URL:

http://www.plotsoft.com/download/gs901w32.exe

Full analysis: https://app.any.run/tasks/d250088d-ecd6-45b2-9b38-7cccdeb7f980
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 25, 2022, 06:56:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

957A0D4566607309C915C53851E2A93C

SHA1:

DAEA5A0530A61AB18C8256B6BE8C0DB6A6F1E70C

SHA256:

9B2AF57B1533760734DF88E1725233D5F78415FAC2B71BEFFD893B76AC657E39

SSDEEP:

3:N1KJS4CtR8L2kkC:Cc4CtR8hkC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • iexplore.exe (PID: 3328)
      • iexplore.exe (PID: 2956)
      • gs901w32.exe (PID: 3104)
      • setupgs.exe (PID: 1800)

    • Application was dropped or rewritten from another process

      • gs901w32.exe (PID: 2472)
      • gs901w32.exe (PID: 3104)
      • setupgs.exe (PID: 1800)
      • gswin32.exe (PID: 2680)

    • Loads dropped or rewritten executable

      • gswin32.exe (PID: 2680)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3328)

    • Drops a file with a compile date too recent

      • iexplore.exe (PID: 3328)
      • iexplore.exe (PID: 2956)
      • gs901w32.exe (PID: 3104)
      • setupgs.exe (PID: 1800)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3328)
      • iexplore.exe (PID: 2956)
      • setupgs.exe (PID: 1800)
      • gs901w32.exe (PID: 3104)

    • Checks supported languages

      • gs901w32.exe (PID: 3104)
      • setupgs.exe (PID: 1800)
      • gswin32.exe (PID: 2680)

    • Creates a directory in Program Files

      • setupgs.exe (PID: 1800)

    • Creates files in the user directory

      • setupgs.exe (PID: 1800)

    • Creates a software uninstall entry

      • setupgs.exe (PID: 1800)

    • Reads the computer name

      • setupgs.exe (PID: 1800)

    • Creates files in the program directory

      • setupgs.exe (PID: 1800)

  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3328)

    • Checks supported languages

      • iexplore.exe (PID: 3328)
      • iexplore.exe (PID: 2956)

    • Application launched itself

      • iexplore.exe (PID: 2956)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2956)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2956)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3328)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2956)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 2956)

    • Changes internet zones settings

      • iexplore.exe (PID: 2956)

    • Manual execution by user

      • gswin32.exe (PID: 2680)

    • Creates files in the user directory

      • iexplore.exe (PID: 2956)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2956)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start iexplore.exe iexplore.exe gs901w32.exe no specs gs901w32.exe setupgs.exe gswin32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1800setupgs.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\setupgs.exe
gs901w32.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\wzse0.tmp\setupgs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
2472"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\gs901w32.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\gs901w32.exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\gs901w32.exe
c:\windows\system32\ntdll.dll
2680"C:\Program Files\gs\gs9.01\bin\gswin32.exe" "-IC:\Program Files\gs\gs9.01\lib;C:\Program Files\gs\fonts"C:\Program Files\gs\gs9.01\bin\gswin32.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\program files\gs\gs9.01\bin\gswin32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2956"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.plotsoft.com/download/gs901w32.exe"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3104"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\gs901w32.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\gs901w32.exe
iexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\gs901w32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
3328"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
8 320
Read events
8 178
Write events
140
Delete events
2

Modification events

(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30955633
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30955633
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2956) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
12
Suspicious files
17
Text files
591
Unknown types
103

Dropped files

PID
Process
Filename
Type
3328iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\gs901w32[1].exeexecutable
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:
SHA256:
3328iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\gs901w32.exe.r1lz6o8.partialexecutable
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFC9B2DE7548699F69.TMPgmc
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{DF94DBF5-C464-11EC-B7B7-12A9866C77DE}.datbinary
MD5:
SHA256:
3104gs901w32.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\gs9.01\bin\gsdll32.libobj
MD5:
SHA256:
3104gs901w32.exeC:\Users\admin\AppData\Local\Temp\WZSE0.TMP\filelist.txttext
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{E90D937C-C464-11EC-B7B7-12A9866C77DE}.datbinary
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\gs901w32.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
12
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3328
iexplore.exe
GET
200
192.254.190.68:80
http://www.plotsoft.com/download/gs901w32.exe
US
executable
14.7 Mb
suspicious
2956
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/DigiCertGlobalRootCA.crl
US
der
631 b
whitelisted
2956
iexplore.exe
GET
200
8.248.137.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7dd2f3291066ef71
US
compressed
4.70 Kb
whitelisted
2956
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
US
der
471 b
whitelisted
2956
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3328
iexplore.exe
192.254.190.68:80
www.plotsoft.com
Unified Layer
US
suspicious
2956
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2956
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2956
iexplore.exe
8.248.137.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
2956
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2956
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2956
iexplore.exe
204.79.197.200:443
ieonline.microsoft.com
Microsoft Corporation
US
whitelisted
96.16.143.41:443
go.microsoft.com
Akamai International B.V.
US
whitelisted
2956
iexplore.exe
96.16.143.41:443
go.microsoft.com
Akamai International B.V.
US
whitelisted
131.253.33.203:443
www.msn.com
Microsoft Corporation
US
malicious

DNS requests

Domain
IP
Reputation
www.plotsoft.com
  • 192.254.190.68
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 8.248.137.254
  • 8.241.89.126
  • 8.253.204.120
  • 67.27.234.126
  • 8.241.90.126
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 96.16.143.41
whitelisted

Threats

PID
Process
Class
Message
3328
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.plotsoft.com/download/gs901w32.exe