File name:

GLP_installer_900223150_market.exe

Full analysis: https://app.any.run/tasks/9c9a18bc-a4d1-456a-b648-c606ab770dcf
Verdict: Malicious activity
Analysis date: August 16, 2024, 19:01:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0AC1FD602F5EC2D2231FE311777791E8

SHA1:

52CA6CCD121FAF4F3AAD9E7760EE1A519B323D83

SHA256:

BB68113CFABA1DEF162B8A0DF4B1D41B83EA34CE4FD5B23E0A0B75B259B62BFC

SSDEEP:

49152:808OhxtUg9OUi82w6aQp9dgS1GUL38XhCOYc3iJXe9emEPGKOPkQThMYRMnm7LBg:808vdsGaQNgS1C6e6ngKpqM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • GLP_installer_900223150_market.exe (PID: 6500)
      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
    • Executable content was dropped or overwritten

      • GLP_installer_900223150_market.exe (PID: 6500)
      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
    • Creates file in the systems drive root

      • GLP_installer_900223150_market.exe (PID: 6500)
      • TInst.exe (PID: 6512)
      • QMEmulatorService.exe (PID: 3696)
      • AppMarket.exe (PID: 6264)
    • Reads the date of Windows installation

      • GLP_installer_900223150_market.exe (PID: 6500)
      • AppMarket.exe (PID: 6264)
    • Reads security settings of Internet Explorer

      • GLP_installer_900223150_market.exe (PID: 6500)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
    • Process drops legitimate windows executable

      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
    • The process drops C-runtime libraries

      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
    • The process creates files with name similar to system file names

      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
    • Executes as Windows Service

      • QMEmulatorService.exe (PID: 3696)
    • Creates a software uninstall entry

      • TInst.exe (PID: 6512)
    • Uses WMIC.EXE to obtain computer system information

      • PcyybAssistant.exe (PID: 2336)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • TInst.exe (PID: 6512)
    • Checks Windows Trust Settings

      • AppMarket.exe (PID: 6264)
    • Reads the BIOS version

      • AppMarket.exe (PID: 6264)
    • Adds/modifies Windows certificates

      • cef_frame_render.exe (PID: 3140)
    • Uses SYSTEMINFO.EXE to read the environment

      • AppMarket.exe (PID: 6264)
  • INFO

    • Creates files or folders in the user directory

      • GLP_installer_900223150_market.exe (PID: 6500)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
      • PcyybAssistant.exe (PID: 2336)
      • cef_frame_render.exe (PID: 3140)
      • wmpf_installer.exe (PID: 6404)
    • Create files in a temporary directory

      • GLP_installer_900223150_market.exe (PID: 6500)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
    • Reads the computer name

      • GLP_installer_900223150_market.exe (PID: 6500)
      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
      • PcyybAssistant.exe (PID: 2336)
      • QMEmulatorService.exe (PID: 3696)
      • syzs_dl_svr.exe (PID: 5472)
      • cef_frame_render.exe (PID: 6852)
      • cef_frame_render.exe (PID: 3140)
      • cef_frame_render.exe (PID: 1944)
      • TextInputHost.exe (PID: 3032)
    • Checks supported languages

      • GLP_installer_900223150_market.exe (PID: 6500)
      • Market.exe (PID: 876)
      • QMEmulatorService.exe (PID: 3696)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
      • PcyybAssistant.exe (PID: 2336)
      • wmpf_installer.exe (PID: 6404)
      • syzs_dl_svr.exe (PID: 5472)
      • cef_frame_render.exe (PID: 3140)
      • cef_frame_render.exe (PID: 6852)
      • cef_frame_render.exe (PID: 6844)
      • cef_frame_render.exe (PID: 7148)
      • cef_frame_render.exe (PID: 1944)
      • TextInputHost.exe (PID: 3032)
    • Reads the machine GUID from the registry

      • GLP_installer_900223150_market.exe (PID: 6500)
      • AppMarket.exe (PID: 6264)
      • wmpf_installer.exe (PID: 6404)
      • syzs_dl_svr.exe (PID: 5472)
      • cef_frame_render.exe (PID: 3140)
    • Reads the software policy settings

      • GLP_installer_900223150_market.exe (PID: 6500)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
      • cef_frame_render.exe (PID: 3140)
    • Creates files in the program directory

      • GLP_installer_900223150_market.exe (PID: 6500)
      • TInst.exe (PID: 6512)
      • AppMarket.exe (PID: 6264)
      • QMEmulatorService.exe (PID: 3696)
      • syzs_dl_svr.exe (PID: 5472)
    • Dropped object may contain TOR URL's

      • Market.exe (PID: 876)
      • TInst.exe (PID: 6512)
    • Process checks computer location settings

      • GLP_installer_900223150_market.exe (PID: 6500)
      • AppMarket.exe (PID: 6264)
      • cef_frame_render.exe (PID: 6844)
      • cef_frame_render.exe (PID: 7148)
    • Checks proxy server information

      • AppMarket.exe (PID: 6264)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6048)
    • Reads product name

      • AppMarket.exe (PID: 6264)
    • Reads Environment values

      • AppMarket.exe (PID: 6264)
    • Reads Windows Product ID

      • AppMarket.exe (PID: 6264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:17 02:57:05+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 2604544
InitializedDataSize: 1211392
UninitializedDataSize: -
EntryPoint: 0x220be4
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tencent
FileDescription: Tencent Game Downloader
FileVersion: 1, 0, 0, 1
InternalName: TGBDownloader.exe
LegalCopyright: Copyright © 2020 Tencent. All Rights Reserved.
OriginalFileName: TGBDownloader.exe
ProductName: Tencent Game Downloader
ProductVersion: 1, 0, 0, 1
No data.
All screenshots are available in the full report
Total processes
176
Monitored processes
33
Malicious processes
4
Suspicious processes
1

Behavior graph

  • glp_installer_900223150_market.exe
  • market.exe
  • tinst.exe
  • qmemulatorservice.exe
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • netsh.exe (no specs)
  • conhost.exe (no specs)
  • appmarket.exe
  • pcyybassistant.exe (no specs)
  • wmpf_installer.exe (no specs)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • syzs_dl_svr.exe (no specs)
  • conhost.exe (no specs)
  • cef_frame_render.exe (no specs)
  • cef_frame_render.exe
  • cef_frame_render.exe (no specs)
  • cef_frame_render.exe (no specs)
  • systeminfo.exe (no specs)
  • conhost.exe (no specs)
  • tiworker.exe (no specs)
  • textinputhost.exe (no specs)
  • cef_frame_render.exe (no specs)
  • glp_installer_900223150_market.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 876
CMD: "C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Market.exe"
Path: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Market.exe
Parent process: GLP_installer_900223150_market.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\temp\txgamedownload\component\appmarket\1d218714941abf910cf39c6d4f265e7d\market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
PID: 1944
CMD: "C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=gpu-process --field-trial-handle=1380,8801329147343237864,16715925901432954193,131072 --disable-features=OutOfBlinkCors --disable-gpu-sandbox --use-gl=disabled --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.71.3146.81" --lang=en-US --gpu-preferences=KAAAAAAAAADoAAAgAAAAAAAAYAAAAAAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=17545352173387255929 --mojo-platform-channel-handle=4312 /prefetch:2
Path: C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
Parent process: AppMarket.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\txgameassistant\appmarket\cef_frame_render.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2224
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: systeminfo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2252
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2336
CMD: "C:\Program Files\TxGameAssistant\AppMarket\PcyybAssistant.exe"
Path: C:\Program Files\TxGameAssistant\AppMarket\PcyybAssistant.exe
Parent process: AppMarket.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
腾讯应用宝
Version:
1.0.109.0
Modules
Images
c:\program files\txgameassistant\appmarket\pcyybassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 3032
CMD: "C:\WINDOWS\system32\Netsh.exe" advfirewall firewall add rule name="AppMarket" dir=in program="c:\program files\txgameassistant\appmarket\AppMarket.exe" action=allow
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: TInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3032
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 3140
CMD: "C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe" --type=utility --field-trial-handle=1380,8801329147343237864,16715925901432954193,131072 --disable-features=OutOfBlinkCors --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36 Tencent AppMarket/3.71.3146.81" --lang=en-US --log-file="C:\Program Files\TxGameAssistant\AppMarket\debug.log" --service-request-channel-token=16164074364415592 --mojo-platform-channel-handle=3320 /prefetch:8
Path: C:\Program Files\TxGameAssistant\AppMarket\cef_frame_render.exe
Parent process: AppMarket.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files\txgameassistant\appmarket\cef_frame_render.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 3144
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 3696
CMD: "C:\Program Files\TxGameAssistant\AppMarket\QMEmulatorService.exe"
Path: C:\Program Files\TxGameAssistant\AppMarket\QMEmulatorService.exe
Parent process: services.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
腾讯手游助手
Version:
3.71.3146.81
Modules
Images
c:\program files\txgameassistant\appmarket\qmemulatorservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events
26 523
Read events
26 450
Write events
68
Delete events
5

Modification events

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\Beacon
Operation: write
Name: Last_Sid_GLP_installer_900223150_market.exe
Value: FA0173D5-B677-4036-AAA9-3CBF8D1583FA

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: TempPath
Value: C:\Temp\TxGameDownload\Component\

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: UserLanguage
Value: en

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: abtestid
Value: {"Component":"0"}

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\GameDownload
Operation: write
Name: DownloadSpeed
Value: 0

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tencent\MobileGamePC
Operation: write
Name: SupplyId
Value: 900223150

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: Region
Value: DE

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Tencent\MobileGamePC\AppMarket
Operation: write
Name: InstallPath
Value: C:\Program Files\TxGameAssistant\AppMarket

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6500) GLP_installer_900223150_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files
439
Suspicious files
347
Text files
1 807
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 6500
Process: GLP_installer_900223150_market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Market.exe
MD5:
SHA256:

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\api-ms-win-core-file-l1-2-0.dll
Type: executable
MD5: EC4F2CB68DCF7E96516EB284003BE8BB
SHA256: 3816BBB7DD76D8FC6A7B83A0ED2F61B23DD5FC0843D3308EE077CB725D5C9088

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\api-ms-win-core-file-l1-2-1.dll
Type: executable
MD5: A32230B9BFDB8813E94D095222AAFA11
SHA256: 7068D2B8AEA252294E6B5C3BF3630475D0A91E11877F11A04E8ED1F91196410F

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\api-ms-win-core-interlocked-l1-1-0.dll
Type: executable
MD5: 48A5E206D92F3102256EC65E8D570EE0
SHA256: A272AE4FC60E511F48950B08F106FCDD3BC86831DF908EE78D630F1AE921880C

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\api-ms-win-core-heap-l1-1-0.dll
Type: executable
MD5: EE5C2FB7BC23BFD06FF32556CC7C3B4D
SHA256: EFC9F0E32BCE971900DDF66A1A9E68DAA3BFB2099A1BA9F24C6EE82DA2CBD6E8

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\AECommonDll.dll
Type: executable
MD5: B58C94617DF43430D2342A66EAA0A554
SHA256: 74C2288B4FF073C5C947F96B0C79A01C587981A8B9440290A9FF33AA14F06E6D

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\api-ms-win-core-datetime-l1-1-0.dll
Type: executable
MD5: 9F3CF9F22836C32D988D7C7E0A977E1B
SHA256: 7D588A5A958E32875D7BD346D1371E6EBFD9D5D2EDE47755942BADFC9C74E207

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\AowGame.xml
Type: text
MD5: 5FD0B9F7612369BCA18996D8AAA9F62C
SHA256: 9937ADDC0F2EEA66EF456A53B21F93E8AE2732CB83F3E0E08E94E763F0150537

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\api-ms-win-core-handle-l1-1-0.dll
Type: executable
MD5: 6A35A52D536E34BA060A19D06B1DAC80
SHA256: A369EF130749BF8CD9F67055179E6F537F200C060AF47493D49473912A95021E

PID: 876
Process: Market.exe
Filename: C:\Temp\TxGameDownload\Component\AppMarket\1d218714941abf910cf39c6d4f265e7d\Setup\aowgameex2.dat
Type: binary
MD5: C99BCCA61C47433E0DF19B4A7668EB56
SHA256: 010C86CAC8101A693C2F35F798C40162FDC510CF809FA2604D42EF2B929A0062
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
283
DNS requests
53
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5092
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5092
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6912
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6960
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
768
lsass.exe
GET
200
163.181.92.233:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbJNRrm8KxusAb7DCqnMkE%3D
unknown
whitelisted
768
lsass.exe
GET
200
163.181.92.233:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAoKZFwCz6Rn2B5Bt25uYXo%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6264
AppMarket.exe
GET
200
163.181.92.233:80
http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQhnxEBNL9LgIhfSsTcHsrTt204QgQURNnISjOO01KNp5KUYR%2BayKW37MsCEAKpOeapfqJKkZUvKymOa1k%3D
unknown
whitelisted
6264
AppMarket.exe
POST
200
43.154.254.18:80
http://masterconn.qq.com/q.cgi
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2768
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5900
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6500
GLP_installer_900223150_market.exe
101.33.47.68:8081
oth.eve.mdt.qq.com
Tencent Building, Kejizhongyi Avenue
SG
unknown
6500
GLP_installer_900223150_market.exe
157.255.4.39:443
master.etl.desktop.qq.com
China Unicom Guangdong IP network
CN
unknown
6500
GLP_installer_900223150_market.exe
150.109.28.234:443
unifiedaccess.gameloop.com
Tencent Building, Kejizhongyi Avenue
SG
unknown
6500
GLP_installer_900223150_market.exe
43.175.152.68:443
down.gameloop.com
SG
unknown
5900
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
master.etl.desktop.qq.com
  • 157.255.4.39
whitelisted
oth.eve.mdt.qq.com
  • 101.33.47.68
  • 101.33.47.206
whitelisted
unifiedaccess.gameloop.com
  • 150.109.28.234
  • 150.109.28.54
  • 49.51.131.79
  • 49.51.129.71
unknown
down.gameloop.com
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted

Threats

PID
Process
Class
Message
6500
GLP_installer_900223150_market.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
6500
GLP_installer_900223150_market.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
6500
GLP_installer_900223150_market.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3696
QMEmulatorService.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
6500
GLP_installer_900223150_market.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
6500
GLP_installer_900223150_market.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
6264
AppMarket.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
6264
AppMarket.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
Process
Message
AppMarket.exe
[Downloader] GetLogicalDrives 4
AppMarket.exe
[Downloader] DriverType C: = 3