File name: grlevel2_setup.exe

Full analysis: https://app.any.run/tasks/88b0615a-f018-4ff5-98db-ee7c7ae6d6ed
Verdict: Malicious activity
Analysis date: May 11, 2024, 03:33:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9A495ECFFEEB1033F0F9AEB6091F0301
SHA1: AD6A6CDDB4E2E47C6FA220A964221D5C2A98E751
SHA256: 34104BC1322092013FCFD74399767ECA188723A65FE80BE7BB220F16A52D8A72
SSDEEP: 98304:G/8TOFoa831fh3CBmrnV7TSuCnmfGCvhOQ95R12o2dpr4Rm5exgOwnYJ53w+L8Ub:6ukmCw8kJtRo+

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops an executable file immediately after start
      • grlevel2_setup.exe (PID: 1200)
      • is-5NO0F.tmp (PID: 1120)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • grlevel2_setup.exe (PID: 1200)
      • is-5NO0F.tmp (PID: 1120)
    • Reads the Windows owner or organization settings
      • is-5NO0F.tmp (PID: 1120)
    • Process drops a legitimate Windows executable
      • is-5NO0F.tmp (PID: 1120)
    • Detected use of alternate data streams (ADS)
      • grlevel2.exe (PID: 1440)
    • Reads the BIOS version
      • grlevel2.exe (PID: 1440)
  • INFO
    • Checks supported languages
      • grlevel2_setup.exe (PID: 1200)
      • is-5NO0F.tmp (PID: 1120)
      • grlevel2.exe (PID: 1440)
      • wmpnscfg.exe (PID: 1060)
    • Creates files in a temporary directory
      • grlevel2_setup.exe (PID: 1200)
      • is-5NO0F.tmp (PID: 1120)
    • Reads the computer name
      • is-5NO0F.tmp (PID: 1120)
      • grlevel2.exe (PID: 1440)
      • wmpnscfg.exe (PID: 1060)
    • Manual execution by a user
      • grlevel2.exe (PID: 1440)
      • wmpnscfg.exe (PID: 1060)
    • Creates a software uninstall entry
      • is-5NO0F.tmp (PID: 1120)
    • Creates files in the program directory
      • is-5NO0F.tmp (PID: 1120)
      • grlevel2.exe (PID: 1440)
    • Reads the machine GUID from the registry
      • grlevel2.exe (PID: 1440)
    • Creates files or folders in the user directory
      • grlevel2.exe (PID: 1440)
Signature artifacts and their mapping to the MITRE ATT&CK matrix are listed in the full report.
No malware configuration was extracted.

Reading the verdict: every MALICIOUS and SUSPICIOUS hit above is behaviour an Inno Setup installer shows by design (it unpacks its second stage is-XXXXX.tmp into %TEMP%, then writes the application, its uninstaller unins000.exe and an Add/Remove Programs entry). The "Malicious activity" verdict rests on these generic drop-and-execute signatures; no HTTP traffic, no IDS threat and no malware configuration were observed, so judge this sample on the dropped-file hashes and the publisher rather than on the headline verdict alone.

TRiD

.exe | Win32 Executable PowerBASIC/Win 9.x (51.2)
.exe | Inno Setup installer (37.9)
.exe | Win32 Executable Delphi generic (4.9)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00 (the fixed value the Borland/Delphi linker writes into every PE it produces, consistent with LinkerVersion 2.25 and the Inno Setup comment below; it is not the real build time)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 36864
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x97f0
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName:
FileDescription: GRLevel2 Setup
FileVersion:
LegalCopyright:
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph: grlevel2_setup.exe, is-5no0f.tmp, grlevel2.exe, wmpnscfg.exe (no specs), grlevel2_setup.exe (no specs)

Process information

PID 1060
  CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\windows media player\wmpnscfg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll

PID 1120
  CMD: "C:\Users\admin\AppData\Local\Temp\is-IURI5.tmp\is-5NO0F.tmp" /SL4 $3012A "C:\Users\admin\Desktop\grlevel2_setup.exe" 8664369 52224
  Path: C:\Users\admin\AppData\Local\Temp\is-IURI5.tmp\is-5NO0F.tmp
  Parent process: grlevel2_setup.exe
  User: admin
  Integrity level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.42.0.0
  Modules (images):
    c:\users\admin\appdata\local\temp\is-iuri5.tmp\is-5no0f.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll

PID 1200
  CMD: "C:\Users\admin\Desktop\grlevel2_setup.exe"
  Path: C:\Users\admin\Desktop\grlevel2_setup.exe
  Parent process: explorer.exe
  User: admin
  Company: (empty)
  Integrity level: HIGH
  Description: GRLevel2 Setup
  Exit code: 0
  Version: (empty)
  Modules (images):
    c:\users\admin\desktop\grlevel2_setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\oleaut32.dll

PID 1440
  CMD: "C:\Program Files\GRLevelX\GRLevel2\grlevel2.exe"
  Path: C:\Program Files\GRLevelX\GRLevel2\grlevel2.exe
  Parent process: explorer.exe
  User: admin
  Company: Gibson Ridge Software
  Integrity level: MEDIUM
  Description: grlevel2
  Exit code: not recorded
  Version: 0, 9, 0, 1
  Modules (images):
    c:\program files\grlevelx\grlevel2\grlevel2.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll

PID 3968
  CMD: "C:\Users\admin\Desktop\grlevel2_setup.exe"
  Path: C:\Users\admin\Desktop\grlevel2_setup.exe
  Parent process: explorer.exe
  User: admin
  Company: (empty)
  Integrity level: MEDIUM
  Description: GRLevel2 Setup
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: (empty)
  Modules (images):
    c:\users\admin\desktop\grlevel2_setup.exe
    c:\windows\system32\ntdll.dll

The two grlevel2_setup.exe instances are one launch, not two. PID 3968 is the medium-integrity start from explorer.exe: it mapped only its own image and ntdll.dll and ended with NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED), which is what a plain CreateProcess of an executable whose manifest requests administrator rights produces. The installer then ran elevated (integrity HIGH) as PID 1200, which unpacked the Inno Setup second stage into %TEMP% and started it as is-5NO0F.tmp (PID 1120) with the /SL4 switch that points back at the original installer. grlevel2.exe (PID 1440) and wmpnscfg.exe (PID 1060) were launched from explorer.exe by the analyst ("Manual execution by a user" in the indicators).
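The process table above is easier to reason about when the exit codes are decoded and the two launcher patterns (Inno Setup second stage, UAC relaunch) are matched mechanically. The script below is an added example, not ANY.RUN's code; PROCS is transcribed from the report, while the NTSTATUS name table and the command-line shape it matches for an Inno second stage are the example's own assumptions.

```python
"""Triage helpers for the process table of this report (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Small hard-coded subset of NTSTATUS codes that show up as process exit
# codes.  This table is an assumption of the example, not part of the report.
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


@dataclass
class Proc:
    pid: int
    cmd: str
    path: str
    parent: str
    integrity: str
    exit_code: Optional[int] = None
    modules: List[str] = field(default_factory=list)


def decode_exit_code(code: Optional[int]) -> str:
    """Exit codes at or above 0xC0000000 are NTSTATUS errors, not app return values."""
    if code is None:
        return "not recorded"
    if code >= 0xC0000000:
        return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')})"
    return str(code)


def is_inno_second_stage(p: Proc) -> bool:
    """Inno Setup unpacks its real setup program to %TEMP%\\is-XXXXX.tmp\\is-XXXXX.tmp
    and starts it with a /SLn switch that points back at the original installer."""
    staged = re.search(r"\\is-[a-z0-9]{5}\.tmp\\is-[a-z0-9]{5}\.tmp$", p.path, re.I)
    return staged is not None and re.search(r"\s/SL\d\b", p.cmd) is not None


def loader_only(p: Proc) -> bool:
    """Only the image and ntdll.dll mapped: the process was torn down during
    creation, before kernel32.dll was loaded and before any of its code ran."""
    names = {m.rsplit("\\", 1)[-1].lower() for m in p.modules}
    return bool(names) and names <= {p.path.rsplit("\\", 1)[-1].lower(), "ntdll.dll"}


def elevation_relaunches(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Pair a MEDIUM instance that ended with STATUS_ELEVATION_REQUIRED with a
    HIGH instance of the same image: the UAC relaunch pattern."""
    by_image: Dict[str, List[Proc]] = {}
    for p in procs:
        by_image.setdefault(p.path.lower(), []).append(p)
    pairs: List[Tuple[int, int]] = []
    for group in by_image.values():
        failed = [p for p in group if p.integrity == "MEDIUM" and p.exit_code == 0xC000042C]
        elevated = [p for p in group if p.integrity == "HIGH"]
        pairs.extend((f.pid, e.pid) for f in failed for e in elevated)
    return pairs


def triage(procs: List[Proc]) -> Dict[str, object]:
    return {
        "second_stage": [p.pid for p in procs if is_inno_second_stage(p)],
        "uac_relaunch": elevation_relaunches(procs),
        "elevated": sorted(p.pid for p in procs if p.integrity == "HIGH"),
        "exit_codes": {p.pid: decode_exit_code(p.exit_code) for p in procs},
    }


# Transcribed from the report; only PID 3968's module list is kept because it
# is the one the loader_only check needs.
PROCS = [
    Proc(1060, r'"C:\Program Files\Windows Media Player\wmpnscfg.exe"',
         r"C:\Program Files\Windows Media Player\wmpnscfg.exe", "explorer.exe", "MEDIUM", 0),
    Proc(1120, r'"C:\Users\admin\AppData\Local\Temp\is-IURI5.tmp\is-5NO0F.tmp" /SL4 $3012A '
               r'"C:\Users\admin\Desktop\grlevel2_setup.exe" 8664369 52224',
         r"C:\Users\admin\AppData\Local\Temp\is-IURI5.tmp\is-5NO0F.tmp",
         "grlevel2_setup.exe", "HIGH", 0),
    Proc(1200, r'"C:\Users\admin\Desktop\grlevel2_setup.exe"',
         r"C:\Users\admin\Desktop\grlevel2_setup.exe", "explorer.exe", "HIGH", 0),
    Proc(1440, r'"C:\Program Files\GRLevelX\GRLevel2\grlevel2.exe"',
         r"C:\Program Files\GRLevelX\GRLevel2\grlevel2.exe", "explorer.exe", "MEDIUM", None),
    Proc(3968, r'"C:\Users\admin\Desktop\grlevel2_setup.exe"',
         r"C:\Users\admin\Desktop\grlevel2_setup.exe", "explorer.exe", "MEDIUM", 3221226540,
         [r"c:\users\admin\desktop\grlevel2_setup.exe", r"c:\windows\system32\ntdll.dll"]),
]

if __name__ == "__main__":
    for key, value in triage(PROCS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the second-stage PID (1120), the relaunch pair (3968, 1200), the elevated PIDs and the decoded exit codes; the same functions can be pointed at any other report's process table once it is transcribed into Proc records.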
Total events: 3,122
Read events: 3,103
Write events: 19
Delete events: 0

Modification events

All ten registry writes are by PID 1120 (is-5NO0F.tmp) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GRLevel2_is1, the Add/Remove Programs entry Inno Setup creates (the _is1 suffix is Inno's naming convention):

  Inno Setup: Setup Version = 5.1.6
  Inno Setup: App Path      = C:\Program Files\GRLevelX\GRLevel2
  InstallLocation           = C:\Program Files\GRLevelX\GRLevel2\
  Inno Setup: Icon Group    = GRLevelX\GRLevel2
  Inno Setup: User          = admin
  DisplayName               = GRLevel2 version 1.43
  DisplayIcon               = C:\Program Files\GRLevelX\GRLevel2\grlevel2.exe
  UninstallString           = "C:\Program Files\GRLevelX\GRLevel2\unins000.exe"
  QuietUninstallString      = "C:\Program Files\GRLevelX\GRLevel2\unins000.exe" /SILENT
  NoModify                  = 1
Executable files: 7
Suspicious files: 9
Text files: 13
Unknown types: 0

Dropped files

All entries were written by PID 1120 (is-5NO0F.tmp). Where the report records no type or hash the fields are marked as such.

1120  C:\Program Files\GRLevelX\GRLevel2\is-ALRBH.tmp  (type and hashes not recorded)
1120  C:\Program Files\GRLevelX\GRLevel2\counties.gis  (type and hashes not recorded)
1120  C:\Program Files\GRLevelX\GRLevel2\is-8O3IV.tmp  (type and hashes not recorded)
1120  C:\Program Files\GRLevelX\GRLevel2\roads.gis  (type and hashes not recorded)
1120  C:\Program Files\GRLevelX\GRLevel2\is-D13LH.tmp  (executable)
      MD5:    E70FDBE0016E16A3B4844DD164EA080B
      SHA256: 1E5291FE71E1B493A2F68AFFA6CB26B2278D98F2BAEFC8B0A2CB3BDD32FEC419
1120  C:\Program Files\GRLevelX\GRLevel2\is-RMF0S.tmp  (executable)
      MD5:    D6ABC3C44E97BEEEA534E33E93AE97B4
      SHA256: 2A2A7409F4C700C1A15FEDB83BDF34DDEF0CBA671BF936F2876BA1040B3BB795
1120  C:\Users\admin\AppData\Local\Temp\is-D8G8P.tmp\_isetup\_shfoldr.dll  (executable)
      MD5:    92DC6EF532FBB4A5C3201469A5B5EB63
      SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
1120  C:\Program Files\GRLevelX\GRLevel2\grlevel2.exe  (executable)
      MD5:    E70FDBE0016E16A3B4844DD164EA080B
      SHA256: 1E5291FE71E1B493A2F68AFFA6CB26B2278D98F2BAEFC8B0A2CB3BDD32FEC419
1120  C:\Program Files\GRLevelX\GRLevel2\unins000.exe  (executable)
      MD5:    D6ABC3C44E97BEEEA534E33E93AE97B4
      SHA256: 2A2A7409F4C700C1A15FEDB83BDF34DDEF0CBA671BF936F2876BA1040B3BB795
1120  C:\Users\admin\AppData\Local\Temp\is-D8G8P.tmp\_isetup\_RegDLL.tmp  (executable)
      MD5:    BB211D7A8CEA15072DE7425403508C17
      SHA256: E71EC712064F193C367B0BB95A07A6DD9EB450BE1BE12CD48073FEFA1C3E0E58

Note the duplicate hashes: is-D13LH.tmp and grlevel2.exe are the same bytes, as are is-RMF0S.tmp and unins000.exe. Inno Setup writes each file under a temporary is-XXXXX.tmp name and renames it into place, so the sandbox records the content twice. The two uninstall-key values that name executables (DisplayIcon and UninstallString) point at grlevel2.exe and unins000.exe, both present in this list. Only four distinct executables were dropped: grlevel2.exe, unins000.exe, and Inno's helper DLLs _shfoldr.dll and _RegDLL.tmp in %TEMP%.
The PCAP, network streams and HTTP content are available in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process       Destination           Domain                        ASN  CN  Reputation
4     System        192.168.100.255:138   -                             -    -   whitelisted
4     System        224.0.0.252:5355      -                             -    -   unknown
4     System        192.168.100.255:137   -                             -    -   whitelisted
1088  svchost.exe   224.0.0.252:5355      -                             -    -   unknown
1440  grlevel2.exe  132.163.96.1:123      time-a.timefreq.bldrdoc.gov   -    -   unknown

The System and svchost.exe rows are ordinary Windows 7 name-resolution noise: 192.168.100.255 on ports 137 and 138 is the NetBIOS name and datagram service broadcast, and 224.0.0.252:5355 is LLMNR multicast. The only connection made by the installed program is grlevel2.exe to port 123 (NTP) on time-a.timefreq.bldrdoc.gov, a NIST Internet Time Service host, and the IP matches the DNS answer below. No HTTP traffic and no IDS threats were recorded.

DNS requests

Domain                        IP             Reputation
time-a.timefreq.bldrdoc.gov   132.163.96.1   whitelisted
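Separating this kind of LAN noise from the one connection that matters is the routine check when reading a sandbox's network table. The script below is an added example, not ANY.RUN's code: CONNECTIONS and DNS are transcribed from the report, the LAN prefix is inferred from the broadcast address 192.168.100.255 (an assumption), the NIST host suffix is the example's only "known NTP server" rule, and EXTRA is a constructed row on a TEST-NET-3 address, not from the report, included only to show the review path firing.

```python
"""Classifying the connection and DNS tables of this report (added example)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Conn(NamedTuple):
    pid: int
    process: str
    dst: str              # "ip:port" exactly as the report prints it
    domain: Optional[str]


# Transcribed from the report.
CONNECTIONS = [
    Conn(4, "System", "192.168.100.255:138", None),
    Conn(4, "System", "224.0.0.252:5355", None),
    Conn(4, "System", "192.168.100.255:137", None),
    Conn(1088, "svchost.exe", "224.0.0.252:5355", None),
    Conn(1440, "grlevel2.exe", "132.163.96.1:123", "time-a.timefreq.bldrdoc.gov"),
]
DNS: Dict[str, List[str]] = {"time-a.timefreq.bldrdoc.gov": ["132.163.96.1"]}

# Assumed from the broadcast address the guest used; adjust for another sandbox.
LAN = ipaddress.ip_network("192.168.100.0/24")
# NIST Internet Time Service hosts; the only rule this example treats as "known NTP".
KNOWN_NTP_SUFFIXES = (".timefreq.bldrdoc.gov",)

# Constructed row (TEST-NET-3 address, not in the report) to exercise the review path.
EXTRA = [Conn(1440, "grlevel2.exe", "203.0.113.5:443", None)]


def split_dst(dst: str) -> Tuple[ipaddress.IPv4Address, int]:
    host, port = dst.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def classify(c: Conn, dns: Dict[str, List[str]]) -> str:
    """Label one row; anything that falls through is an external endpoint with no
    benign explanation and should be opened in the PCAP."""
    ip, port = split_dst(c.dst)
    if ip.is_multicast and port == 5355:
        return "llmnr-multicast"          # 224.0.0.252:5355 is LLMNR name resolution
    if ip == LAN.broadcast_address and port in (137, 138):
        return "netbios-broadcast"        # NetBIOS name service / datagram service
    if ip in LAN or ip.is_loopback:
        return "lan-other"
    if port == 123:
        # Only "known" if the name is on the list AND the IP agrees with the DNS answer,
        # so a hard-coded IP with a decoy hostname in the report does not pass.
        if c.domain and c.domain.endswith(KNOWN_NTP_SUFFIXES) and str(ip) in dns.get(c.domain, []):
            return "ntp-nist"
        return "ntp-unlisted-server"
    return "review"


def needs_review(conns: List[Conn], dns: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """Rows whose label means a human should look at the traffic."""
    return [(c.pid, c.dst, label) for c in conns
            if (label := classify(c, dns)) in ("review", "ntp-unlisted-server")]


def unresolved_external(conns: List[Conn], dns: Dict[str, List[str]]) -> List[Tuple[int, str]]:
    """External destinations reached without any DNS answer for their IP: a direct-to-IP
    connection is worth a look even when the port is a common one."""
    resolved = {ip for answers in dns.values() for ip in answers}
    out = []
    for c in conns:
        ip, _ = split_dst(c.dst)
        if not (ip.is_multicast or ip in LAN or ip.is_loopback) and str(ip) not in resolved:
            out.append((c.pid, c.dst))
    return out


if __name__ == "__main__":
    for c in CONNECTIONS + EXTRA:
        print(f"{c.pid:>5} {c.process:<13} {c.dst:<22} {classify(c, DNS)}")
    print("review:", needs_review(CONNECTIONS + EXTRA, DNS))
    print("direct-to-IP:", unresolved_external(CONNECTIONS + EXTRA, DNS))
```

For this report every row is explained and both review lists are empty; the constructed EXTRA row shows what an unexplained external connection from grlevel2.exe would have looked like.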

Threats

No threats detected
Debug output strings

Process       Message
grlevel2.exe  %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
grlevel2.exe  %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

Both entries are the same string of %s placeholders; no substituted values were captured.