File name:

GLP_installer_1000218456_market.exe

Full analysis: https://app.any.run/tasks/a5f8da9b-2c3e-40e8-86e1-4bb51f320a9d
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: September 15, 2024, 04:27:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
adware
tgbdownloader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

EF61CA12B115D390A2971608CF462A83

SHA1:

FBD0F3A9E64143952EB7D506949F4E0991269B4E

SHA256:

712B2B146E4F0CB412008F703DB52E6272299BB25597673075AECE1EC4167E4D

SSDEEP:

49152:l08OhxtUg9OUi82w6aQp9dgS1GUL38XhCOYc3iJXe9emEPGKOPkQThMYRMnm7LB9:l08vdsGaQNgS1C6e6ngKpqh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates file in the systems drive root

      • GLP_installer_1000218456_market.exe (PID: 4092)
    • Executable content was dropped or overwritten

      • GLP_installer_1000218456_market.exe (PID: 4092)
  • INFO

    • Creates files or folders in the user directory

      • GLP_installer_1000218456_market.exe (PID: 4092)
    • Checks supported languages

      • GLP_installer_1000218456_market.exe (PID: 4092)
    • Create files in a temporary directory

      • GLP_installer_1000218456_market.exe (PID: 4092)
    • Reads the machine GUID from the registry

      • GLP_installer_1000218456_market.exe (PID: 4092)
    • Reads the computer name

      • GLP_installer_1000218456_market.exe (PID: 4092)
    • Reads the software policy settings

      • GLP_installer_1000218456_market.exe (PID: 4092)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:17 02:57:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 2604544
InitializedDataSize: 1211392
UninitializedDataSize: -
EntryPoint: 0x220be4
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tencent
FileDescription: Tencent Game Downloader
FileVersion: 1, 0, 0, 1
InternalName: TGBDownloader.exe
LegalCopyright: Copyright © 2020 Tencent. All Rights Reserved.
OriginalFileName: TGBDownloader.exe
ProductName: Tencent Game Downloader
ProductVersion: 1, 0, 0, 1
No data.
All screenshots are available in the full report
Total processes
124
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

start -> glp_installer_1000218456_market.exe -> glp_installer_1000218456_market.exe (no specs)

Process information

PID:
4092
CMD:
"C:\Users\admin\Desktop\GLP_installer_1000218456_market.exe"
Path:
C:\Users\admin\Desktop\GLP_installer_1000218456_market.exe
Parent process:
explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
Tencent Game Downloader
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\glp_installer_1000218456_market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
6792
CMD:
"C:\Users\admin\Desktop\GLP_installer_1000218456_market.exe"
Path:
C:\Users\admin\Desktop\GLP_installer_1000218456_market.exe
Parent process:
explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
MEDIUM
Description:
Tencent Game Downloader
Exit code:
3221226540
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\glp_installer_1000218456_market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
3 315
Read events
3 311
Write events
4
Delete events
0

Modification events

(PID) Process: (4092) GLP_installer_1000218456_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\Beacon
Operation: write
Name: Last_Sid_GLP_installer_1000218456_market.exe
Value: 7E20014A-AFB9-4B27-9E86-B6CB5AD83458

(PID) Process: (4092) GLP_installer_1000218456_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: TempPath
Value: C:\Temp\TxGameDownload\Component\

(PID) Process: (4092) GLP_installer_1000218456_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: UserLanguage
Value: en

(PID) Process: (4092) GLP_installer_1000218456_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: abtestid
Value: {"Component":"0"}
Executable files
1
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID | Process | Filename | Type

4092 | GLP_installer_1000218456_market.exe | C:\Users\admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll | executable
MD5: 2814ACBD607BA47BDBCDF6AC3076EE95
SHA256: 5904A7E4D97EEAC939662C3638A0E145F64FF3DD0198F895C4BF0337595C6A67

4092 | GLP_installer_1000218456_market.exe | C:\Users\admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | text
MD5: 6B7035935AD6CB5F0DD0E8ABD98FCAFE
SHA256: 8D0289C9612E34B2C9D27D5F90CF6F525EF48A9C98AFFADD00B3C5EF6FC3F916

4092 | GLP_installer_1000218456_market.exe | C:\test.tmp | binary
MD5: 903CB72E381EB1B40B73825727CDB54C
SHA256: 579BC5D1B9A55FA60C4056C1E5359187DAAABDDF3737107F73C7B982727BCDFA
HTTP(S) requests
7
TCP/UDP connections
43
DNS requests
9
Threats
4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

6052 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5644 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 43.152.26.151:443 | https://down.gameloop.com/syzs_cms/202402/0ffa9228adbeeeb0adfb65c2ef40f630.exe | unknown
GET | 43.152.137.72:443 | https://down.gameloop.com/syzs_cms/202402/0ffa9228adbeeeb0adfb65c2ef40f630.exe | unknown
GET | 43.152.29.72:443 | https://down.gameloop.com/syzs_cms/202402/0ffa9228adbeeeb0adfb65c2ef40f630.exe | unknown
POST | 200 | 49.51.129.71:443 | https://unifiedaccess.gameloop.com/syzsclient/update/clientupdate | unknown | text | 4.83 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | whitelisted
6052 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5644 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4092 | GLP_installer_1000218456_market.exe | 101.33.47.68:8081 | oth.eve.mdt.qq.com | Tencent Building, Kejizhongyi Avenue | SG | whitelisted
4092 | GLP_installer_1000218456_market.exe | 157.255.4.39:443 | master.etl.desktop.qq.com | China Unicom Guangdong IP network | CN | whitelisted
6052 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5644 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4092 | GLP_installer_1000218456_market.exe | 150.109.28.234:443 | unifiedaccess.gameloop.com | Tencent Building, Kejizhongyi Avenue | SG | unknown

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146 | whitelisted
google.com | 172.217.18.14 | whitelisted
master.etl.desktop.qq.com | 157.255.4.39 | whitelisted
oth.eve.mdt.qq.com | 101.33.47.68, 101.33.47.206 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
unifiedaccess.gameloop.com | 150.109.28.234, 150.109.28.54 | unknown
down.gameloop.com | 101.33.11.246, 43.152.29.63, 43.152.26.197, 43.152.26.151, 43.152.29.78, 43.152.26.80, 101.33.11.219, 43.152.26.209, 43.152.26.58, 43.152.28.41, 43.152.29.72, 43.152.137.72, 43.152.28.43, 43.152.26.154, 43.152.26.221 | unknown

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
No debug info