analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://download.glarysoft.com/gu5setup.exe

Full analysis: https://app.any.run/tasks/ab532fde-ab56-4f71-a5b5-d38564e2ab36
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 06:40:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
opendir
Indicators:
MD5:

3E85D9C24F3AF771B87F51A1AB1A2690

SHA1:

03C837278FB3173E5D0773DFC4A682159E3DCBC7

SHA256:

0FEAFDB80D1588EECC460B7D6E8B04E2C538CBDCFE559563E5CADFDE94FB3CF2

SSDEEP:

3:N1KaKElyXTQxlA:Ca5I0lA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gu5setup.exe (PID: 3688)
      • gu5setup.exe (PID: 1824)
      • DiskDefrag.exe (PID: 3472)
      • sendinfo.exe (PID: 2452)
      • DiskDefrag.exe (PID: 2416)
      • StartupManager.exe (PID: 2628)
      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)
      • autoupdate.exe (PID: 772)
      • upgrade.exe (PID: 3640)

    • Loads dropped or rewritten executable

      • gu5setup.exe (PID: 3688)
      • DiskDefrag.exe (PID: 3472)
      • DiskDefrag.exe (PID: 2416)
      • sendinfo.exe (PID: 2452)
      • StartupManager.exe (PID: 2628)
      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)
      • upgrade.exe (PID: 3640)
      • autoupdate.exe (PID: 772)

    • Downloads executable files from the Internet

      • chrome.exe (PID: 1892)

    • Changes the autorun value in the registry

      • StartupManager.exe (PID: 2628)

    • Loads the Task Scheduler DLL interface

      • Initialize.exe (PID: 1288)

    • Loads the Task Scheduler COM API

      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)

    • Actions looks like stealing of personal data

      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 1892)
      • sendinfo.exe (PID: 2452)
      • DiskDefrag.exe (PID: 3472)
      • StartupManager.exe (PID: 2628)
      • gu5setup.exe (PID: 3688)

    • Creates COM task schedule object

      • gu5setup.exe (PID: 3688)

    • Creates files in the user directory

      • DiskDefrag.exe (PID: 3472)
      • gu5setup.exe (PID: 3688)
      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)

    • Creates a software uninstall entry

      • gu5setup.exe (PID: 3688)
      • sendinfo.exe (PID: 2452)

    • Creates files in the Windows directory

      • DiskDefrag.exe (PID: 3472)
      • StartupManager.exe (PID: 2628)

    • Creates files in the driver directory

      • DiskDefrag.exe (PID: 3472)
      • StartupManager.exe (PID: 2628)

    • Low-level read access rights to disk partition

      • DiskDefrag.exe (PID: 2416)

    • Removes files from Windows directory

      • DiskDefrag.exe (PID: 2416)

    • Creates files in the program directory

      • StartupManager.exe (PID: 2628)
      • Initialize.exe (PID: 1288)
      • gu5setup.exe (PID: 3688)
      • Integrator.exe (PID: 3044)

    • Creates or modifies windows services

      • DiskDefrag.exe (PID: 2416)

    • Modifies the open verb of a shell class

      • gu5setup.exe (PID: 3688)

    • Starts Internet Explorer

      • gu5setup.exe (PID: 3688)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 1892)
      • iexplore.exe (PID: 3976)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 1892)
      • iexplore.exe (PID: 1352)

    • Dropped object may contain Bitcoin addresses

      • gu5setup.exe (PID: 3688)

    • Creates files in the user directory

      • iexplore.exe (PID: 1352)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1352)

    • Changes internet zones settings

      • iexplore.exe (PID: 3976)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1352)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1352)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
20
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs gu5setup.exe no specs gu5setup.exe chrome.exe no specs sendinfo.exe diskdefrag.exe diskdefrag.exe no specs startupmanager.exe initialize.exe iexplore.exe iexplore.exe integrator.exe autoupdate.exe upgrade.exe

Process information

PID
CMD
Path
Indicators
Parent process
1892"C:\Program Files\Google\Chrome\Application\chrome.exe" http://download.glarysoft.com/gu5setup.exeC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
2776"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6e870f18,0x6e870f28,0x6e870f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2556"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=252 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
592"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=66203899630775436 --mojo-platform-channel-handle=956 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2552"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --service-pipe-token=15907371985053690175 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15907371985053690175 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2476"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --service-pipe-token=11167921306620372008 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11167921306620372008 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3416"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --service-pipe-token=10391253757976413120 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10391253757976413120 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1824"C:\Users\admin\Downloads\gu5setup.exe" C:\Users\admin\Downloads\gu5setup.exechrome.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Glary Utilities Installer
Exit code:
3221226540
3688"C:\Users\admin\Downloads\gu5setup.exe" C:\Users\admin\Downloads\gu5setup.exe
chrome.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities Installer
Exit code:
0
3148"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17928454504747871700 --mojo-platform-channel-handle=4068 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
1 969
Read events
1 603
Write events
0
Delete events
0

Modification events

No data
Executable files
116
Suspicious files
58
Text files
554
Unknown types
22

Dropped files

PID
Process
Filename
Type
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\f83d95c4-d131-4416-aa73-a5e425c33f4d.tmp
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
66
DNS requests
32
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/new.css?141112:0442
US
html
257 b
whitelisted
1352
iexplore.exe
GET
200
54.204.19.120:80
http://www.glarysoft.com/update/release-notes/gu/5.119.0.144
US
html
23.1 Kb
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/global.css?1711221730
US
html
259 b
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/content.css?18011003
US
html
258 b
whitelisted
1352
iexplore.exe
GET
302
54.204.19.120:80
http://www.glarysoft.com/update/release-notes/?p=1&v=5.119.0.144&l=1
US
html
254 b
whitelisted
1352
iexplore.exe
GET
200
2.23.104.167:80
http://s7.addthis.com/js/250/addthis_widget.js
unknown
text
109 Kb
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/layout.css?141112:0442
US
html
260 b
whitelisted
3976
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
1352
iexplore.exe
GET
200
54.230.129.50:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
1892
chrome.exe
GET
200
52.85.246.96:80
http://download.glarysoft.com/gu5setup.exe
US
executable
16.8 Mb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1892
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3976
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1892
chrome.exe
172.217.23.131:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1892
chrome.exe
172.217.18.100:443
www.google.com
Google Inc.
US
whitelisted
1892
chrome.exe
172.217.16.141:443
accounts.google.com
Google Inc.
US
suspicious
2452
sendinfo.exe
54.186.7.180:80
metrics.glarysoft.com
Amazon.com, Inc.
US
whitelisted
1352
iexplore.exe
2.23.104.167:80
s7.addthis.com
Akamai International B.V.
whitelisted
1352
iexplore.exe
172.217.21.202:80
fonts.googleapis.com
Google Inc.
US
whitelisted
1892
chrome.exe
52.85.246.96:80
download.glarysoft.com
Amazon.com, Inc.
US
suspicious
1352
iexplore.exe
54.204.19.120:80
www.glarysoft.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
download.glarysoft.com
  • 52.85.246.96
  • 52.85.246.33
  • 52.85.246.218
  • 52.85.246.51
shared
accounts.google.com
  • 172.217.16.141
shared
www.google.com
  • 172.217.18.100
whitelisted
ssl.gstatic.com
  • 172.217.23.131
whitelisted
sb-ssl.google.com
  • 172.217.18.110
whitelisted
metrics.glarysoft.com
  • 54.186.7.180
whitelisted
www.glarysoft.com
  • 54.204.19.120
  • 54.243.205.134
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
fonts.googleapis.com
  • 172.217.21.202
whitelisted

Threats

PID
Process
Class
Message
1892
chrome.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
1892
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
sendinfo.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://download.glarysoft.com/gu5setup.exe