analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://download.garmin.com/omt/express/GarminExpress.exe

Full analysis: https://app.any.run/tasks/2e2902a1-f1e4-4f5a-a88e-12ea66e1f9f1
Verdict: Malicious activity
Analysis date: October 09, 2019, 18:20:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

2CE9AB9DC5C16C771BB97EB61E0FA9B2

SHA1:

76CE9673349A969A147A1000D1824094930546CA

SHA256:

32D1D9BDC0215AF4F0708B3BB0E7FA6625A4D76BCC24E82705B659FF5EF9D4EC

SSDEEP:

3:N8SEl3IMl6IfYD6L4A:2SKBl68YrA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GarminExpressInstaller.exe (PID: 3028)
      • GarminExpress.exe (PID: 2508)
      • GarminExpress.exe (PID: 1996)
      • LegacyApplicationsUninstaller.exe (PID: 1460)
      • express.exe (PID: 2872)
    • Loads dropped or rewritten executable

      • GarminExpress.exe (PID: 1996)
      • rundll32.exe (PID: 3892)
      • rundll32.exe (PID: 1172)
      • rundll32.exe (PID: 2176)
      • rundll32.exe (PID: 3040)
      • rundll32.exe (PID: 2692)
      • express.exe (PID: 2872)
    • Changes the autorun value in the registry

      • GarminExpressInstaller.exe (PID: 3028)
    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 2176)
    • Changes settings of System certificates

      • express.exe (PID: 2872)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GarminExpress.exe (PID: 2508)
      • chrome.exe (PID: 1228)
      • GarminExpressInstaller.exe (PID: 3028)
      • chrome.exe (PID: 732)
      • GarminExpress.exe (PID: 1996)
      • rundll32.exe (PID: 2176)
      • rundll32.exe (PID: 3040)
      • MsiExec.exe (PID: 2752)
      • msiexec.exe (PID: 1912)
      • DrvInst.exe (PID: 3400)
    • Starts itself from another location

      • GarminExpress.exe (PID: 1996)
    • Creates files in the program directory

      • GarminExpressInstaller.exe (PID: 3028)
      • express.exe (PID: 2872)
    • Searches for installed software

      • GarminExpressInstaller.exe (PID: 3028)
    • Executed as Windows Service

      • vssvc.exe (PID: 2320)
    • Executed via COM

      • DrvInst.exe (PID: 4028)
      • DrvInst.exe (PID: 3400)
      • DrvInst.exe (PID: 2296)
    • Creates a software uninstall entry

      • GarminExpressInstaller.exe (PID: 3028)
    • Uses RUNDLL32.EXE to load library

      • MsiExec.exe (PID: 3720)
    • Uses TASKKILL.EXE to kill process

      • MsiExec.exe (PID: 3720)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 1912)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 1912)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 3400)
      • DrvInst.exe (PID: 2296)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 3400)
      • DrvInst.exe (PID: 2296)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 3400)
      • DrvInst.exe (PID: 2296)
    • Adds / modifies Windows certificates

      • express.exe (PID: 2872)
  • INFO

    • Reads Internet Cache Settings

      • chrome.exe (PID: 732)
    • Reads the hosts file

      • chrome.exe (PID: 732)
      • chrome.exe (PID: 1228)
      • express.exe (PID: 2872)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2320)
    • Application launched itself

      • chrome.exe (PID: 732)
      • msiexec.exe (PID: 1912)
    • Dropped object may contain Bitcoin addresses

      • GarminExpress.exe (PID: 1996)
      • msiexec.exe (PID: 1912)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3720)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1912)
      • MsiExec.exe (PID: 2752)
    • Creates files in the program directory

      • MsiExec.exe (PID: 2752)
      • msiexec.exe (PID: 1912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
33
Malicious processes
13
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs garminexpress.exe garminexpress.exe garminexpressinstaller.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe msiexec.exe no specs rundll32.exe no specs rundll32.exe taskkill.exe no specs rundll32.exe no specs rundll32.exe rundll32.exe no specs legacyapplicationsuninstaller.exe no specs msiexec.exe no specs msiexec.exe drvinst.exe drvinst.exe no specs express.exe

Process information

PID
CMD
Path
Indicators
Parent process
732"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download.garmin.com/omt/express/GarminExpress.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
3792"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fb2a9d0,0x6fb2a9e0,0x6fb2a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
864"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3084 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
184"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2725320405656820203 --mojo-platform-channel-handle=1048 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1228"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=5681374841160907610 --mojo-platform-channel-handle=1604 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2348"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9363932903925655610 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2632"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11643059644545172494 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3368"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5568758084581362921 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3596"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=10643771167717969046 --mojo-platform-channel-handle=3512 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2964"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6477592575348405710 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 889
Read events
1 930
Write events
0
Delete events
0

Modification events

No data
Executable files
208
Suspicious files
105
Text files
206
Unknown types
21

Dropped files

PID
Process
Filename
Type
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
MD5:
SHA256:
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
MD5:
SHA256:
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\912fd922-2205-443a-ba22-3705adc83aa3.tmp
MD5:
SHA256:
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF100fc1.TMPtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF10104e.TMPtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF100fe0.TMPtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
732chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
21
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2872
express.exe
GET
403
104.18.217.73:80
http://download.garmin.com/garmindlm/temp.tmp
US
html
1.45 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1228
chrome.exe
172.217.18.99:443
ssl.gstatic.com
Google Inc.
US
whitelisted
2872
express.exe
104.18.77.231:443
Cloudflare Inc
US
unknown
1228
chrome.exe
172.217.22.110:443
clients1.google.com
Google Inc.
US
whitelisted
1228
chrome.exe
172.217.18.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2872
express.exe
104.19.213.29:443
serviceregistry.garmin.com
Cloudflare Inc
US
unknown
2872
express.exe
104.18.217.73:80
download.garmin.com
Cloudflare Inc
US
shared
2872
express.exe
104.19.174.78:443
omt.garmin.com
Cloudflare Inc
US
unknown
1228
chrome.exe
172.217.16.132:443
www.google.com
Google Inc.
US
whitelisted
1228
chrome.exe
172.217.22.13:443
accounts.google.com
Google Inc.
US
whitelisted
1228
chrome.exe
104.18.217.73:443
download.garmin.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.3
whitelisted
download.garmin.com
  • 104.18.218.73
  • 104.18.217.73
whitelisted
accounts.google.com
  • 172.217.22.13
shared
www.google.com
  • 172.217.16.132
whitelisted
ssl.gstatic.com
  • 172.217.18.99
whitelisted
www.gstatic.com
  • 172.217.18.99
whitelisted
safebrowsing.googleapis.com
  • 172.217.18.10
whitelisted
clients1.google.com
  • 172.217.22.110
whitelisted
serviceregistry.garmin.com
  • 104.19.213.29
  • 104.19.212.29
unknown
omt.garmin.com
  • 104.19.174.78
  • 104.19.173.78
unknown

Threats

No threats detected
No debug info