk-online-setup.exe; wmpnscfg.exe (no specs)

Process information

PID 980
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\rar$exb2640.44107\install-gsk-online-setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\shlwapi.dll

PID 2052
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2640.44107\Install-GSK-Online-Setup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed and the installer was re-run as PID 980 at HIGH integrity)
Modules (images):
  • c:\users\admin\appdata\local\temp\rar$exb2640.44107\install-gsk-online-setup.exe
  • c:\windows\system32\ntdll.dll

PID 2564
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID 2640
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ef8c8443e3dfc5b6ecb147313ce83617d74ea27571745553f33402dd87ae704f.exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
Total events: 7 293
Read events: 7 247
Write events: 46
Delete events: 0

Modification events

(PID 2640) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write; Name: LanguageList; Value: en-US

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write; Name: 3; Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write; Name: 2; Value: C:\Users\admin\Desktop\phacker.zip

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write; Name: 1; Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write; Name: 0; Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write; Name: name; Value: 120

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write; Name: size; Value: 80

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write; Name: type; Value: 120

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write; Name: mtime; Value: 100

(PID 2640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write; Name: ProxyBypass; Value: 1
Executable files: 14
Suspicious files: 16
Text files: 39
Unknown types: 0

Dropped files

PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_DA.txt (text)
  MD5: 9662943340159CDCF84494C9E3691EFE
  SHA256: 82FABD1DC102C207FF46411159368C460F68B43991A365E8E27C82D71EC2D085
PID 980, Install-GSK-Online-Setup.exe: C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\nsDialogs.dll (executable)
  MD5: 6C3F8C94D0727894D706940A8A980543
  SHA256: 56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
PID 980, Install-GSK-Online-Setup.exe: C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\LangDLL.dll (executable)
  MD5: 68B287F4067BA013E34A1339AFDB1EA8
  SHA256: 18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_CS.txt (text)
  MD5: D2ECFDD998A72278F55AA1ABF3862F39
  SHA256: 891AFDAA03963AAD5A194E831FF3AC5C65CEBCC1ABBB370BEE180BC9D9C10C00
PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_DE.TXT (text)
  MD5: 816FA995559B4ED4A06C1F2590742B98
  SHA256: 82FD0453BE6DE7FDEFDAD61FCEE223CDA3F350F0535C9A0BB846E9A093CA1B1B
PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\tray-app.exe (executable)
  MD5: CCC3B349EFBAC83916A90752DE261937
  SHA256: 8F8919D632AAAD4B2138A9ABFC11A121490C5D1E1B6CB9BC6213F4FCBD3FDC69
PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_EN.TXT (text)
  MD5: EDA35AEC367689DA6F9EFE78C1C2D950
  SHA256: B044D235EDD6632AF48D2DDE6C3E855DB41221B24DED7A85E9399AA574BD1E8D
PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_BG.TXT (text)
  MD5: B3B27BB2B12AA033CC8140B2A0C94A71
  SHA256: 82D5844915CA34C15B40EDE2AFEA54AEC79AD0D5593A510261D7E687EA87C04B
PID 980, Install-GSK-Online-Setup.exe: C:\Users\admin\AppData\Local\Temp\nshCCF5.tmp\modern-wizard.bmp (image)
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
PID 980, Install-GSK-Online-Setup.exe: C:\Program Files\Volkswagen AG\GSK Online\Resources\Driver\API_CA.txt (text)
  MD5: 75F7360623342C7245A51F4C117F8F29
  SHA256: 243FB9E63ED0BF83E13119D4B43354879266B02D04AABC6FD7DE44F4E609CF23
HTTP(S) requests: 3
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

PID 980, Install-GSK-Online-Setup.exe: GET, HTTP 200, IP 192.229.221.95:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  CN: unknown; Type: binary; Size: 471 b; Reputation: unknown
PID 1080, svchost.exe: GET, HTTP 200, IP 23.53.42.66:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a414549a770d7263
  CN: unknown; Type: compressed; Size: 65.2 Kb; Reputation: unknown
PID 980, Install-GSK-Online-Setup.exe: GET, HTTP 304, IP 23.53.42.26:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?82d2a731a2837293
  CN: unknown; Reputation: unknown

Connections

PID 4, System: 192.168.100.255:137; Reputation: whitelisted
PID 4, System: 192.168.100.255:138; Reputation: whitelisted
PID 1080, svchost.exe: 224.0.0.252:5355; Reputation: unknown
PID 980, Install-GSK-Online-Setup.exe: 68.232.34.200:443; Domain: download.visualstudio.microsoft.com; ASN: EDGECAST; CN: US; Reputation: whitelisted
PID 980, Install-GSK-Online-Setup.exe: 23.53.42.26:80; Domain: ctldl.windowsupdate.com; ASN: Akamai International B.V.; CN: DE; Reputation: unknown
PID 980, Install-GSK-Online-Setup.exe: 192.229.221.95:80; Domain: ocsp.digicert.com; ASN: EDGECAST; CN: US; Reputation: whitelisted
PID 1080, svchost.exe: 23.53.42.66:80; Domain: ctldl.windowsupdate.com; ASN: Akamai International B.V.; CN: DE; Reputation: unknown

DNS requests

download.visualstudio.microsoft.com: 68.232.34.200; Reputation: whitelisted
ctldl.windowsupdate.com
Reputation: whitelisted
ocsp.digicert.com: 192.229.221.95; Reputation: whitelisted

Threats: No threats detected
Debug info: none