Malware analysis 01759319 Malicious activity | ANY.RUN

Add for printing

File name:	01759319
Full analysis:	https://app.any.run/tasks/f11637c6-d09b-40d7-8857-13a6803c271b
Verdict:	Malicious activity
Analysis date:	January 09, 2020, 01:17:46
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D5D9D98058E46B1FFF2E19084519FB55
SHA1:	C164661D62A75539FC1E97810BE62FE11D5DA61A
SHA256:	76613CD0915C03EBDCC61C148E7F4BEB48654F54794250FD5B5E9086E0CF56BA
SSDEEP:	393216:rJaHsJ05YjNlPZcnUd250JgD/yok8kAzmXvDaX6:rIwSWpZvACWDvt+f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Changes settings of System certificates
  - Config.exe (PID: 3752)
- Loads the Task Scheduler COM API
  - gsagent.exe (PID: 3844)
- Loads dropped or rewritten executable
  - GsAgent.exe (PID: 2356)
  - Config.exe (PID: 3752)
  - GsAgent.exe (PID: 2412)
  - Config.exe (PID: 3432)
  - Installer.exe (PID: 4088)
  - gsagent.exe (PID: 3844)
- Application was dropped or rewritten from another process
  - GsAgent.exe (PID: 2412)
  - Config.exe (PID: 3752)
  - GsAgent.exe (PID: 2356)
  - Config.exe (PID: 3432)
  - Installer.exe (PID: 4088)
  - gsagent.exe (PID: 3844)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 01759319.exe (PID: 1784)
  - Installer.exe (PID: 4088)
  - gsagent.exe (PID: 3844)
- Creates files in the Windows directory
  - Config.exe (PID: 3752)
  - Installer.exe (PID: 4088)
  - gsagent.exe (PID: 3844)
- Adds / modifies Windows certificates
  - Config.exe (PID: 3752)
- Creates files in the program directory
  - GsAgent.exe (PID: 2356)
  - GsAgent.exe (PID: 2412)
  - gsagent.exe (PID: 3844)
  - Installer.exe (PID: 4088)
- Executed as Windows Service
  - gsagent.exe (PID: 3844)
- Removes files from Windows directory
  - gsagent.exe (PID: 3844)
- Creates or modifies windows services
  - gsagent.exe (PID: 3844)
- Creates a software uninstall entry
  - gsagent.exe (PID: 3844)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:11:05 11:52:42+01:00
PEType:	PE32
LinkerVersion:	14
CodeSize:	504320
InitializedDataSize:	251904
UninitializedDataSize:	-
EntryPoint:	0x586f7
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	4.0.0.0
ProductVersionNumber:	4.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Korean
CharacterSet:	Unicode
CompanyName:	GENIANS, INC.
FileDescription:	PackagerEx
FileVersion:	4.0.0.0
InternalName:	Packager.exe
LegalCopyright:	GENIANS, INC. All rights reserved.
OriginalFileName:	Packager.exe
PrivateBuild:	BN-201811051952-R1- -R
ProductName:	GENIAN
ProductVersion:	4.0.0.0

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	05-Nov-2018 10:52:42
Detected languages:	English - United States Korean - Korea
Debug artifacts:	X:\WORK\GENIANS\ALDER\branches\branches\CURRENT\agentu\Genian\Etc\Installer\Packager\x86\Release\Packager.pdb
CompanyName:	GENIANS, INC.
FileDescription:	PackagerEx
FileVersion:	4.0.0.0
InternalName:	Packager.exe
LegalCopyright:	GENIANS, INC. All rights reserved.
OriginalFilename:	Packager.exe
PrivateBuild:	BN-201811051952-R1- -R
ProductName:	GENIAN
ProductVersion:	4.0.0.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000130

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	8
Time date stamp:	05-Nov-2018 10:52:42
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0007B1E7	0x0007B200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.65241
.rdata	0x0007D000	0x00025556	0x00025600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.25768
.data	0x000A3000	0x00006C4C	0x00002600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.13082
.gfids	0x000AA000	0x00001A04	0x00001C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.79971
.giats	0x000AC000	0x00000004	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0.0407808
.tls	0x000AD000	0x00000009	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0203931
.rsrc	0x000AE000	0x00008190	0x00008200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.67801
.reloc	0x000B7000	0x00007174	0x00007200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.6332

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.16876	1985	UNKNOWN	English - United States	RT_MANIFEST
2	6.19437	2440	UNKNOWN	Korean - Korea	RT_ICON
3	6.6398	3240	UNKNOWN	Korean - Korea	RT_ICON
4	5.69557	9640	UNKNOWN	Korean - Korea	RT_ICON
5	3.02695	308	UNKNOWN	Korean - Korea	RT_CURSOR
6	2.74274	180	UNKNOWN	Korean - Korea	RT_CURSOR
7	2.34038	308	UNKNOWN	Korean - Korea	RT_CURSOR
8	2.34004	308	UNKNOWN	Korean - Korea	RT_CURSOR
9	2.51649	308	UNKNOWN	Korean - Korea	RT_CURSOR
10	2.45401	308	UNKNOWN	Korean - Korea	RT_CURSOR

Imports


ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINSPOOL.DRV

Exports

Title	Ordinal	Address
?Compress@@YA_NPAEK0AAK@Z	1	0x00029C10
?Uncompress@@YA_NPAEK0AAK@Z	2	0x00029C60
?UnzipFile@@YA_NPB_W0_NHPA_NP6AXHH@Z@Z	3	0x00028C30
?UnzipFileClose@@YAXPAX@Z	4	0x00029700
?UnzipFileCount@@YAKPB_W@Z	5	0x00029510
?UnzipFileForSelect@@YA_NPB_WAAV?$vector@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V?$allocator@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@std@@0_NHPA_NP6AXHH@Z@Z	6	0x00029240
?UnzipFileInfo@@YA_NPAXAAU_ZIPLIB_FILEINFO@@@Z	7	0x00029840
?UnzipFileOpen@@YAPAXPB_W@Z	8	0x00029630
?UnzipGotoFirstFile@@YA_NPAX@Z	9	0x00029740
?UnzipGotoNextFile@@YA_NPAX@Z	10	0x000297B0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1784

"C:\Users\admin\AppData\Local\Temp\01759319.exe"

C:\Users\admin\AppData\Local\Temp\01759319.exe

explorer.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

HIGH

Description:

PackagerEx

Exit code:

Version:

4.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\01759319.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv

2356

"C:\Program Files\Geni\Insights\GsAgent.exe" --install

C:\Program Files\Geni\Insights\GsAgent.exe

—

Config.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

HIGH

Description:

Genian Insights E Agent for Windows

Exit code:

Version:

1.5.109.1113

Modules

Images
c:\program files\geni\insights\gsagent.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2412

"C:\Program Files\Geni\Insights\GsAgent.exe"

C:\Program Files\Geni\Insights\GsAgent.exe

—

Config.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

HIGH

Description:

Genian Insights E Agent for Windows

Exit code:

4294967295

Version:

1.5.109.1113

Modules

Images
c:\program files\geni\insights\gsagent.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3400

"C:\Users\admin\AppData\Local\Temp\01759319.exe"

C:\Users\admin\AppData\Local\Temp\01759319.exe

—

explorer.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

MEDIUM

Description:

PackagerEx

Exit code:

3221226540

Version:

4.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\01759319.exe
c:\systemroot\system32\ntdll.dll

3432

"C:\PROGRAM FILES\Geni\Insights\Config.exe" -i

C:\PROGRAM FILES\Geni\Insights\Config.exe

—

Installer.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

HIGH

Description:

Genian Insights E Configuration tool

Exit code:

Version:

1.5.107.23

Modules

Images
c:\program files\geni\insights\config.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3752

"C:\Users\admin\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\Config.exe" -c

C:\Users\admin\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\Config.exe

—

Installer.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

HIGH

Description:

Genian Insights E Configuration tool

Exit code:

Version:

1.5.107.23

Modules

Images
c:\users\admin\appdata\local\temp\$gnpack_5daa0763$\config.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3844

"C:\Program Files\Geni\Insights\gsagent.exe" --service

C:\Program Files\Geni\Insights\gsagent.exe

services.exe

User:

SYSTEM

Company:

GENIANS, INC.

Integrity Level:

SYSTEM

Description:

Genian Insights E Agent for Windows

Exit code:

Version:

1.5.109.1113

Modules

Images
c:\program files\geni\insights\gsagent.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

4088

"C:\Users\admin\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\Installer.exe" "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\INSTALL.isf" "/N:25.147.117.1"

C:\Users\admin\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\Installer.exe

01759319.exe

User:

admin

Company:

GENIANS, INC.

Integrity Level:

HIGH

Description:

GENIANS Software Install Manager

Exit code:

3221225725

Version:

4.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\$gnpack_5daa0763$\installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll

Add for printing

Total events

976

Read events

885

Write events

Delete events

Modification events


(PID) Process:	(1784) 01759319.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(1784) 01759319.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3752) Config.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3752) Config.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:	write	Name:	Blob
Value: 0400000001000000100000008CCADC0B22CEF5BE72AC411A11A8D8120F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B81190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D2000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:	(4088) Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(4088) Installer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(4088) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Geni\Insights\Install
Operation:	write	Name:	InstallPath
Value: C:\PROGRAM FILES\Geni\Insights
(PID) Process:	(4088) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Geni\Insights\Install
Operation:	write	Name:	RunAppPath
Value: C:\PROGRAM FILES\Geni\Insights\GsAgent.exe
(PID) Process:	(4088) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Geni\Insights\Install
Operation:	write	Name:	RunAppName
Value: GsAgent.exe
(PID) Process:	(4088) Installer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Geni\Insights\Install
Operation:	write	Name:	UpdateAppPath
Value: C:\PROGRAM FILES\Geni\Insights\XUpdate.exe

Add for printing

Executable files

260

Suspicious files

Text files

106

Unknown types

Dropped files

PID	Process	Filename		Type
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:F4604E259459F5A0D5BE6914A6D4C5FB	SHA256:BCE066193FEB60B08EDF4CBEB490AAAA5DFFEB8A63A720CADF948748A9AF4B8F
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-handle-l1-1-0.dll		executable
		MD5:0A0084D4B3635E4D8EBAB587DCFCC16C	SHA256:5089484C8C56AC8E095CADC3DC971DF71EDEB52F856940632821FD37E81AE5CA
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:AD895B2A99A3EC18F1690BBAC1E2037A	SHA256:A11C772B2451B0C9C706B03381819E4A1DEF3E2FBBBA8362509BBE57DBD5C666
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:EA4AE42721460002DC31515F295AD1C4	SHA256:668F91E94E76DB4457184909E6A1AB4655E81A8EF37DC37B4ECFE93146C29A88
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\GenianINSIGHTS_X86.zip		compressed
		MD5:B881E5AD1C0BCDEE3E59B5067AA3CE2A	SHA256:0356DF7F7479595C461729F102AEA069B3B47EDFADD01EC6BA764537C08A18C9
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:405BB6A7CD56CBF5276C3A8DC631963D	SHA256:F654E56C4299F507BC34271B6BAA29290FD4919B853E17D7470596CAD779F063
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-heap-l1-1-0.dll		executable
		MD5:0AEAF9CE58CBD0AF1E30D03B45C21F81	SHA256:9A5952C82CBCB1A8ECE9C51C258667D9AB96D13EC6455873999FF0BF78C3CAB0
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-rtlsupport-l1-1-0.dll		executable
		MD5:0AE94670FBD69ED5F8C923B75CE2C0BD	SHA256:6D541B215CFA452E54DC6AF9317A7FC24043FA465EF2B561E0F245A4870B2705
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-processenvironment-l1-1-0.dll		executable
		MD5:87E0EF2D5DF6F6E18E6EA9171E3D77E7	SHA256:9B5A5536AED84D45A00DA1056AF4762FEC805EABA742C6BF2D2FCA60993711BB
1784	01759319.exe	C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\$GNPACK_5DAA0763$\api-ms-win-core-processthreads-l1-1-1.dll		executable
		MD5:F43A8E9CD787B6D91BB29DBB8EB1A4E5	SHA256:5BACBBE62E36AD0F6D7742E70361F26BC56A44DBD28CC0291F588420E0C218A6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

01759319

D5D9D98058E46B1FFF2E19084519FB55

C164661D62A75539FC1E97810BE62FE11D5DA61A

76613CD0915C03EBDCC61C148E7F4BEB48654F54794250FD5B5E9086E0CF56BA

393216:rJaHsJ05YjNlPZcnUd250JgD/yok8kAzmXvDaX6:rIwSWpZvACWDvt+f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

Loads the Task Scheduler COM API

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the Windows directory

Adds / modifies Windows certificates

Creates files in the program directory

Executed as Windows Service

Removes files from Windows directory

Creates or modifies windows services

Creates a software uninstall entry

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Exports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings