URL:

http://download.glarysoft.com/gu5setup.exe

Full analysis: https://app.any.run/tasks/ab532fde-ab56-4f71-a5b5-d38564e2ab36
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 15, 2019, 06:40:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
opendir
Indicators:
MD5:

3E85D9C24F3AF771B87F51A1AB1A2690

SHA1:

03C837278FB3173E5D0773DFC4A682159E3DCBC7

SHA256:

0FEAFDB80D1588EECC460B7D6E8B04E2C538CBDCFE559563E5CADFDE94FB3CF2

SSDEEP:

3:N1KaKElyXTQxlA:Ca5I0lA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gu5setup.exe (PID: 1824)
      • gu5setup.exe (PID: 3688)
      • DiskDefrag.exe (PID: 3472)
      • DiskDefrag.exe (PID: 2416)
      • Initialize.exe (PID: 1288)
      • sendinfo.exe (PID: 2452)
      • StartupManager.exe (PID: 2628)
      • autoupdate.exe (PID: 772)
      • Integrator.exe (PID: 3044)
      • upgrade.exe (PID: 3640)

    • Loads dropped or rewritten executable

      • gu5setup.exe (PID: 3688)
      • DiskDefrag.exe (PID: 3472)
      • DiskDefrag.exe (PID: 2416)
      • sendinfo.exe (PID: 2452)
      • StartupManager.exe (PID: 2628)
      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)
      • autoupdate.exe (PID: 772)
      • upgrade.exe (PID: 3640)

    • Downloads executable files from the Internet

      • chrome.exe (PID: 1892)

    • Changes the autorun value in the registry

      • StartupManager.exe (PID: 2628)

    • Actions looks like stealing of personal data

      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)

    • Loads the Task Scheduler DLL interface

      • Initialize.exe (PID: 1288)

    • Loads the Task Scheduler COM API

      • Integrator.exe (PID: 3044)
      • Initialize.exe (PID: 1288)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 1892)
      • sendinfo.exe (PID: 2452)
      • DiskDefrag.exe (PID: 3472)
      • gu5setup.exe (PID: 3688)
      • StartupManager.exe (PID: 2628)

    • Creates COM task schedule object

      • gu5setup.exe (PID: 3688)

    • Creates a software uninstall entry

      • gu5setup.exe (PID: 3688)
      • sendinfo.exe (PID: 2452)

    • Creates files in the user directory

      • DiskDefrag.exe (PID: 3472)
      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)
      • gu5setup.exe (PID: 3688)

    • Creates files in the Windows directory

      • DiskDefrag.exe (PID: 3472)
      • StartupManager.exe (PID: 2628)

    • Creates files in the driver directory

      • DiskDefrag.exe (PID: 3472)
      • StartupManager.exe (PID: 2628)

    • Creates or modifies windows services

      • DiskDefrag.exe (PID: 2416)

    • Creates files in the program directory

      • StartupManager.exe (PID: 2628)
      • gu5setup.exe (PID: 3688)
      • Initialize.exe (PID: 1288)
      • Integrator.exe (PID: 3044)

    • Removes files from Windows directory

      • DiskDefrag.exe (PID: 2416)

    • Low-level read access rights to disk partition

      • DiskDefrag.exe (PID: 2416)

    • Modifies the open verb of a shell class

      • gu5setup.exe (PID: 3688)

    • Starts Internet Explorer

      • gu5setup.exe (PID: 3688)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 1892)
      • iexplore.exe (PID: 3976)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 1892)
      • iexplore.exe (PID: 1352)

    • Dropped object may contain Bitcoin addresses

      • gu5setup.exe (PID: 3688)

    • Creates files in the user directory

      • iexplore.exe (PID: 1352)

    • Changes internet zones settings

      • iexplore.exe (PID: 3976)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1352)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1352)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1352)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
20
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs gu5setup.exe no specs gu5setup.exe chrome.exe no specs sendinfo.exe diskdefrag.exe diskdefrag.exe no specs startupmanager.exe initialize.exe iexplore.exe iexplore.exe integrator.exe autoupdate.exe upgrade.exe

Process information

PID
CMD
Path
Indicators
Parent process
592"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=66203899630775436 --mojo-platform-channel-handle=956 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
772"C:\Program Files\Glary Utilities 5\autoupdate.exe" C:\Program Files\Glary Utilities 5\autoupdate.exe
Integrator.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities AutoUpdate
Exit code:
0
Version:
5, 0, 0, 8
Modules
Images
c:\program files\glary utilities 5\autoupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1288"C:\Program Files\Glary Utilities 5\Initialize.exe" /setupschedule /installinitC:\Program Files\Glary Utilities 5\Initialize.exe
gu5setup.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities Initialize
Exit code:
0
Version:
5, 0, 0, 43
Modules
Images
c:\program files\glary utilities 5\initialize.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfc90u.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1352"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1824"C:\Users\admin\Downloads\gu5setup.exe" C:\Users\admin\Downloads\gu5setup.exechrome.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Glary Utilities Installer
Exit code:
3221226540
Modules
Images
c:\users\admin\downloads\gu5setup.exe
c:\systemroot\system32\ntdll.dll
1892"C:\Program Files\Google\Chrome\Application\chrome.exe" http://download.glarysoft.com/gu5setup.exeC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2416"C:\Program Files\Glary Utilities 5\DiskDefrag.exe" -InstallNativeC:\Program Files\Glary Utilities 5\DiskDefrag.exegu5setup.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Utilities Defragmenter
Exit code:
0
Version:
5.0.0.63
Modules
Images
c:\program files\glary utilities 5\diskdefrag.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfc90u.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2452"C:\Users\admin\AppData\Local\Temp\nss766D.tmp\sendinfo.exe" /install /GU5C:\Users\admin\AppData\Local\Temp\nss766D.tmp\sendinfo.exe
gu5setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nss766d.tmp\sendinfo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
2476"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --service-pipe-token=11167921306620372008 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11167921306620372008 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2552"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,15379422907693368005,9165559896744267503,131072 --enable-features=PasswordImport --service-pipe-token=15907371985053690175 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15907371985053690175 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events
1 969
Read events
1 603
Write events
362
Delete events
4

Modification events

(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2556) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:1892-13202376030680500
Value:
259
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(1892) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3488-13197474229333984
Value:
0
(PID) Process:(1892) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
Executable files
116
Suspicious files
58
Text files
554
Unknown types
22

Dropped files

PID
Process
Filename
Type
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\f83d95c4-d131-4416-aa73-a5e425c33f4d.tmp
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
1892chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
66
DNS requests
32
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1892
chrome.exe
GET
200
52.85.246.96:80
http://download.glarysoft.com/gu5setup.exe
US
executable
16.8 Mb
shared
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/js/jquery.min.js?161014:0914
US
html
262 b
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/new.css?141112:0442
US
html
257 b
whitelisted
2452
sendinfo.exe
POST
200
54.186.7.180:80
http://metrics.glarysoft.com/install.php
US
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/global.css?1711221730
US
html
259 b
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/layout.css?141112:0442
US
html
260 b
whitelisted
3044
Integrator.exe
POST
200
23.23.198.31:80
http://gu.glarysoft.com/boottime/service.php
US
xml
675 b
suspicious
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/css/content.css?18011003
US
html
258 b
whitelisted
1352
iexplore.exe
GET
301
54.204.19.120:80
http://www.glarysoft.com/js/index.js?160729
US
html
252 b
whitelisted
1352
iexplore.exe
GET
200
2.23.104.167:80
http://s7.addthis.com/js/250/addthis_widget.js
unknown
text
109 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1892
chrome.exe
172.217.18.110:443
sb-ssl.google.com
Google Inc.
US
whitelisted
1892
chrome.exe
52.85.246.96:80
download.glarysoft.com
Amazon.com, Inc.
US
suspicious
1352
iexplore.exe
2.23.104.167:80
s7.addthis.com
Akamai International B.V.
whitelisted
1892
chrome.exe
172.217.23.131:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1352
iexplore.exe
54.204.19.120:80
www.glarysoft.com
Amazon.com, Inc.
US
unknown
2452
sendinfo.exe
54.186.7.180:80
metrics.glarysoft.com
Amazon.com, Inc.
US
whitelisted
1892
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3976
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1352
iexplore.exe
54.230.129.68:80
x.ss2.us
Amazon.com, Inc.
US
whitelisted
1352
iexplore.exe
172.217.21.202:80
fonts.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
download.glarysoft.com
  • 52.85.246.96
  • 52.85.246.33
  • 52.85.246.218
  • 52.85.246.51
shared
accounts.google.com
  • 172.217.16.141
shared
www.google.com
  • 172.217.18.100
malicious
ssl.gstatic.com
  • 172.217.23.131
whitelisted
sb-ssl.google.com
  • 172.217.18.110
whitelisted
metrics.glarysoft.com
  • 54.186.7.180
whitelisted
www.glarysoft.com
  • 54.204.19.120
  • 54.243.205.134
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
fonts.googleapis.com
  • 172.217.21.202
whitelisted

Threats

PID
Process
Class
Message
1892
chrome.exe
Potentially Bad Traffic
ET POLICY Executable served from Amazon S3
1892
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2452
sendinfo.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://download.glarysoft.com/gu5setup.exe