File name:

GLP_installer_900223086_market.exe

Full analysis: https://app.any.run/tasks/eb00a94c-87d6-4dce-96ba-31398aa6f24d
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 22, 2025, 01:24:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
tgbdownloader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

503A84464431D9FB77FFF5C76B9181DC

SHA1:

622114E85462B0814C787D30EFE11983E3497D33

SHA256:

D34EF58261364124C05B91D7874E26E251F64B6EA8C2390A378EDBAA4BC9C689

SSDEEP:

98304:kS9OGiqMfLwOqhOu5Y0ItCgGl3AF/YVieFn+WJRTxoCqXhMKm8Qc9SRToNUpJFDK:yD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TGBDOWNLOADER has been detected

      • GLP_installer_900223086_market.exe (PID: 2648)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GLP_installer_900223086_market.exe (PID: 2648)
    • Creates file in the systems drive root

      • GLP_installer_900223086_market.exe (PID: 2648)
    • There is functionality for taking screenshot (YARA)

      • GLP_installer_900223086_market.exe (PID: 2648)
    • The process executes via Task Scheduler

      • updater.exe (PID: 2188)
    • Application launched itself

      • updater.exe (PID: 2188)
  • INFO

    • Checks supported languages

      • GLP_installer_900223086_market.exe (PID: 2648)
      • updater.exe (PID: 6256)
      • updater.exe (PID: 2188)
    • The sample compiled with english language support

      • GLP_installer_900223086_market.exe (PID: 2648)
    • The sample compiled with chinese language support

      • GLP_installer_900223086_market.exe (PID: 2648)
    • Create files in a temporary directory

      • GLP_installer_900223086_market.exe (PID: 2648)
    • Reads the computer name

      • GLP_installer_900223086_market.exe (PID: 2648)
      • updater.exe (PID: 2188)
    • Creates files or folders in the user directory

      • GLP_installer_900223086_market.exe (PID: 2648)
    • Reads the machine GUID from the registry

      • GLP_installer_900223086_market.exe (PID: 2648)
    • Reads the software policy settings

      • GLP_installer_900223086_market.exe (PID: 2648)
      • slui.exe (PID: 2664)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2188)
    • Checks proxy server information

      • slui.exe (PID: 2664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:10 09:00:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 2629120
InitializedDataSize: 1223168
UninitializedDataSize: -
EntryPoint: 0x225f1f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: TGBDownloader
ProductName: TGBDownloader
CompanyName: Tencent
FileVersion: 1, 0, 0, 1
InternalName: TGBDownloader.exe
LegalCopyright: Copyright © 2020 Tencent. All Rights Reserved.
OriginalFileName: TGBDownloader.exe
ProductVersion: 1, 0, 0, 1
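The EXIF block above is derived from the PE COFF and optional headers. The following is an added example, not part of the ANY.RUN report and not the sample itself: a stdlib-only parser that pulls the same fields (machine, section count, TimeDateStamp, linker version, entry point, subsystem and OS version) out of a PE image and runs the sanity checks a triage analyst applies to the compile timestamp. Because the real binary is not reproduced here, the input is a constructed minimal header image (`build_stub_pe`, an assumption) carrying the values the report lists; the checks in `timestamp_notes` and the analysis-date epoch used in the usage call are likewise this example's own.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "x64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def build_stub_pe(timestamp=1696928425, sections=8, linker_major=14, entry=0x225F1F,
                  code_size=2629120, idata_size=1223168, subsystem=2, os_ver=(5, 1)):
    """Constructed minimal PE32 header image (NOT the real sample): DOS stub, PE
    signature, COFF header and PE32 optional header with the values the report's
    EXIF block lists. No section table or code is included."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                 # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,                          # Machine: IMAGE_FILE_MACHINE_I386
                       sections,                        # NumberOfSections
                       timestamp,                       # TimeDateStamp (Unix epoch, UTC)
                       0, 0,                            # symbol table pointer/count (none)
                       224,                             # SizeOfOptionalHeader for PE32
                       0x0102)                          # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, linker_major, 0)    # Magic PE32, linker major.minor
    struct.pack_into("<III", opt, 4, code_size, idata_size, 0)  # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
    struct.pack_into("<I", opt, 16, entry)                      # AddressOfEntryPoint (RVA)
    struct.pack_into("<HH", opt, 40, *os_ver)                   # Major/MinorOperatingSystemVersion
    struct.pack_into("<HH", opt, 48, *os_ver)                   # Major/MinorSubsystemVersion
    struct.pack_into("<H", opt, 68, subsystem)                  # Subsystem: 2 = IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_headers(data: bytes) -> dict:
    """Read the COFF and optional headers; raise on a malformed image rather than
    silently returning zeros (a common triage-script bug)."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    code_size, idata_size, udata_size, entry = struct.unpack_from("<IIII", data, opt + 4)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": ts,
        "compile_time_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code_size,
        "initialized_data_size": idata_size,
        "uninitialized_data_size": udata_size,
        "entry_point": entry,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_32bit": bool(chars & 0x0100),
    }


def timestamp_notes(info: dict, analyzed_at: int, copyright_year: int = 0) -> list:
    """Sanity checks on the compile timestamp: a zeroed or future stamp points to a
    forged header; a copyright year older than the build year (2020 vs. 2023 in the
    report) is normal for a reused version resource but worth recording."""
    notes = []
    if info["timestamp"] == 0:
        notes.append("timestamp is zero (stripped or forged)")
    elif info["timestamp"] > analyzed_at:
        notes.append("timestamp is later than the analysis date (forged)")
    if copyright_year and copyright_year < int(info["compile_time_utc"][:4]):
        notes.append(f"version resource copyright {copyright_year} predates build year")
    return notes


if __name__ == "__main__":
    hdr = parse_pe_headers(build_stub_pe())
    for k, v in hdr.items():
        print(f"{k:>24}: {v:#x}" if k == "entry_point" else f"{k:>24}: {v}")
    # 1750555463 is the report's analysis date (2025-06-22 01:24:23 UTC) as an epoch value.
    print(timestamp_notes(hdr, analyzed_at=1750555463, copyright_year=2020))
```

To run it against a real file, replace `build_stub_pe()` with `open(path, "rb").read()`; the parser reads only the headers, so no sections are needed.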
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> glp_installer_900223086_market.exe
start -> slui.exe
start -> updater.exe (no specs)
start -> updater.exe (no specs)
start -> glp_installer_900223086_market.exe (no specs)

Process information

PID: 1604
CMD: "C:\Users\admin\Desktop\GLP_installer_900223086_market.exe"
Path: C:\Users\admin\Desktop\GLP_installer_900223086_market.exe
Parent process: explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
MEDIUM
Description:
TGBDownloader
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch terminated during process initialisation, which is why only ntdll appears in its module list; the installer then ran elevated as PID 2648 at HIGH integrity)
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\glp_installer_900223086_market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2188
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe (started by Task Scheduler; the report shows no parent/child or dropped-file relationship between this Google Updater instance and the sample)
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2648
CMD: "C:\Users\admin\Desktop\GLP_installer_900223086_market.exe"
Path: C:\Users\admin\Desktop\GLP_installer_900223086_market.exe
Parent process: explorer.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
TGBDownloader
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\glp_installer_900223086_market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 2664
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6256
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 6 832
Read events: 6 828
Write events: 4
Delete events: 0

Modification events

(PID) Process: (2648) GLP_installer_900223086_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\Beacon
Operation: write
Name: Last_Sid_GLP_installer_900223086_market.exe
Value: 4B140C8F-8724-4A96-B495-E65C25D7A17A

(PID) Process: (2648) GLP_installer_900223086_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: TempPath
Value: C:\Temp\TxGameDownload\Component\

(PID) Process: (2648) GLP_installer_900223086_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: UserLanguage
Value: en

(PID) Process: (2648) GLP_installer_900223086_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: abtestid
Value: {"Component":"0"}
Executable files: 1
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2648 | GLP_installer_900223086_market.exe | C:\Users\admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll | executable
  MD5: 2814ACBD607BA47BDBCDF6AC3076EE95
  SHA256: 5904A7E4D97EEAC939662C3638A0E145F64FF3DD0198F895C4BF0337595C6A67
2648 | GLP_installer_900223086_market.exe | C:\test.tmp | binary
  MD5: 43638EA7667FA4FD70C0DCE5B50B4329
  SHA256: 04201272BC32BE050B561E45147D4D6CE5781430EFF27F65FC05295EF4674589
6256 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\updater.log | text
  MD5: 91E8ABC2B1884D57C59162AC620AE495
  SHA256: 3FF7DB5D48BB43B080255A3D2AED05FD17E4649EF10B5A462138D03C5AAD1BB1
2648 | GLP_installer_900223086_market.exe | C:\Users\admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | text
  MD5: 337860A406E99FA23E029DE46EBC4828
  SHA256: 3F8F8E74CC3AC815E4496202692E189E603C00A81E13A4F01F8F363915A31499
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 34
TCP/UDP connections: 71
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation (fields the report leaves blank are shown as -)
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1644 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1644 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 49.51.131.79:443 | https://unifiedaccess.gameloop.com/syzsclient/update/clientupdate | unknown | text | 5.81 Kb | -
- | - | GET | - | 43.152.26.197:443 | https://down.gameloop.com/syzs_cms/202402/1d218714941abf910cf39c6d4f265e7d.exe | unknown | - | - | -
- | - | POST | 200 | 40.126.31.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1644 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1644 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2648 | GLP_installer_900223086_market.exe | 101.33.47.206:8081 | oth.eve.mdt.qq.com | Tencent Building, Kejizhongyi Avenue | SG | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.12
  • 184.24.77.35
whitelisted
master.etl.desktop.qq.com
  • 157.255.4.39
whitelisted
oth.eve.mdt.qq.com
  • 101.33.47.206
  • 101.33.47.68
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.1
  • 20.190.159.73
  • 40.126.31.67
  • 20.190.159.129
  • 20.190.159.0
  • 20.190.159.131
  • 40.126.31.73
whitelisted
unifiedaccess.gameloop.com
  • 49.51.131.79
  • 49.51.129.71
unknown
down.gameloop.com
  • 43.152.26.197
  • 43.152.26.151
  • 43.174.109.182
  • 43.152.28.43
  • 43.174.109.95
  • 43.152.28.77
  • 43.152.29.72
  • 43.152.28.41
  • 43.152.29.77
  • 43.152.26.209
  • 43.152.26.154
  • 43.152.28.111
  • 43.152.26.238
  • 43.152.26.142
  • 43.152.29.148
unknown
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
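The hashes, dropped-file paths, registry key and domains in the sections above are the indicators a responder would turn into a hunt. The script below is an added example, not part of the ANY.RUN report: it matches those indicators against DNS, file-creation and registry log lines and ranks hits by confidence. Note that the report itself marks the qq.com hosts as whitelisted (they are Tencent telemetry endpoints shared with legitimate software), so a DNS hit alone is weighted low, a hash match high. The log line format, host names and sample lines are constructed for the example; `describe_exit_code` only converts the unsigned decimal exit codes the report prints into NTSTATUS hex (PID 1604's 3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED) and knows just the two values used here.

```python
import re

# IOCs transcribed from the report: sample and dropped-file SHA256 values.
IOC_SHA256 = {
    "d34ef58261364124c05b91d7874e26e251f64b6ea8c2390a378edbaa4bc9c689": "GLP_installer_900223086_market.exe",
    "5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67": "dr.dll (dropped by PID 2648)",
    "04201272bc32be050b561e45147d4d6ce5781430eff27f65fc05295ef4674589": "C:\\test.tmp (dropped by PID 2648)",
}
# Domains from the DNS section. The qq.com telemetry hosts are shared with legitimate
# Tencent products (the report lists them as whitelisted), so they score low on their own.
IOC_DOMAINS = {
    "oth.eve.mdt.qq.com": "low",
    "master.etl.desktop.qq.com": "low",
    "unifiedaccess.gameloop.com": "medium",
    "down.gameloop.com": "medium",
}
# Paths from "Dropped files" and the TempPath registry value, user name wildcarded,
# compared case-insensitively.
IOC_PATHS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\tencent\\txgameassistant\\tgbdownloader\\dr\.dll$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\tencent\\deskupdate\\globalmgr\.db$"),
    re.compile(r"^c:\\temp\\txgamedownload\\component\\"),
    re.compile(r"^c:\\test\.tmp$"),
]
IOC_REG_KEYS = [r"hkcu\software\tencent\mobilegamepc"]
SEVERITY = {"low": 1, "medium": 2, "high": 3}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """'KIND key=value key="value with spaces" ...' -> (KIND, {key: value}). Toy format."""
    kind, _, rest = line.strip().partition(" ")
    return kind.upper(), {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def normalize_key(key: str) -> str:
    """Registry keys arrive as HKEY_CURRENT_USER or HKCU depending on the log source."""
    return re.sub(r"^hkey_current_user", "hkcu", key.strip().lower())


def hunt(lines):
    """Return (host, kind, indicator, confidence) for every line that matches an IOC."""
    hits = []
    for line in lines:
        kind, f = parse_line(line)
        host = f.get("host", "?")
        if kind == "DNS":
            q = f.get("query", "").lower().rstrip(".")
            if q in IOC_DOMAINS:
                hits.append((host, "dns", q, IOC_DOMAINS[q]))
        elif kind == "FILE":
            sha = f.get("sha256", "").lower()
            path = f.get("path", "").lower()
            if sha in IOC_SHA256:                          # exact hash: highest confidence
                hits.append((host, "hash", IOC_SHA256[sha], "high"))
            elif any(p.match(path) for p in IOC_PATHS):    # same path, different content
                hits.append((host, "path", path, "medium"))
        elif kind == "REG":
            key = normalize_key(f.get("key", ""))
            if any(key.startswith(k) for k in IOC_REG_KEYS):
                hits.append((host, "registry", key, "medium"))
    return hits


def summarize(hits):
    """Highest confidence seen per host."""
    worst = {}
    for host, _, _, conf in hits:
        if host not in worst or SEVERITY[conf] > SEVERITY[worst[host]]:
            worst[host] = conf
    return worst


NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC000042C: "STATUS_ELEVATION_REQUIRED"}


def describe_exit_code(code: int) -> str:
    """Sandbox reports print exit codes as unsigned decimals; NTSTATUS values only
    make sense in hex (PID 1604 above: 3221226540 -> 0xC000042C)."""
    code &= 0xFFFFFFFF
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown')})"


# Constructed log lines for the demo; host names and the second sha256 are invented.
SAMPLE_LOG = [
    r'DNS host=ws01 query=oth.eve.mdt.qq.com answer=101.33.47.206',
    r'DNS host=ws01 query=crl.microsoft.com answer=184.24.77.37',
    r'FILE host=ws01 path="C:\Users\bob\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll" sha256=5904A7E4D97EEAC939662C3638A0E145F64FF3DD0198F895C4BF0337595C6A67',
    r'FILE host=ws02 path="C:\test.tmp" sha256=' + "00" * 32,
    r'REG host=ws01 key=HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC name=TempPath value="C:\Temp\TxGameDownload\Component\"',
    r'DNS host=ws02 query=google.com answer=142.250.186.46',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print(summarize(hunt(SAMPLE_LOG)))
    print(describe_exit_code(3221226540))
```

The confidence tiers matter in practice: the sample's own network traffic in this report goes only to a whitelisted Tencent telemetry host, so a hunt built on DNS alone would either miss it or flood on every machine with Tencent software installed, whereas the dropped `dr.dll` hash and the `HKCU\SOFTWARE\Tencent\MobileGamePC` key are specific to this installer.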

Threats

No threats detected
No debug info