File name:	GLManager.exe
Full analysis:	https://app.any.run/tasks/c3f5deb1-4ee4-4427-9743-438197de82ea
Verdict:	Malicious activity
Analysis date:	August 10, 2024, 08:29:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	7C89FF18306D4E50E4BBD2BDFCD62DB4
SHA1:	93698A1D85176D811E6CC25B7265A8D2C88FCA7A
SHA256:	2A6A1509DBBBC3AC7EC0479B363C3533645488FAF9C8B4B725B8D9D93EB0A2C3
SSDEEP:	393216:jtj4SwVBplcSykMOlcx5HlfIHnMZ7Pso4X7Jay1w84Bv2MC:jtj4SwVBplczOlUZtz7ETXMy1AJ2MC

.exe	\|	Win32 EXE PECompact compressed (generic) (45.7)
.exe	\|	Win64 Executable (generic) (30.4)
.scr	\|	Windows screen saver (14.4)
.exe	\|	Win32 Executable (generic) (4.9)
.exe	\|	Generic Win/DOS Executable (2.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2014:06:10 16:50:53+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	259584
InitializedDataSize:	496640
UninitializedDataSize:	-
EntryPoint:	0x2cbbc
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	5.8.0.0
ProductVersionNumber:	5.8.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	GeeseLand Developers
FileDescription:	GeeseLand Менеджер
FileVersion:	5.8.0.0
InternalName:	GLManager
LegalCopyright:	GLManager Copyright © 2021 GeeseLand Developers
LegalTrademarks:	GLManager is a Trademark of GeeseLand Developers
ProductName:	GeeseLand Менеджер
ProductVersion:	5.8.0.0


(PID) Process:	(6564) autorun.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:	write	Name:	Speaker Configuration
Value: 4

PID	Process	Filename		Type
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\data.res		—
		MD5:—	SHA256:—
6564	autorun.exe	C:\ProgramData\alrevc\com1\InstallLog_10.08.2024		text
		MD5:81051BCC2CF1BEDF378224B0A93E2877	SHA256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\67356783_3.png		image
		MD5:D7FE3A0A05C6E21C3E7AB1A3023BA049	SHA256:3FCA83E31AAC9AA988573E08E5198010C21E5951741E0354FE0D7F046A25FD66
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe		executable
		MD5:4FA2B993B61532318BC2BC7CEC7BB1F9	SHA256:D1124D2A1B0E1AD62B5A58B704FBF7C2F20CCAA35218579792AA5C1220A15D70
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\sb_Windows7.png		image
		MD5:9611CE75DF8EBEA96DB486763CF650F7	SHA256:84D49DBE7E6B2A8C40B9C347F8CEF4ED8743E42E25685E9A7686452BA2C64C3B
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\lua51.dll		executable
		MD5:7FA818F532EFFD80CF7C1C54676E5A0D	SHA256:1C2D1BA8425139D45DE89192D2AE4982E9581F8AE0F22B8497AA0055080237CA
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\aop.res		binary
		MD5:7B586D5DAD13AFC9951BCEAB67152F11	SHA256:DB1047C592BAB297395BCF4078C1E6EB20B8F94F488C79EE3C94FBD838CE2940
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\128.ico		image
		MD5:382BF5E039443222F577E714AF6A76A3	SHA256:1F26182A76E14F3F7AC30CFF0F229EE85C3156CDB705297411DA7EDD0129F952
6484	GLManager.exe	C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\aqi.res		text
		MD5:5EB11DF17175D5E185E02637527F6C9D	SHA256:DC316D59C0ECA5C858817019213FF3B42B0935BF9A5D6FD7C2B3B69116DC0DB2
6564	autorun.exe	C:\Users\admin\AppData\Local\Temp\_ir_tmpfnt_1\Segoe UI_1.TFT		odttf
		MD5:3B7CF1CD7D71AB5F984D4839E446F379	SHA256:DE98550430E2E17A8399DB094F1A809743A137CCBA389B0F0B56061473D29AD4

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2680	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4064	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2680	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	172.217.16.142	whitelisted

General Info

GLManager.exe

7C89FF18306D4E50E4BBD2BDFCD62DB4

93698A1D85176D811E6CC25B7265A8D2C88FCA7A

2A6A1509DBBBC3AC7EC0479B363C3533645488FAF9C8B4B725B8D9D93EB0A2C3

393216:jtj4SwVBplcSykMOlcx5HlfIHnMZ7Pso4X7Jay1w84Bv2MC:jtj4SwVBplczOlUZtz7ETXMy1AJ2MC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the BIOS version

The process checks if it is being run in the virtual environment

There is functionality for taking screenshot (YARA)

Executable content was dropped or overwritten

Drops the executable file immediately after the start

INFO

Creates files in the program directory

Checks supported languages

Create files in a temporary directory

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings