File name:	GLManager.exe
Full analysis:	https://app.any.run/tasks/c3f5deb1-4ee4-4427-9743-438197de82ea
Verdict:	Malicious activity
Analysis date:	August 10, 2024, 08:29:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	7C89FF18306D4E50E4BBD2BDFCD62DB4
SHA1:	93698A1D85176D811E6CC25B7265A8D2C88FCA7A
SHA256:	2A6A1509DBBBC3AC7EC0479B363C3533645488FAF9C8B4B725B8D9D93EB0A2C3
SSDEEP:	393216:jtj4SwVBplcSykMOlcx5HlfIHnMZ7Pso4X7Jay1w84Bv2MC:jtj4SwVBplczOlUZtz7ETXMy1AJ2MC

.exe	\|	Win32 EXE PECompact compressed (generic) (45.7)
.exe	\|	Win64 Executable (generic) (30.4)
.scr	\|	Windows screen saver (14.4)
.exe	\|	Win32 Executable (generic) (4.9)
.exe	\|	Generic Win/DOS Executable (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2014:06:10 16:50:53+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	259584
InitializedDataSize:	496640
UninitializedDataSize:	-
EntryPoint:	0x2cbbc
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	5.8.0.0
ProductVersionNumber:	5.8.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	GeeseLand Developers
FileDescription:	GeeseLand Менеджер
FileVersion:	5.8.0.0
InternalName:	GLManager
LegalCopyright:	GLManager Copyright © 2021 GeeseLand Developers
LegalTrademarks:	GLManager is a Trademark of GeeseLand Developers
ProductName:	GeeseLand Менеджер
ProductVersion:	5.8.0.0


(PID) Process:	(6564) autorun.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:	write	Name:	Speaker Configuration
Value: 4

PID	Process	Filename		Type
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\data.res		—
		MD5:—	SHA256:—
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd		compressed
		MD5:7C280BD0847437C4E176E01F5E1F56FA	SHA256:EFBC5A7FBC1631C79E9A426C92E5C1E89EE01BE10937070679FA6BEAAA449479
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\aop.res		binary
		MD5:7B586D5DAD13AFC9951BCEAB67152F11	SHA256:DB1047C592BAB297395BCF4078C1E6EB20B8F94F488C79EE3C94FBD838CE2940
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\sb_Windows7.png		image
		MD5:9611CE75DF8EBEA96DB486763CF650F7	SHA256:84D49DBE7E6B2A8C40B9C347F8CEF4ED8743E42E25685E9A7686452BA2C64C3B
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll		executable
		MD5:C9E58D1D66271921C21366023B8ED94F	SHA256:841732BB7E629D67E99505722200645771B7CB61C266C15356F0BABDADAC40C8
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\aqi.res		text
		MD5:5EB11DF17175D5E185E02637527F6C9D	SHA256:DC316D59C0ECA5C858817019213FF3B42B0935BF9A5D6FD7C2B3B69116DC0DB2
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\673567832_1.png		image
		MD5:9DE0A32B05D2447008183AE7EEEDC793	SHA256:E11A64D356D3B6DFA2A1AD1393FC80E8ECD8E91B5DCCF6F2A9009E0E6789AA8D
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\67356783_3.png		image
		MD5:D7FE3A0A05C6E21C3E7AB1A3023BA049	SHA256:3FCA83E31AAC9AA988573E08E5198010C21E5951741E0354FE0D7F046A25FD66
6564	autorun.exe	C:\Users\admin\AppData\Local\Temp\_ir_tmpfnt_1\Segoe UI Semibold_1.TFT		odttf
		MD5:D4D6E1A6527A21185217393C427A52CB	SHA256:7B61FCA63DA26E45444402F42CE068B29244D9D3D351E86796DF7CA0A94DF63C
6564	autorun.exe	C:\ProgramData\alrevc\com1\InstallLog_10.08.2024		text
		MD5:81051BCC2CF1BEDF378224B0A93E2877	SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2680	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4064	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2680	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	172.217.16.142	whitelisted

General Info

GLManager.exe

7C89FF18306D4E50E4BBD2BDFCD62DB4

93698A1D85176D811E6CC25B7265A8D2C88FCA7A

2A6A1509DBBBC3AC7EC0479B363C3533645488FAF9C8B4B725B8D9D93EB0A2C3

393216:jtj4SwVBplcSykMOlcx5HlfIHnMZ7Pso4X7Jay1w84Bv2MC:jtj4SwVBplczOlUZtz7ETXMy1AJ2MC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

The process checks if it is being run in the virtual environment

There is functionality for taking screenshot (YARA)

Reads the BIOS version

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings