File name: | gplgs.exe |
Full analysis: | https://app.any.run/tasks/11efb54c-553c-4a0b-821f-95d9b507da5f |
Verdict: | Malicious activity |
Analysis date: | February 21, 2020, 18:24:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | - |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | BF9F58A65F6954406E6DCD29BB458A19 |
SHA1: | 9302E9671FD31D6CE714817D354194897AC42BDC |
SHA256: | AD578753BFC7F03FBFDE3DEA1DA4C281153B12EE9369709A616F6B0149A7434C |
SSDEEP: | 196608:GpHHh4vA+IS5m3twMpmtdtBmdQUB2Y6+UsAl0XvUrxV6:ch4vA+IS5m3tBQQQ661lgvUc |
Extension | File type (TrID signature) | Match (%) |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 32.1 |
.exe | Win64 Executable (generic) | 28.5 |
.exe | Winzip Win32 self-extracting archive (generic) | 23.7 |
.dll | Win32 Dynamic Link Library (generic) | 6.7 |
.exe | Win32 Executable (generic) | 4.6 |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2001:01:09 15:09:05+01:00 |
PEType: | PE32 |
LinkerVersion: | 5.1 |
CodeSize: | 22016 |
InitializedDataSize: | 10752 |
UninitializedDataSize: | - |
EntryPoint: | 0x3f8f |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Jan-2001 14:09:05 |
Detected languages: | - |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000C8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 09-Jan-2001 14:09:05 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | - |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005486 | 0x00005600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45543 |
.rdata | 0x00007000 | 0x00000BD2 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.0843 |
.data | 0x00008000 | 0x00001735 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.88046 |
.rsrc | 0x0000A000 | 0x00000508 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.53334 |
_winzip_ | 0x0000B000 | 0x007B2000 | 0x007B2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 7.99903 |

Note: `_winzip_` is 0x7B2000 bytes in both virtual and raw size, is marked as initialized data rather than code, and has an entropy of 7.999, i.e. it is effectively incompressible. Together with the WinZip self-extractor signature above and the WZSE0.TMP extraction directory in the process and file lists below, this is the compressed archive payload carried by the self-extractor stub; the four small sections before it are the stub itself.
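As an added example, not code from the any.run report nor from Ghostscript or WinZip, the following stdlib-only Python walks the same DOS header, COFF header, optional header and section table fields listed above and computes per-section Shannon entropy, the check that makes a compressed payload section such as `_winzip_` stand out in triage. `build_sample_image()` constructs a small synthetic PE that reuses the report's header values (e_lfanew 0xC8, i386, PE32, linker 5.1, entry point 0x3f8f, GUI subsystem, 09-Jan-2001 14:09:05 timestamp) with two constructed section bodies; the entropy threshold of 7.9 is an assumption. Run it with a file path to analyse a real binary such as gplgs.exe instead of the constructed image.

```python
"""Added example: stdlib-only PE header walk with per-section Shannon entropy, so a
compressed payload section like the report's `_winzip_` (entropy 7.999) stands out."""
import math, struct, sys
from collections import Counter
from datetime import datetime, timezone
from typing import Any, Dict, List, NamedTuple

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550        # "MZ", "PE\0\0"
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
MACHINES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
COFF_HEADER = struct.Struct("<HHIIIHH")           # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")     # IMAGE_SECTION_HEADER, 40 bytes

Section = NamedTuple("Section", [("name", str), ("virtual_address", int), ("virtual_size", int),
                                 ("raw_size", int), ("raw_pointer", int), ("characteristics", int), ("entropy", float)])

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; compressed/encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(image: bytes) -> Dict[str, Any]:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = COFF_HEADER.unpack_from(image, coff)
    opt = coff + COFF_HEADER.size
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", image, opt)
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]      # same offset in PE32 and PE32+
    sections: List[Section] = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = SECTION_HEADER.unpack_from(
            image, opt + opt_size + i * SECTION_HEADER.size)
        body = image[rawptr:rawptr + rawsize]                     # raw bytes as stored on disk
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rawsize, rawptr, sc, shannon_entropy(body)))
    return {"e_lfanew": e_lfanew, "machine": MACHINES.get(machine, hex(machine)),
            "number_of_sections": nsections, "optional_header_size": opt_size, "characteristics": chars,
            "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "linker_version": f"{linker_major}.{linker_minor}", "entry_point": entry,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)), "sections": sections}

def suspicious_sections(sections: List[Section], entropy_threshold: float = 7.9) -> List[str]:
    """Triage heuristics (threshold is an assumption): near-8-bit entropy or writable+executable."""
    findings = []
    for s in sections:
        if s.entropy >= entropy_threshold:
            findings.append(f"{s.name}: entropy {s.entropy:.3f} over {s.raw_size:#x} raw bytes")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable")
    return findings

def build_sample_image() -> bytes:
    """Constructed test image, not the report's sample: same e_lfanew (0xC8), i386, PE32, linker 5.1,
    entry point 0x3f8f, GUI subsystem and build timestamp as the report, but only two small sections."""
    e_lfanew, headers_size = 0xC8, 0x400
    text_body = b"\x55\x8b\xec" * 0x200            # three symbols -> entropy log2(3), about 1.585
    payload_body = bytes(range(256)) * 16          # every byte value equally often -> entropy 8.0
    build_time = int(datetime(2001, 1, 9, 14, 9, 5, tzinfo=timezone.utc).timestamp())
    img = bytearray(e_lfanew)                      # DOS header + stub padding up to e_lfanew
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += struct.pack("<I", IMAGE_NT_SIGNATURE)
    img += COFF_HEADER.pack(0x14C, 2, build_time, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)                          # PE32 optional header
    struct.pack_into("<HBB", opt, 0, 0x10B, 5, 1)  # magic, linker major.minor
    struct.pack_into("<I", opt, 16, 0x3F8F)        # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x00400000, 0x1000, 0x200)   # ImageBase, section/file alignment
    struct.pack_into("<H", opt, 68, 2)             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    img += opt
    text_ptr, payload_ptr = headers_size, headers_size + len(text_body)
    img += SECTION_HEADER.pack(b".text", len(text_body), 0x1000, len(text_body), text_ptr, 0, 0, 0, 0, 0x60000020)
    img += SECTION_HEADER.pack(b"_winzip_", len(payload_body), 0x2000, len(payload_body), payload_ptr, 0, 0, 0, 0, 0x42000040)
    img += bytes(headers_size - len(img))          # pad headers to the first raw section
    return bytes(img + text_body + payload_body)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    info = parse_pe(data)
    print({k: v for k, v in info.items() if k != "sections"})
    for s in info["sections"]:
        print(f"{s.name:<9} VA={s.virtual_address:#010x} VSize={s.virtual_size:#x} Raw={s.raw_size:#x} entropy={s.entropy:.5f}")
    for finding in suspicious_sections(info["sections"]):
        print("FLAG", finding)
```

With the section entropies listed in the report, only `_winzip_` (7.999) would pass the 7.9 threshold; `.text` at 6.46 is in the normal range for compiled code, and none of the five sections is both writable and executable.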
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.37086 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
2 | 3.05812 | 296 | UNKNOWN | English - United States | RT_ICON |
Imports (DLL) |
---|
GDI32.dll |
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Users\admin\AppData\Local\Temp\gplgs.exe" | C:\Users\admin\AppData\Local\Temp\gplgs.exe | — | explorer.exe |
User: admin | Integrity Level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | | |
2528 | "C:\Users\admin\AppData\Local\Temp\gplgs.exe" | C:\Users\admin\AppData\Local\Temp\gplgs.exe | — | explorer.exe |
User: admin | Integrity Level: HIGH | Exit code: 0 | | |
2132 | Setup.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\Setup.exe | — | gplgs.exe |
User: admin | Integrity Level: HIGH | Exit code: 0 | | |

Note: the first instance (PID 2864) starts at medium integrity and exits with 0xC000042C (STATUS_ELEVATION_REQUIRED), i.e. the binary demands administrator rights; the second instance (PID 2528) is the same file relaunched at high integrity after UAC elevation. Everything that follows, including the extracted Setup.exe (PID 2132) and its HKLM registry writes, therefore runs with administrative rights.
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2132 | Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\GPL Ghostscript\9.06 | GS_LIB | C:\Program Files\GPLGS |
2132 | Setup.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\GPL Ghostscript\9.06 | GS_DLL | C:\Program Files\GPLGS\gsdll32.dll |

Note: GS_LIB (the Ghostscript resource search path) and GS_DLL (the path of gsdll32.dll) under HKLM\SOFTWARE\GPL Ghostscript\<version> are the two values the GPL Ghostscript Windows installer writes so that the gswin32 front end can locate its library files and DLL; the install directory here is C:\Program Files\GPLGS rather than a versioned gs\ folder.
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bj8.rpd | text | 561E434D8B29339E188E7EBA5EC1F414 | 1E6113001D6FC5DCFB94A2B06653DD69D6EDA966159627B9B7AAE659A260ED9E |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bjc610a4.upp | text | 8AC7079FB35C110F197D50BC64F5B8BC | 8F39800FEC647CD4E4C10DDE12752B7443A06E7672080EB37F60416D9FF63B9C |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bj8pa06n.upp | text | 08DFBC8D265585B313E704B49406819C | ED6AE6CDE403A8E394C62E028F863879D2F4DECF45965946B74D40B89D27E810 |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bjc610a2.upp | text | 29567F275B715DC9F3DF2DF48A7FAB05 | 57DBD7B910CF4097EC3781E43BB0B066F6356DEBA8086E6392E9FBDD0C036B2B |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\afmdiff.awk | text | C81C5317F43C397EA47BD6DDBA3936D8 | 10B7F8A4F13CA076F543E56357DC9E14E29BEB8A6615F4BD630D6DDFA97986AE |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bj8pp12f.upp | text | 987D285072D871242EDFB65630EA6BFD | 265390EF8A4B203E86C9D65C309177A4131210F54055C7F9AA8F804CA90DA971 |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bjc610a8.upp | text | 938071F80CA83BA489905E0DDE3701EB | A422DF1E096044BD651B62C5991B55F05025466A5B068944EAF226ED4BD7311B |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bj8oh06n.upp | text | 8D3D588B8B52D520527268D981382EAF | EA04A1BDC5506DA3FE1A770796B4E5B717D75CA2EE3E6FA4F3196328188DF79E |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\acctest.ps | ps | 8BC30F8B14AD40BACC5A893F2D676AE2 | 4F3AA79817806DC00B5EC34309CC7613E4440941B48A097B1EE24463FE5AF207 |
2528 | gplgs.exe | C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\GPLGS\bj8hg12f.upp | text | 692CD4BE60E7347D4691DEB06C6B50AE | 8D18EB8F26DCE23DB0C870C33E8FB7DEE880C46E6C224E1E8547D6ACA9538E4C |

Note: the files listed are written by the elevated self-extractor instance (PID 2528) into the WinZip temporary directory WZSE0.TMP\GPLGS before Setup.exe runs. By name they are Ghostscript library files (uniprint .upp and .rpd printer profiles, afmdiff.awk, acctest.ps), consistent with the GPL Ghostscript 9.06 registry key above; their hashes can be compared against a known-good Ghostscript 9.06 distribution to confirm they are unmodified.