File name: GlaryUtilitiesPro6.16.0.20.exe
Full analysis: https://app.any.run/tasks/fc9c08b3-7b74-49cb-bc64-97ec0c9f2686
Verdict: Malicious activity
Analysis date: October 06, 2024, 04:06:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: websocket
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 99386C862BED83E492FBBF2DE408E6E0
SHA1: 7D16931EA38310BCC5F03B124E9A2B5C9D00661B
SHA256: F504DE8804DDC1E96155FBC8EA588DD58F9FCA7577512CE294E1BE21BA9A9DD9
SSDEEP: 196608:vpGxT1Np0xcyOh2rIn4Z3Vb/dVadr+NK/I6PxkUR72UCLcMf:vpWT1NTySlnw3V2oNK/B+c2RRf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Registers / Runs the DLL via REGSVR32.EXE

      • gupsetup.exe (PID: 2632)
    • Starts NET.EXE for service management

      • net.exe (PID: 2512)
      • net.exe (PID: 6672)
      • gupsetup.exe (PID: 2632)
      • net.exe (PID: 1460)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GlaryUtilitiesPro6.16.0.20.exe (PID: 4980)
      • GlaryUtilitiesPro6.16.0.20.exe (PID: 608)
      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
      • powershell.exe (PID: 3588)
      • GlaryUtilitiesPro6.16.0.20.exe (PID: 5728)
      • gupsetup.exe (PID: 2632)
      • statisticsinfo.exe (PID: 3924)
      • StartupManager.exe (PID: 2608)
    • Reads security settings of Internet Explorer

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 5524)
    • Reads the Windows owner or organization settings

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Starts CMD.EXE for commands execution

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5220)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2128)
    • Process drops legitimate windows executable

      • gupsetup.exe (PID: 2632)
    • The process drops C-runtime libraries

      • gupsetup.exe (PID: 2632)
    • Drops a system driver (possible attempt to evade defenses)

      • StartupManager.exe (PID: 2608)
    • Executes as Windows Service

      • MemfilesService.exe (PID: 6920)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 2980)
    • Found IP address in command line

      • powershell.exe (PID: 3588)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • gupsetup.exe (PID: 2632)
  • INFO

    • Create files in a temporary directory

      • GlaryUtilitiesPro6.16.0.20.exe (PID: 4980)
      • GlaryUtilitiesPro6.16.0.20.exe (PID: 608)
      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Reads the computer name

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 5524)
      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Checks supported languages

      • GlaryUtilitiesPro6.16.0.20.exe (PID: 608)
      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 5524)
      • GlaryUtilitiesPro6.16.0.20.exe (PID: 4980)
      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Process checks computer location settings

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 5524)
    • Creates files or folders in the user directory

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Creates a software uninstall entry

      • GlaryUtilitiesPro6.16.0.20.tmp (PID: 1964)
    • Application launched itself

      • msedge.exe (PID: 5796)
      • msedge.exe (PID: 5712)
    • Attempting to connect via WebSocket

      • wlogon.exe (PID: 6556)
    • Manual execution by a user

      • msedge.exe (PID: 5712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:06:03 08:09:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 249344
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 6.16.0.20
ProductVersionNumber: 6.16.0.20
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: GlarySoft
FileDescription: Glary Utilities Pro
FileVersion: 6.16.0.20
LegalCopyright: © GlarySoft, Inc.
OriginalFileName:
ProductName: Glary Utilities Pro
ProductVersion: 6.16.0.20
No data.
All screenshots are available in the full report
Total processes: 204
Monitored processes: 79
Malicious processes: 5
Suspicious processes: 1

Behavior graph

start glaryutilitiespro6.16.0.20.exe glaryutilitiespro6.16.0.20.tmp no specs glaryutilitiespro6.16.0.20.exe glaryutilitiespro6.16.0.20.tmp cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe wlogon.exe glaryutilitiespro6.16.0.20.exe gupsetup.exe net.exe no specs conhost.exe no specs net1.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs guassistcomsvc.exe no specs statisticsinfo.exe diskdefrag.exe no specs startupmanager.exe gubootservice.exe no specs gupmservice.exe no specs procmgr.exe no specs memfilesservice.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs memfilesservice.exe no specs initialize.exe no specs gubootservice.exe no specs guassistcomsvc.exe no specs schtasks.exe no specs conhost.exe no specs infdefaultinstall.exe no specs runonce.exe no specs grpconv.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID: 8
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6096 --field-trial-handle=2340,i,13818360214599537579,15558284707528499972,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 240
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6560 --field-trial-handle=2340,i,13818360214599537579,15558284707528499972,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 608
CMD: "C:\Users\admin\Desktop\GlaryUtilitiesPro6.16.0.20.exe" /SPAWNWND=$D0318 /NOTIFYWND=$F025A
Path: C:\Users\admin\Desktop\GlaryUtilitiesPro6.16.0.20.exe
Parent process: GlaryUtilitiesPro6.16.0.20.tmp
User:
admin
Company:
GlarySoft
Integrity Level:
HIGH
Description:
Glary Utilities Pro
Exit code:
0
Version:
6.16.0.20
Modules
Images
c:\users\admin\desktop\glaryutilitiespro6.16.0.20.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 908
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3752 --field-trial-handle=2340,i,13818360214599537579,15558284707528499972,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1008
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1076
CMD: "C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\1.0\GUBootService.exe" /Service
Path: C:\Program Files (x86)\Common Files\Glarysoft\StartupManager\1.0\GUBootService.exe
Parent process: StartupManager.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
HIGH
Description:
Glary Startup Manager Boot Service
Exit code:
0
Version:
6.0.0.2
Modules
Images
c:\program files (x86)\common files\glarysoft\startupmanager\1.0\gubootservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1116
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2344 --field-trial-handle=2340,i,13818360214599537579,15558284707528499972,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1168
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6116 --field-trial-handle=2340,i,13818360214599537579,15558284707528499972,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1460
CMD: net start GUMemfilesService
Path: C:\Windows\SysWOW64\net.exe
Parent process: gupsetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1608
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3512 --field-trial-handle=2340,i,13818360214599537579,15558284707528499972,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 486
Read events: 14 288
Write events: 170
Delete events: 28

Modification events

All ten modification events were written by (PID 1964) GlaryUtilitiesPro6.16.0.20.tmp to the key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Glary Utilities Pro_is1 (operation: write). Name = Value:

Inno Setup: Setup Version = 6.2.0
Inno Setup: App Path = C:\Users\admin\AppData\Local
InstallLocation = C:\Users\admin\AppData\Local\
Inno Setup: Icon Group = Glary Utilities Pro
Inno Setup: User = admin
Inno Setup: Language = english
DisplayName = Glary Utilities Pro
UninstallString = "C:\Users\admin\AppData\Local\unins000.exe"
QuietUninstallString = "C:\Users\admin\AppData\Local\unins000.exe" /SILENT
DisplayVersion = 6.16.0.20
Executable files: 159
Suspicious files: 171
Text files: 793
Unknown types: 1

Dropped files

PID 1964, GlaryUtilitiesPro6.16.0.20.tmp: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.lnk (binary)
  MD5: 9B920507C04EBF550879F5A54E9EC4D5
  SHA256: DA922462B29F6BF868DAB40D6F95F3A9E2719B510D180B8CC4C5E3EA0B3F97D7
PID 1964, GlaryUtilitiesPro6.16.0.20.tmp: C:\Users\admin\AppData\Local\is-HR58T.tmp (executable)
  MD5: 56A008C51E18B04CA18A231BDDAD8E61
  SHA256: 97688EC3A9DC72FFBEE52F604F6B84FAAD90CC4061CD9067A0424D8356BFE456
PID 1964, GlaryUtilitiesPro6.16.0.20.tmp: C:\Users\admin\AppData\Local\Packages\Glary Utilities Pro 6.16.0.20.zip (compressed)
  MD5: B52114E3105237EA5AABDF49EA3C6211
  SHA256: 01EC5C55479BA62DF905C5CD0606E1FE7C8DF84E257CAC8353EC8FC2C4013DE9
PID 3588, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vrhtx343.jla.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 3588, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gguszxnr.3gl.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 608, GlaryUtilitiesPro6.16.0.20.exe: C:\Users\admin\AppData\Local\Temp\is-M6GG2.tmp\GlaryUtilitiesPro6.16.0.20.tmp (executable)
  MD5: 32F80014D48D2192ACA9C811538CF923
  SHA256: 0E97E48BFE3C8DCEF1BF7A0B349F9DC27730AD24EB849713C4B2703874919E04
PID 5728, GlaryUtilitiesPro6.16.0.20.exe: C:\Users\admin\AppData\Local\Temp\RarSFX0\Register.inf (binary)
  MD5: D35C0E900605F157653EFCF82C88C554
  SHA256: 3EF78A03F14D92665877959ECC4D32ABD545EAAE10A1BDC8C7628AB1644417C2
PID 3588, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nukrrwz3.met.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 3588, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ubmwmowa.p4e.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 3588, powershell.exe: C:\Users\admin\AppData\Local\Packages\GlaryUtilitiesPro6.16.0.20.exe (executable)
  MD5: 5F4F72F5A965838101382343F93120DF
  SHA256: D95A3AE527A5267A2E50A0064BB00EE3B3CE956292A1BB175AF634102E060923
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 95
TCP/UDP connections: 145
DNS requests: 96
Threats: 30

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6556 | wlogon.exe | GET | 502 | 54.38.216.83:443 | http://54.38.216.83:443/strvn | unknown | | | unknown
6556 | wlogon.exe | GET | 502 | 54.38.216.83:443 | http://54.38.216.83:443/strvn | unknown | | | unknown
3924 | statisticsinfo.exe | POST | 200 | 52.24.207.204:80 | http://analytics.glarysoft.com/api/v1/install | unknown | | | unknown
| | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | | | unknown
6556 | wlogon.exe | GET | 502 | 54.38.216.83:443 | http://54.38.216.83:443/strvn | unknown | | | unknown
| | GET | 200 | 1.0.0.1:443 | https://cloudflare-dns.com/dns-query?name=register.akamaized.ca&type=A | unknown | binary | 205 b | whitelisted
| | GET | | 13.107.246.64:443 | https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=topSite&IsStable=false | unknown | | | unknown
| | GET | | 13.107.246.64:443 | https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites?version=0&type=dafSite&IsStable=false | unknown | | | unknown
| | GET | 200 | 1.0.0.1:443 | https://cloudflare-dns.com/dns-query?name=register.akamaized.ca&type=A | unknown | binary | 205 b | whitelisted
| | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=45&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 735 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2280 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5336 | SearchApp.exe | 51.105.71.137:443 | browser.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
6556 | wlogon.exe | 1.1.1.1:443 | | CLOUDFLARENET | | malicious
6556 | wlogon.exe | 54.38.216.83:443 | | OVH SAS | FR | unknown
3924 | statisticsinfo.exe | 52.24.207.204:80 | analytics.glarysoft.com | AMAZON-02 | US | suspicious
3812 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.184.238 | whitelisted
browser.pipe.aria.microsoft.com | 51.105.71.137 | whitelisted
analytics.glarysoft.com | 52.24.207.204 | unknown
config.edge.skype.com | 13.107.42.16 | whitelisted
ftuapps.dev | 188.114.97.3, 188.114.96.3 | malicious
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
business.bing.com | 13.107.6.158 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.64 | whitelisted
ftuapps.io | 188.114.96.3, 188.114.97.3 | unknown
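Two details in the network tables deserve a check the report does not spell out. First, wlogon.exe (PID 6556) talks to a bare IP, 54.38.216.83, recorded with an http:// scheme on port 443, and gets 502 responses; whether the traffic was cleartext on the wire or this is the sandbox's decrypted view, a literal IP with a scheme/port mismatch is worth a tag on its own. Second, the lookup for register.akamaized.ca was made as a DNS-over-HTTPS GET to cloudflare-dns.com, which is why that name does not appear in the DNS requests shown on this page: the system resolver never saw it. The row carries no PID on this page, so which process issued it is not stated, though wlogon.exe's connection to 1.1.1.1:443 in the Connections table is marked malicious. The following is an added example, not part of the report, that transcribes a subset of the HTTP and DNS rows and tags them; DOH_ENDPOINTS is an assumption listing common public resolvers, since the report only shows cloudflare-dns.com.

```python
"""Tagging of HTTP request rows and DNS request entries taken from the ANY.RUN
report above.

Added example, not part of the report.  HTTP_ROWS and DNS_LOG are transcribed
from the page's HTTP requests and DNS requests tables (subsets; rows without a
PID on the page are kept without one).  DOH_ENDPOINTS is an assumption
listing common public DNS-over-HTTPS resolvers; the report only shows
cloudflare-dns.com.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class HttpRow:
    pid: Optional[int]
    process: Optional[str]
    method: str
    status: Optional[int]
    url: str


HTTP_ROWS = [
    HttpRow(6556, "wlogon.exe", "GET", 502, "http://54.38.216.83:443/strvn"),
    HttpRow(3924, "statisticsinfo.exe", "POST", 200,
            "http://analytics.glarysoft.com/api/v1/install"),
    HttpRow(None, None, "GET", 401,
            "https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox"),
    HttpRow(None, None, "GET", 200,
            "https://cloudflare-dns.com/dns-query?name=register.akamaized.ca&type=A"),
    HttpRow(None, None, "GET", None,
            "https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v2/GetEligibleSites"
            "?version=0&type=topSite&IsStable=false"),
]

# Names the system resolver was asked for, per the page's DNS requests list.
DNS_LOG = {
    "settings-win.data.microsoft.com", "google.com", "browser.pipe.aria.microsoft.com",
    "analytics.glarysoft.com", "config.edge.skype.com", "ftuapps.dev",
    "edge.microsoft.com", "business.bing.com", "edge-mobile-static.azureedge.net",
    "ftuapps.io",
}

# ASSUMED: common public DoH resolvers.  Extend with whatever your environment permits.
DOH_ENDPOINTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def doh_query_name(url: str) -> Optional[str]:
    """Return the name queried via a GET-style DoH request (/dns-query with a
    JSON-API style ?name= parameter), or None when the URL is not a DoH lookup."""
    u = urlsplit(url)
    if u.hostname in DOH_ENDPOINTS and u.path == "/dns-query":
        names = parse_qs(u.query).get("name")
        if names:
            return names[0].rstrip(".").lower()
    return None


def tag_request(row: HttpRow) -> List[str]:
    """Tags an analyst would want raised on a single HTTP row."""
    u = urlsplit(row.url)
    host = u.hostname or ""
    tags = []
    if is_bare_ip(host):
        tags.append("bare-ip-host")              # no DNS name or certificate CN to pivot on
    if u.scheme == "http" and u.port == 443:
        tags.append("http-scheme-on-port-443")   # scheme/port mismatch as recorded by the sandbox
    if u.scheme == "http" and row.method == "POST":
        tags.append("cleartext-post")            # data leaves the host unencrypted
    name = doh_query_name(row.url)
    if name:
        tags.append("doh-lookup:" + name)        # resolution bypasses the system resolver
    if row.status is not None and row.status >= 500:
        tags.append("server-error")              # e.g. a C2 front that is down or refusing the sandbox
    return tags


def names_resolved_outside_system_dns(rows: List[HttpRow], dns_log: Set[str]) -> Set[str]:
    """Names looked up over DoH that never reached the system resolver log."""
    return {n for n in (doh_query_name(r.url) for r in rows) if n and n not in dns_log}


def triage(rows: List[HttpRow]) -> List[Tuple[Optional[int], Optional[str], str, List[str]]]:
    """(pid, process, url, tags) for every row that earned at least one tag."""
    out = []
    for r in rows:
        tags = tag_request(r)
        if tags:
            out.append((r.pid, r.process, r.url, tags))
    return out


if __name__ == "__main__":
    for pid, proc, url, tags in triage(HTTP_ROWS):
        print(pid, proc, url, ", ".join(tags))
    print("resolved outside system DNS:", names_resolved_outside_system_dns(HTTP_ROWS, DNS_LOG))
```

The DoH check is the one to keep: a DNS-request list, whether from a sandbox or from your own resolver logs, is only complete for names that went through the resolver, so any proxy or egress log with a /dns-query URL should be folded back into the name inventory before the DNS view is trusted.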

Threats

PID | Process | Class | Message
6556 | wlogon.exe | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
| | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
| | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
6556 | wlogon.exe | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
3924 | statisticsinfo.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
6556 | wlogon.exe | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
| | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
| | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
6556 | wlogon.exe | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request
3812 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
1 ETPRO signatures available at the full report
No debug info