File name: | setup.exe |
Full analysis: | https://app.any.run/tasks/b493ba2c-cff1-4c8a-844c-5fe72f6d7cd4 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 00:55:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D2EA92875A1B9A5BDCCF966F17C545B7 |
SHA1: | 40D18FCEBC8105512369910D9F30C95C24B53CFD |
SHA256: | E94A49E237EC3C99ABEAB49A8A676073D31F9BE841D4A38AFC555EC90893EFCF |
SSDEEP: | 49152:MDyo7MklXa+1NI9ZTSTIlqBbjbETbmjCg4:DOMklq+1NIoNj+byCj |
.exe | | | Win64 Executable (generic) (56.1) |
---|---|---|
.scr | | | Windows screen saver (26.6) |
.exe | | | Win32 Executable (generic) (9.1) |
.exe | | | Generic Win/DOS Executable (4) |
.exe | | | DOS Executable Generic (4) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2015-Sep-09 05:59:06 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | GIGABYTE |
FileDescription: | Setup Launcher Unicode |
FileVersion: | 1.19.0624.1 |
InternalName: | Setup |
LegalCopyright: | Copyright (c) 2015 Flexera Software LLC. All Rights Reserved. |
OriginalFilename: | InstallShield Setup.exe |
ProductName: | GService |
ProductVersion: | 1.19.0624.1 |
Internal Build Number: | 158438 |
ISInternalVersion: | 22.0.347 |
ISInternalDescription: | Setup Launcher Unicode |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 256 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 4 |
TimeDateStamp: | 2015-Sep-09 05:59:06 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 734341 | 734720 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58334 |
.rdata | 741376 | 221704 | 222208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.10399 |
.data | 966656 | 35896 | 9728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.50984 |
.rsrc | 1003520 | 324916 | 325120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.62524 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.27303 | 1640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
2 | 3.835 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 3.35696 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 6.14965 | 3752 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 6.18448 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 4.85842 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 5.57777 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 5.81004 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 6.06596 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
10 | 3.22977 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
CRYPT32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
RPCRT4.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1968 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | — | Explorer.EXE |
User: admin Company: GIGABYTE Integrity Level: MEDIUM Description: Setup Launcher Unicode Exit code: 3221226540 Version: 1.19.0624.1 | ||||
3904 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | Explorer.EXE | |
User: admin Company: GIGABYTE Integrity Level: HIGH Description: Setup Launcher Unicode Exit code: 0 Version: 1.19.0624.1 | ||||
2880 | MSIEXEC.EXE /i "C:\Users\admin\AppData\Local\Downloaded Installations\{89481967-8BEF-4362-BA5A-D05CF787E272}\GService.msi" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp" SETUPEXENAME="setup.exe" | C:\Windows\system32\MSIEXEC.EXE | — | setup.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2824 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1388 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3848 | C:\Windows\system32\MsiExec.exe -Embedding 74D05718AD9689AA712B56A42EB285F8 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2668 | "C:\Program Files\GIGABYTE\GService\GCloud.exe" | C:\Program Files\GIGABYTE\GService\GCloud.exe | — | services.exe |
User: SYSTEM Company: Microsoft Integrity Level: SYSTEM Description: GCloud Version: 1.0.0.0 | ||||
2768 | "Netsh.exe" advfirewall firewall add rule name="allow 9009" protocol=TCP dir=in localport=9009 action=allow | C:\Windows\system32\Netsh.exe | — | GCloud.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2824) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
Operation: | write | Name: | SrCreateRp (Enter) |
Value: 40000000000000001CB4A82E55D8D801080B0000F0050000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2824) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
Operation: | write | Name: | SppCreate (Enter) |
Value: 40000000000000001CB4A82E55D8D801080B0000F0050000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2824) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
Operation: | write | Name: | LastIndex |
Value: 69 | |||
(PID) Process: | (2824) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 40000000000000009A13E92E55D8D801080B0000F0050000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2824) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000F475EB2E55D8D801080B0000800C0000E803000001000000000000000000000042A179B64970064E94A30410F1BC18760000000000000000 | |||
(PID) Process: | (1388) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000B661F72E55D8D8016C050000380D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1388) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000B661F72E55D8D8016C050000B40E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1388) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000B661F72E55D8D8016C0500000C0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1388) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000B661F72E55D8D8016C050000140F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1388) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4000000000000000C488FE2E55D8D8016C0500000C0D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2824 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2824 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:C2E070F3A42CBB9B31A1A2B5522048FC | SHA256:E90B9934A71CB58B216392055C7C2F81C1ADBF18962AA58D519C9A42AC6F0B04 | |||
3904 | setup.exe | C:\Users\admin\AppData\Local\Downloaded Installations\{89481967-8BEF-4362-BA5A-D05CF787E272}\GService.msi | executable | |
MD5:848B61A206614812B66CA9B43B2C05C5 | SHA256:9D791CD97730F263A109D0AA0BFD5BCC14892ABE6E84B192EBF966CC62C1C37B | |||
2824 | msiexec.exe | C:\Windows\Installer\dc8af.msi | executable | |
MD5:848B61A206614812B66CA9B43B2C05C5 | SHA256:9D791CD97730F263A109D0AA0BFD5BCC14892ABE6E84B192EBF966CC62C1C37B | |||
2824 | msiexec.exe | C:\Program Files\GIGABYTE\GService\Upfail.xml | xml | |
MD5:63A5644C1111C0D4FB99C49B6867D508 | SHA256:4C3106D22F6700C15F58493DDC908FF4A79268151E94668D0F118E04A74B9FA3 | |||
3904 | setup.exe | C:\Users\admin\AppData\Local\Temp\{C03AD033-C676-4914-94AC-981C80F00D28}\GService.msi | executable | |
MD5:848B61A206614812B66CA9B43B2C05C5 | SHA256:9D791CD97730F263A109D0AA0BFD5BCC14892ABE6E84B192EBF966CC62C1C37B | |||
2824 | msiexec.exe | C:\Windows\Installer\MSICA47.tmp | binary | |
MD5:A0FB8E14E33B20C617E9B0BAF35FD866 | SHA256:9AA63E18BB576A4E0DE95791588A446C6864DD3A45E89E0228117E723B803E32 | |||
2824 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF352D05B47C385612.TMP | gmc | |
MD5:946D6C588BC8B060347379AD9330D1CB | SHA256:0988B77B7EF92ADEB7C4DA8BD0CEDC8B0CE84913289F9893C386A880DC6E12A4 | |||
2824 | msiexec.exe | C:\Program Files\GIGABYTE\GService\RGB.xml | xml | |
MD5:41C7868AD2BA61D7A1A709E362AEBC58 | SHA256:3EA92B7FE1AFEB46859D1C72DAEDD79BA3B6F8AB6117EA0C1ADA12D266ECFB8F | |||
2824 | msiexec.exe | C:\Program Files\GIGABYTE\GService\RGB_Set.xml | xml | |
MD5:777466184C20F81CB178BB5F14E85EBF | SHA256:36013C918CEBE7810C157966B22B77CD912C4ECE4F1E33EC55B6DFDCA4FE0B7D |