File name:

granny-chapter-two-gameloop-1-0-23.exe

Full analysis: https://app.any.run/tasks/41484a2f-7f76-4621-b28d-54b05264d7a1
Verdict: Malicious activity
Analysis date: October 08, 2023, 21:47:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0E641EB23F28590C018FE5282AEC8063

SHA1:

68CA627BF38DFDDAB676F3AB156B11BBC6A98479

SHA256:

269672776FE5DD74DA3A3F8FCE5B971EC0A9B16750BC2D77C5788CB93AA80169

SSDEEP:

98304:HHShnyAv85RgB6yU41Q6a7ofZoTS7acH/94WFQZAjBz8pjT8YKUV08ZlwFnCzUw4:V0B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • Market.exe (PID: 1884)
      • TInst.exe (PID: 3836)
      • wmpf_installer.exe (PID: 3756)

    • Loads dropped or rewritten executable

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • QMEmulatorService.exe (PID: 3076)
      • wmpf_installer.exe (PID: 3756)
      • AppMarket.exe (PID: 3156)
      • cef_frame_render.exe (PID: 396)
      • wmpf_installer.exe (PID: 3632)
      • cef_frame_render.exe (PID: 1892)
      • cef_frame_render.exe (PID: 1820)
      • AppMarket.exe (PID: 3232)
      • cef_frame_render.exe (PID: 3600)

    • Application was dropped or rewritten from another process

      • QMEmulatorService.exe (PID: 3076)
      • TInst.exe (PID: 3836)
      • AppMarket.exe (PID: 3156)
      • wmpf_installer.exe (PID: 3756)
      • syzs_dl_svr.exe (PID: 744)
      • AppMarket.exe (PID: 2668)
      • cef_frame_render.exe (PID: 396)
      • AppMarket.exe (PID: 3232)
      • wmpf_installer.exe (PID: 3632)
      • cef_frame_render.exe (PID: 1892)
      • cef_frame_render.exe (PID: 1820)
      • cef_frame_render.exe (PID: 3600)

    • Creates a writable file the system directory

      • QMEmulatorService.exe (PID: 3076)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • TInst.exe (PID: 3836)
      • cef_frame_render.exe (PID: 1892)

    • Reads the Internet Settings

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • AppMarket.exe (PID: 3156)

    • The process drops C-runtime libraries

      • Market.exe (PID: 1884)
      • TInst.exe (PID: 3836)

    • Process drops legitimate windows executable

      • Market.exe (PID: 1884)
      • TInst.exe (PID: 3836)

    • Executes as Windows Service

      • QMEmulatorService.exe (PID: 3076)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • TInst.exe (PID: 3836)

  • INFO

    • Checks supported languages

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • wmpnscfg.exe (PID: 2060)
      • Market.exe (PID: 1884)
      • TInst.exe (PID: 3836)
      • QMEmulatorService.exe (PID: 3076)
      • wmpf_installer.exe (PID: 3756)
      • syzs_dl_svr.exe (PID: 744)
      • AppMarket.exe (PID: 3156)
      • cef_frame_render.exe (PID: 396)
      • AppMarket.exe (PID: 3232)
      • cef_frame_render.exe (PID: 1892)
      • cef_frame_render.exe (PID: 1820)
      • wmpf_installer.exe (PID: 3632)
      • cef_frame_render.exe (PID: 3600)

    • Reads the computer name

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • wmpnscfg.exe (PID: 2060)
      • Market.exe (PID: 1884)
      • TInst.exe (PID: 3836)
      • QMEmulatorService.exe (PID: 3076)
      • AppMarket.exe (PID: 3156)
      • wmpf_installer.exe (PID: 3756)
      • syzs_dl_svr.exe (PID: 744)
      • cef_frame_render.exe (PID: 396)
      • AppMarket.exe (PID: 3232)
      • cef_frame_render.exe (PID: 1892)

    • Reads the machine GUID from the registry

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • wmpnscfg.exe (PID: 2060)
      • TInst.exe (PID: 3836)
      • AppMarket.exe (PID: 3156)
      • wmpf_installer.exe (PID: 3756)
      • syzs_dl_svr.exe (PID: 744)
      • wmpf_installer.exe (PID: 3632)
      • cef_frame_render.exe (PID: 1892)
      • AppMarket.exe (PID: 3232)

    • Creates files or folders in the user directory

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • AppMarket.exe (PID: 3156)
      • wmpf_installer.exe (PID: 3756)
      • TInst.exe (PID: 3836)
      • AppMarket.exe (PID: 3232)
      • cef_frame_render.exe (PID: 1892)

    • Create files in a temporary directory

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • TInst.exe (PID: 3836)
      • AppMarket.exe (PID: 3156)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2060)
      • AppMarket.exe (PID: 2668)
      • AppMarket.exe (PID: 3232)

    • Creates files in the program directory

      • granny-chapter-two-gameloop-1-0-23.exe (PID: 940)
      • TInst.exe (PID: 3836)
      • QMEmulatorService.exe (PID: 3076)
      • AppMarket.exe (PID: 3156)
      • syzs_dl_svr.exe (PID: 744)
      • AppMarket.exe (PID: 3232)

    • Dropped object may contain TOR URL's

      • Market.exe (PID: 1884)
      • TInst.exe (PID: 3836)

    • Process checks computer location settings

      • cef_frame_render.exe (PID: 1820)

    • Checks proxy server information

      • AppMarket.exe (PID: 3156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:09:27 07:56:56+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 2605568
InitializedDataSize: 1210368
UninitializedDataSize: -
EntryPoint: 0x22109e
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: Uptodown GameLoop Downloader
ProductName: Uptodown GameLoop Downloader
CompanyName: Tencent
FileVersion: 1, 0, 0, 1
InternalName: TGBDownloader.exe
LegalCopyright: Copyright ? 2020 Tencent. All Rights Reserved.
OriginalFileName: TGBDownloader.exe
ProductVersion: 1, 0, 0, 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
79
Monitored processes
23
Malicious processes
8
Suspicious processes
5

Behavior graph

Click at the process to see the details
start granny-chapter-two-gameloop-1-0-23.exe wmpnscfg.exe no specs market.exe no specs tinst.exe qmemulatorservice.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs appmarket.exe wmpf_installer.exe syzs_dl_svr.exe appmarket.exe no specs appmarket.exe cef_frame_render.exe no specs wmpf_installer.exe no specs cef_frame_render.exe cef_frame_render.exe no specs systeminfo.exe no specs cef_frame_render.exe no specs granny-chapter-two-gameloop-1-0-23.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=gpu-process --field-trial-handle=1920,4595638667879258192,16522751005216129263,131072 --disable-features=OutOfBlinkCors --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.11.2811.80" --lang=en-US --gpu-preferences=KAAAAAAAAADgAAAgAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=7857745258293382077 --mojo-platform-channel-handle=1984 /prefetch:2C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exeAppMarket.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\txgameassistant\appmarket\cef_frame_render.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\txgameassistant\appmarket\cef_frame.dll
c:\program files\txgameassistant\appmarket\libcef.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
744"C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.exe" --conf-path="C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.cfg" --daemon --log="C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.log" --rpc-secret=4ee7155204db616a98a228d8b1cb93e9C:\Program Files\TxGameAssistant\AppMarket\DL\syzs_dl_svr.exe
AppMarket.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\txgameassistant\appmarket\dl\syzs_dl_svr.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
940"C:\Users\admin\AppData\Local\Temp\granny-chapter-two-gameloop-1-0-23.exe" C:\Users\admin\AppData\Local\Temp\granny-chapter-two-gameloop-1-0-23.exe
explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
Uptodown GameLoop Downloader
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\granny-chapter-two-gameloop-1-0-23.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\nsi.dll
1820"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --force-device-scale-factor=1.00 --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --field-trial-handle=1920,4595638667879258192,16522751005216129263,131072 --disable-features=OutOfBlinkCors --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.11.2811.80" --disable-pdf-extension=1 --ppapi-flash-path="PepperFlash\pepflashplayer.dll" --ppapi-flash-version=18.0.0.209 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18261938093157184331 --renderer-client-id=3 --mojo-platform-channel-handle=2588 /prefetch:1C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exeAppMarket.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\txgameassistant\appmarket\cef_frame_render.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\txgameassistant\appmarket\cef_frame.dll
c:\program files\txgameassistant\appmarket\libcef.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
1876"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="AppMarket" dir=in program="c:\program files\txgameassistant\appmarket\AppMarket.exe" action=allowC:\Windows\System32\netsh.exeTInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1884"C:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Market.exe" C:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Market.exegranny-chapter-two-gameloop-1-0-23.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\temp\txgamedownload\component\appmarket\becefe7c1c99bd9d30cfd82e33e92fb1\market.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
1892"C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=utility --field-trial-handle=1920,4595638667879258192,16522751005216129263,131072 --disable-features=OutOfBlinkCors --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.11.2811.80" --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=348471059734440425 --mojo-platform-channel-handle=2520 /prefetch:8C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
AppMarket.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\txgameassistant\appmarket\cef_frame_render.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\txgameassistant\appmarket\cef_frame.dll
c:\program files\txgameassistant\appmarket\libcef.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
2060"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
2544"C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TUpdate" dir=in program="c:\program files\txgameassistant\appmarket\GF186\TUpdate.exe" action=allowC:\Windows\System32\netsh.exeTInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2668"C:\Program Files\TxGameAssistant\AppMarket\AppMarket.exe" -startpkg com.dvloper.grannychaptertwo -gametype 1 -from DesktopLinkC:\Program Files\TxGameAssistant\AppMarket\AppMarket.exeexplorer.exe
User:
admin
Company:
Tencent
Integrity Level:
MEDIUM
Description:
Uptodown GameLoop
Exit code:
3221226540
Version:
3.11.2811.80
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\txgameassistant\appmarket\appmarket.exe
Total events
16 686
Read events
15 927
Write events
756
Delete events
3

Modification events

(PID) Process:(940) granny-chapter-two-gameloop-1-0-23.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
Explorer.EXE
(PID) Process:(2060) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{16EEB3EC-338C-4D78-A056-4ABD44F1447C}\{8990D6E2-5A1C-4225-8F65-ACB180949D94}
Operation:delete keyName:(default)
Value:
(PID) Process:(2060) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{16EEB3EC-338C-4D78-A056-4ABD44F1447C}
Operation:delete keyName:(default)
Value:
(PID) Process:(2060) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{65C903D3-65FF-4EDC-9FAC-D321DAE3F901}
Operation:delete keyName:(default)
Value:
(PID) Process:(940) granny-chapter-two-gameloop-1-0-23.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(940) granny-chapter-two-gameloop-1-0-23.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(940) granny-chapter-two-gameloop-1-0-23.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(940) granny-chapter-two-gameloop-1-0-23.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(940) granny-chapter-two-gameloop-1-0-23.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3836) TInst.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
251
Suspicious files
230
Text files
1 941
Unknown types
0

Dropped files

PID
Process
Filename
Type
940granny-chapter-two-gameloop-1-0-23.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Market.exe
MD5:
SHA256:
940granny-chapter-two-gameloop-1-0-23.exeC:\test.tmpbinary
MD5:FF048CCEE25A2BE17E18CE61483A8109
SHA256:79D1968CBD7200D1BA5A28628E87E8984B67BA321189173549C859D117A7A141
940granny-chapter-two-gameloop-1-0-23.exeC:\Users\admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.dbtext
MD5:8CDD2558D98B4A8E924575F8C97B7475
SHA256:11C9004AEDA5FA30E4F03083546DEE226DB390CCBCEB7CC2D7F9F9B0CD8A1065
1884Market.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Setup\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:11E55839FCB3A53BDFED2A27FB7D5E80
SHA256:F6BDC8FFD172B44F4D169707D9A457AEEF619872661229B8629EE4F15EEFFF0D
1884Market.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Setup\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:D826D27C73D9F2420FB39FBE0745C7F0
SHA256:C0E5D482BD93BF71A73C01D0C1EC0722EA3260EBA1F4C87E797BAE334B5E9870
1884Market.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Setup\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:B9287EB7BCBFDCEC2E8D4198FD266509
SHA256:096409422ECD1894E4D6289FD2D1C7490BD83DAFF0C1E3D16C36C78BD477B895
1884Market.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Setup\AowGame.xmltext
MD5:246F115203C0921C7C94F917F99556BF
SHA256:C7A43199C7FFDAC35ECC3E1504B272DDB2539E55EB2BE6C8A1643315F77C0877
940granny-chapter-two-gameloop-1-0-23.exeC:\Users\admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dllexecutable
MD5:2814ACBD607BA47BDBCDF6AC3076EE95
SHA256:5904A7E4D97EEAC939662C3638A0E145F64FF3DD0198F895C4BF0337595C6A67
1884Market.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Setup\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:9F3CF9F22836C32D988D7C7E0A977E1B
SHA256:7D588A5A958E32875D7BD346D1371E6EBFD9D5D2EDE47755942BADFC9C74E207
1884Market.exeC:\Temp\TxGameDownload\Component\AppMarket\becefe7c1c99bd9d30cfd82e33e92fb1\Setup\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:6A35A52D536E34BA060A19D06B1DAC80
SHA256:A369EF130749BF8CD9F67055179E6F537F200C060AF47493D49473912A95021E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
173
DNS requests
31
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
484
lsass.exe
GET
200
67.27.234.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa816a76618a270a
unknown
compressed
4.66 Kb
unknown
484
lsass.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkcHsQGaDFetObPhfan5
unknown
binary
1.41 Kb
unknown
484
lsass.exe
GET
200
104.18.20.226:80
http://ocsp2.globalsign.com/gsorganizationvalsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSVLM6m9XSaK2pXyc357yFJVjgNwQQUaIa4fXrZbUlrhy8YixU0bNe0eg4CDG5N%2BmMQwoBRs0mcUQ%3D%3D
unknown
binary
1.43 Kb
unknown
484
lsass.exe
GET
200
47.246.48.205:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAxmDhtkizfDME27WQvSt7A%3D
unknown
binary
471 b
unknown
3156
AppMarket.exe
POST
200
43.154.254.18:80
http://masterconn.qq.com/q.cgi
unknown
binary
155 b
unknown
484
lsass.exe
GET
200
67.27.234.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?49f39e188b4307b0
unknown
compressed
4.66 Kb
unknown
484
lsass.exe
GET
200
47.246.48.205:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2656
svchost.exe
239.255.255.250:1900
whitelisted
940
granny-chapter-two-gameloop-1-0-23.exe
157.255.4.39:443
master.etl.desktop.qq.com
China Unicom Guangdong IP network
CN
unknown
940
granny-chapter-two-gameloop-1-0-23.exe
101.33.47.206:8081
oth.eve.mdt.qq.com
Tencent Building, Kejizhongyi Avenue
SG
unknown
4
System
192.168.100.255:138
whitelisted
940
granny-chapter-two-gameloop-1-0-23.exe
49.51.129.71:443
unifiedaccess.gameloop.com
Tencent Building, Kejizhongyi Avenue
DE
unknown
940
granny-chapter-two-gameloop-1-0-23.exe
43.152.26.151:443
down.gameloop.com
ACE
DE
unknown
3836
TInst.exe
43.152.26.221:443
down.gameloop.com
ACE
DE
unknown
3836
TInst.exe
43.152.26.197:443
down.gameloop.com
ACE
DE
unknown
3076
QMEmulatorService.exe
157.255.4.39:443
master.etl.desktop.qq.com
China Unicom Guangdong IP network
CN
unknown

DNS requests

Domain
IP
Reputation
master.etl.desktop.qq.com
  • 157.255.4.39
whitelisted
oth.eve.mdt.qq.com
  • 101.33.47.206
  • 101.33.47.68
unknown
unifiedaccess.gameloop.com
  • 49.51.129.71
  • 49.51.131.79
unknown
down.gameloop.com
  • 43.152.26.151
  • 43.152.26.221
  • 43.152.26.154
  • 43.152.26.58
  • 43.152.26.197
  • 43.152.44.160
unknown
webapp.gameloop.com
  • 43.152.26.221
  • 43.152.26.58
  • 43.152.44.160
  • 43.152.26.197
  • 43.152.26.154
  • 43.152.26.151
unknown
masterconn11.qq.com
  • 157.255.4.39
whitelisted
dldir1.qq.com
  • 116.153.64.183
  • 111.206.187.78
  • 116.153.90.78
  • 119.167.147.208
  • 111.206.186.229
  • 116.153.90.68
  • 221.204.165.214
  • 221.204.165.234
  • 116.153.64.103
  • 116.153.90.58
  • 42.236.84.139
  • 116.153.64.78
  • 119.167.147.187
whitelisted
masterconn.qq.com
  • 43.154.254.18
whitelisted
sy.guanjia.qq.com
  • 121.14.78.51
  • 121.14.76.247
  • 121.14.76.43
whitelisted
masterconn2.qq.com
  • 180.163.210.217
unknown

Threats

No threats detected
Process
Message
granny-chapter-two-gameloop-1-0-23.exe
Standard VGA Graphics Adapter
AppMarket.exe
[Downloader] DriverType C: = 3
AppMarket.exe
[Downloader] GetLogicalDrives 4
AppMarket.exe
=========== mem dump after here is valid ========
AppMarket.exe
[Downloader] GetLogicalDrives 4
AppMarket.exe
[Downloader] DriverType C: = 3
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
granny-chapter-two-gameloop-1-0-23.exe