Malware analysis com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe Malicious activity

Add for printing

File name:	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe
Full analysis:	https://app.any.run/tasks/52f7f9dd-d941-4127-ab69-5dbfaf5948ba
Verdict:	Malicious activity
Analysis date:	February 23, 2026, 09:57:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	antivm teamviewer anti-evasion
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:	B4BD6A06886DF1306D709D2FA69CF226
SHA1:	38DF70CA0F18DDE752652FAB71363080DB873E1E
SHA256:	3EF376716C0E6C9552F8C83BD226150A35E6BE0C5B2D490262F76C7C1CE30B8C
SSDEEP:	98304:401k5GTjWeX4vezDECi+F6ZMalgsvuEuW2Yu9wB+yKsGTCHO/vZZSuNa+o3VnqjV:yg5ik

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - Setup.exe (PID: 1932)
- Proxy execution via Explorer
  - AndrowsStore.exe (PID: 8504)
SUSPICIOUS
- The process verifies whether the antivirus software is installed
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - crashpad_handler.exe (PID: 8608)
  - crashpad_handler.exe (PID: 3644)
  - AndrowsAssistant.exe (PID: 3508)
  - opengl_checker.exe (PID: 8448)
  - AndrowsAssistant.exe (PID: 6236)
  - AndrowsAssistant.exe (PID: 7508)
  - regsvr32.exe (PID: 7304)
  - AndrowsSvr.exe (PID: 5892)
  - crashpad_handler.exe (PID: 3212)
  - regsvr32.exe (PID: 8028)
  - AndrowsLauncher.exe (PID: 1984)
  - crashpad_handler.exe (PID: 7712)
  - AndrowsAssistant.exe (PID: 2096)
  - AndrowsStore.exe (PID: 8504)
  - crashpad_handler.exe (PID: 6992)
  - AndrowsDlSvr.exe (PID: 5308)
  - AndrowsAssistant.exe (PID: 7240)
  - CefRendererProcess.exe (PID: 4368)
  - CefRendererProcess.exe (PID: 8916)
  - CefRendererProcess.exe (PID: 6692)
  - CefRendererProcess.exe (PID: 8876)
  - AndrowsAssistant.exe (PID: 5468)
  - CefRendererProcess.exe (PID: 7844)
  - CefRendererProcess.exe (PID: 4220)
  - CefRendererProcess.exe (PID: 5788)
  - CefRendererProcess.exe (PID: 5220)
  - opengl_checker.exe (PID: 1188)
  - AndrowsAssistant.exe (PID: 8332)
  - AndrowsAssistant.exe (PID: 8024)
  - AndrowsAssistant.exe (PID: 1844)
  - AndrowsAssistant.exe (PID: 7028)
  - AndrowsAssistant.exe (PID: 3304)
  - AndrowsAssistant.exe (PID: 4756)
  - AndrowsAssistant.exe (PID: 2228)
  - CefRendererProcess.exe (PID: 6920)
  - Setup.exe (PID: 3036)
  - AndrowsAssistant.exe (PID: 5788)
  - AndrowsAssistant.exe (PID: 2448)
  - crashpad_handler.exe (PID: 1352)
  - AndrowsLauncher.exe (PID: 8108)
  - AndrowsAssistantToast.exe (PID: 8652)
  - dxdiag.exe (PID: 8996)
  - AndrowsAssistant.exe (PID: 6792)
  - AndrowsAssistant.exe (PID: 6212)
  - AndrowsAssistant.exe (PID: 8608)
  - AndrowsAssistant.exe (PID: 4784)
  - AndrowsAssistant.exe (PID: 5804)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - explorer.exe (PID: 7100)
  - explorer.exe (PID: 4140)
  - Weixin.exe (PID: 3988)
  - crashpad_handler.exe (PID: 4064)
- There is functionality for VM detection VMWare (YARA)
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - AndrowsStore.exe (PID: 8504)
- There is functionality for VM detection VirtualBox (YARA)
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsStore.exe (PID: 8504)
- Executable content was dropped or overwritten
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsStore.exe (PID: 8504)
  - Setup.exe (PID: 3036)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - Weixin.exe (PID: 3988)
- Drops 7-zip archiver for unpacking
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
- Reads the date of Windows installation
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - AndrowsAssistant.exe (PID: 3508)
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsLauncher.exe (PID: 1984)
  - AndrowsStore.exe (PID: 8504)
  - AndrowsLauncher.exe (PID: 8108)
  - AndrowsAssistant.exe (PID: 8332)
  - Weixin.exe (PID: 3988)
- Drops a system driver (possible attempt to evade defenses)
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
- The process drops C-runtime libraries
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsStore.exe (PID: 8504)
- Named pipe usage
  - crashpad_handler.exe (PID: 8608)
  - crashpad_handler.exe (PID: 3644)
  - crashpad_handler.exe (PID: 7712)
  - crashpad_handler.exe (PID: 6992)
  - crashpad_handler.exe (PID: 1352)
- Reads the BIOS version
  - Setup.exe (PID: 1932)
  - Weixin.exe (PID: 3988)
- Creates file in the systems drive root
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
- The process checks if it is being run in the virtual environment
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
- Executes as Windows Service
  - AndrowsSvr.exe (PID: 5892)
- Creates files in the driver directory
  - Setup.exe (PID: 1932)
- Windows service management via SC.EXE
  - sc.exe (PID: 7916)
- Creates or modifies Windows services
  - Setup.exe (PID: 1932)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 8028)
  - dxdiag.exe (PID: 8996)
- Starts SC.EXE for service management
  - cmd.exe (PID: 1400)
- Searches for installed software
  - AndrowsStore.exe (PID: 8504)
- Application launched itself
  - AndrowsAssistant.exe (PID: 8332)
  - WeChatAppEx.exe (PID: 2992)
- The process creates files with name similar to system file names
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
- Explorer used for Indirect Command Execution
  - explorer.exe (PID: 7100)
- Malware-specific behavior (creating "System.dll" in Temp)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
INFO
- Checks supported languages
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - crashpad_handler.exe (PID: 8608)
  - Setup.exe (PID: 1932)
  - AndrowsAssistant.exe (PID: 3508)
  - crashpad_handler.exe (PID: 3644)
  - opengl_checker.exe (PID: 8448)
  - AndrowsAssistant.exe (PID: 6236)
  - AndrowsAssistant.exe (PID: 7508)
  - AndrowsSvr.exe (PID: 5892)
  - crashpad_handler.exe (PID: 3212)
  - dokanctl.exe (PID: 5448)
  - AndrowsLauncher.exe (PID: 1984)
  - crashpad_handler.exe (PID: 7712)
  - AndrowsAssistant.exe (PID: 2096)
  - AndrowsStore.exe (PID: 8504)
  - crashpad_handler.exe (PID: 6992)
  - AndrowsDlSvr.exe (PID: 5308)
  - AndrowsAssistant.exe (PID: 7240)
  - CefRendererProcess.exe (PID: 4368)
  - CefRendererProcess.exe (PID: 8916)
  - CefRendererProcess.exe (PID: 6692)
  - AndrowsAssistant.exe (PID: 5468)
  - CefRendererProcess.exe (PID: 8876)
  - CefRendererProcess.exe (PID: 4220)
  - CefRendererProcess.exe (PID: 7844)
  - CefRendererProcess.exe (PID: 5788)
  - CefRendererProcess.exe (PID: 5220)
  - opengl_checker.exe (PID: 1188)
  - AndrowsAssistant.exe (PID: 8332)
  - AndrowsAssistant.exe (PID: 1844)
  - AndrowsAssistant.exe (PID: 7028)
  - AndrowsAssistant.exe (PID: 3304)
  - AndrowsAssistant.exe (PID: 8024)
  - AndrowsAssistant.exe (PID: 4756)
  - AndrowsAssistant.exe (PID: 2228)
  - CefRendererProcess.exe (PID: 6920)
  - Setup.exe (PID: 3036)
  - AndrowsAssistant.exe (PID: 5788)
  - AndrowsAssistant.exe (PID: 2448)
  - AndrowsLauncher.exe (PID: 8108)
  - crashpad_handler.exe (PID: 1352)
  - AndrowsAssistantToast.exe (PID: 8652)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - AndrowsAssistant.exe (PID: 6212)
  - AndrowsAssistant.exe (PID: 5804)
  - AndrowsAssistant.exe (PID: 8608)
  - AndrowsAssistant.exe (PID: 4784)
  - AndrowsAssistant.exe (PID: 6792)
  - Weixin.exe (PID: 3988)
  - WeChatAppEx.exe (PID: 2992)
  - WeChatAppEx.exe (PID: 9092)
  - WeChatAppEx.exe (PID: 2232)
  - crashpad_handler.exe (PID: 4064)
- Creates files or folders in the user directory
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - CefRendererProcess.exe (PID: 8916)
  - AndrowsStore.exe (PID: 8504)
  - dxdiag.exe (PID: 8996)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - crashpad_handler.exe (PID: 4064)
  - Weixin.exe (PID: 3988)
  - WeChatAppEx.exe (PID: 2992)
  - WeChatAppEx.exe (PID: 2232)
- Reads the computer name
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - crashpad_handler.exe (PID: 8608)
  - Setup.exe (PID: 1932)
  - AndrowsAssistant.exe (PID: 3508)
  - AndrowsAssistant.exe (PID: 6236)
  - AndrowsAssistant.exe (PID: 7508)
  - crashpad_handler.exe (PID: 3644)
  - opengl_checker.exe (PID: 8448)
  - AndrowsSvr.exe (PID: 5892)
  - crashpad_handler.exe (PID: 3212)
  - dokanctl.exe (PID: 5448)
  - AndrowsLauncher.exe (PID: 1984)
  - crashpad_handler.exe (PID: 7712)
  - AndrowsAssistant.exe (PID: 2096)
  - AndrowsStore.exe (PID: 8504)
  - crashpad_handler.exe (PID: 6992)
  - AndrowsAssistant.exe (PID: 7240)
  - AndrowsDlSvr.exe (PID: 5308)
  - CefRendererProcess.exe (PID: 4368)
  - CefRendererProcess.exe (PID: 8916)
  - AndrowsAssistant.exe (PID: 5468)
  - CefRendererProcess.exe (PID: 4220)
  - CefRendererProcess.exe (PID: 5788)
  - opengl_checker.exe (PID: 1188)
  - AndrowsAssistant.exe (PID: 8332)
  - AndrowsAssistant.exe (PID: 8024)
  - AndrowsAssistant.exe (PID: 1844)
  - AndrowsAssistant.exe (PID: 7028)
  - AndrowsAssistant.exe (PID: 3304)
  - AndrowsAssistant.exe (PID: 2228)
  - AndrowsAssistant.exe (PID: 4756)
  - CefRendererProcess.exe (PID: 6920)
  - Setup.exe (PID: 3036)
  - AndrowsAssistant.exe (PID: 5788)
  - AndrowsAssistant.exe (PID: 2448)
  - AndrowsLauncher.exe (PID: 8108)
  - crashpad_handler.exe (PID: 1352)
  - AndrowsAssistantToast.exe (PID: 8652)
  - AndrowsAssistant.exe (PID: 6792)
  - AndrowsAssistant.exe (PID: 6212)
  - AndrowsAssistant.exe (PID: 8608)
  - AndrowsAssistant.exe (PID: 5804)
  - AndrowsAssistant.exe (PID: 4784)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - Weixin.exe (PID: 3988)
  - WeChatAppEx.exe (PID: 2992)
  - WeChatAppEx.exe (PID: 2232)
  - WeChatAppEx.exe (PID: 9092)
- Reads the machine GUID from the registry
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - crashpad_handler.exe (PID: 8608)
  - Setup.exe (PID: 1932)
  - AndrowsAssistant.exe (PID: 3508)
  - crashpad_handler.exe (PID: 3644)
  - AndrowsSvr.exe (PID: 5892)
  - crashpad_handler.exe (PID: 3212)
  - crashpad_handler.exe (PID: 7712)
  - AndrowsStore.exe (PID: 8504)
  - crashpad_handler.exe (PID: 6992)
  - AndrowsDlSvr.exe (PID: 5308)
  - AndrowsAssistant.exe (PID: 8332)
  - AndrowsAssistant.exe (PID: 8024)
  - AndrowsAssistant.exe (PID: 1844)
  - Setup.exe (PID: 3036)
  - crashpad_handler.exe (PID: 1352)
  - AndrowsAssistantToast.exe (PID: 8652)
  - AndrowsAssistant.exe (PID: 6792)
  - Weixin.exe (PID: 3988)
  - WeChatAppEx.exe (PID: 2232)
  - WeChatAppEx.exe (PID: 2992)
- Create files in a temporary directory
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - AndrowsAssistant.exe (PID: 6236)
  - crashpad_handler.exe (PID: 8608)
  - AndrowsLauncher.exe (PID: 1984)
  - AndrowsStore.exe (PID: 8504)
  - AndrowsAssistantToast.exe (PID: 8652)
  - dxdiag.exe (PID: 8996)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
- There is functionality for taking screenshot (YARA)
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
- The sample compiled with english language support
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsStore.exe (PID: 8504)
  - Setup.exe (PID: 3036)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - Weixin.exe (PID: 3988)
- Creates files in the program directory
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsAssistant.exe (PID: 3508)
  - AndrowsSvr.exe (PID: 5892)
  - crashpad_handler.exe (PID: 3212)
  - AndrowsAssistant.exe (PID: 2096)
  - AndrowsStore.exe (PID: 8504)
  - AndrowsDlSvr.exe (PID: 5308)
  - AndrowsAssistant.exe (PID: 8332)
  - Setup.exe (PID: 3036)
  - AndrowsAssistantToast.exe (PID: 8652)
  - AndrowsAssistant.exe (PID: 6792)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
- Drops script file
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsStore.exe (PID: 8504)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - Weixin.exe (PID: 3988)
- The sample compiled with chinese language support
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsStore.exe (PID: 8504)
  - Setup.exe (PID: 3036)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
  - Weixin.exe (PID: 3988)
- Process checks computer location settings
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsAssistant.exe (PID: 3508)
  - AndrowsLauncher.exe (PID: 1984)
  - AndrowsStore.exe (PID: 8504)
  - CefRendererProcess.exe (PID: 6692)
  - CefRendererProcess.exe (PID: 8876)
  - CefRendererProcess.exe (PID: 7844)
  - AndrowsLauncher.exe (PID: 8108)
  - AndrowsAssistant.exe (PID: 8332)
  - WeChatAppEx.exe (PID: 2992)
- Reads security settings of Internet Explorer
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - Setup.exe (PID: 1932)
  - AndrowsAssistant.exe (PID: 3508)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsLauncher.exe (PID: 1984)
  - AndrowsStore.exe (PID: 8504)
  - AndrowsLauncher.exe (PID: 8108)
  - AndrowsAssistant.exe (PID: 8332)
  - dxdiag.exe (PID: 8996)
  - explorer.exe (PID: 4140)
  - WeChatAppEx.exe (PID: 2232)
  - WeChatAppEx.exe (PID: 2992)
- Reads Environment values
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
- Reads product name
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
- Checks proxy server information
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
  - AndrowsAssistant.exe (PID: 8332)
  - AndrowsAssistant.exe (PID: 8024)
  - AndrowsAssistant.exe (PID: 1844)
  - slui.exe (PID: 6664)
  - WeChatAppEx.exe (PID: 2992)
  - WeChatAppEx.exe (PID: 2232)
- Reads Windows Product ID
  - Setup.exe (PID: 1932)
- TeamViewer related mutex has been found
  - Setup.exe (PID: 1932)
  - AndrowsSvr.exe (PID: 5892)
  - AndrowsStore.exe (PID: 8504)
- Creates a software uninstall entry
  - com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe (PID: 5204)
  - 9ae9269a74ecebf1ae12679a3a3b0165_0__4.1.7_1769680500.exe (PID: 8480)
- Reads the time zone
  - AndrowsStore.exe (PID: 8504)
- Reads CPU info
  - AndrowsStore.exe (PID: 8504)
  - Weixin.exe (PID: 3988)
  - WeChatAppEx.exe (PID: 2992)
  - WeChatAppEx.exe (PID: 9092)
  - WeChatAppEx.exe (PID: 2232)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2026:01:29 17:05:47+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	4135936
InitializedDataSize:	3642880
UninitializedDataSize:	-
EntryPoint:	0x3999e8
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	3.0.3.7
ProductVersionNumber:	3.0.3.7
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Tencent
FileDescription:	腾讯应用宝移动应用引擎
FileVersion:	3.0.3.7
LegalCopyright:	Copyright (C) 2022 Tencent. All Rights Reserved.
InternalName:	Androws
ProductName:	Androws
ProductVersion:	3.0.3.7

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

222

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1188

"C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\opengl_checker.exe"

C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\opengl_checker.exe

—

AndrowsStore.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\tencent\androws\application\5.10.5200.4987\opengl_checker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1352

"C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\crashpad_handler.exe" --no-rate-limit --database=C:\Users\admin\AppData\Local\Temp\Tencent\Androws\ --metrics-dir=C:\Users\admin\AppData\Local\Temp\Tencent\Androws\ --annotation=account_id=5e1c3e388d1eef9d2f17f1974d5b1810 --annotation=app_id=7ebaf51295 --annotation=app_key=3595ca0a-0ac2-42e7-988b-bb08e6767e24 --annotation=app_version=5.10.52.10 --annotation=build_id=5.10.5200.4987 --annotation=bundle_id=com.tencent.androws --annotation=buz_ipc_pipe_name=\\.\pipe\5.10.5200.4987-27833917-46AC-42BC-88F9-90554702E8FE --annotation=database=7ebaf51295 --annotation=format=minidump --annotation=is_need_attach_info=true --annotation=is_need_upload=true --annotation=is_pop_dialog=false --annotation=is_server_process=false --annotation=process_display_name=AndrowsLauncher --annotation=process_name=AndrowsLauncher --annotation=product=7ebaf51295 --annotation=version=5.10.52.10 --initial-client-data=0x280,0x284,0x288,0x25c,0x290,0x7ffd6d40e8d8,0x7ffd6d40e898,0x7ffd6d40e8a8

C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\crashpad_handler.exe

AndrowsLauncher.exe

User:

admin

Integrity Level:

HIGH

Description:

Bugly-Windows SDK

Exit code:

Version:

1.0.22.1

Modules

Images
c:\program files\tencent\androws\application\5.10.5200.4987\crashpad_handler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1400

"C:\Windows\System32\cmd.exe" /c sc start dokan2t

C:\Windows\System32\cmd.exe

—

Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1056

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1844

"C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\AndrowsAssistant.exe" --report-vulkan-version ""

C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\AndrowsAssistant.exe

AndrowsStore.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯应用宝移动应用引擎

Exit code:

Version:

5.10.5200.4987

Modules

Images
c:\program files\tencent\androws\application\5.10.5200.4987\androwsassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll

1932

"C:\Program Files\Tencent\AndrowsData\Component\Androws\Setup.exe" --install "1" --no-create-desktop-link "1" --no-create-start-menu-link "1"

C:\Program Files\Tencent\AndrowsData\Component\Androws\Setup.exe

com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯应用宝移动应用引擎

Exit code:

Version:

5.10.5200.4987

Modules

Images
c:\program files\tencent\androwsdata\component\androws\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1984

"C:\Users\admin\AppData\Local\Temp\com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe"

C:\Users\admin\AppData\Local\Temp\com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe

—

explorer.exe

User:

admin

Company:

Tencent

Integrity Level:

MEDIUM

Description:

腾讯应用宝移动应用引擎

Version:

3.0.3.7

Modules

Images
c:\users\admin\appdata\local\temp\com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe
c:\windows\system32\ntdll.dll

1984

"C:\Program Files\Tencent\Androws\Application\AndrowsLauncher.exe" --launch-proc-name "AndrowsAssistant.exe" --update-env-info ""

C:\Program Files\Tencent\Androws\Application\AndrowsLauncher.exe

—

AndrowsSvr.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯应用宝移动应用引擎

Exit code:

Version:

5.10.5200.4987

Modules

Images
c:\program files\tencent\androws\application\androwslauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

2096

"C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\AndrowsAssistant.exe" --update-env-info "" --androws_launcher_start_time "1771840715039" --app-launch-info "{\"engine_type\":2,\"is_premium_game\":false,\"launch_second_step\":3,\"pkg_name\":\"\",\"rotation\":0,\"show_full_screen\":false,\"show_maximum\":false}" --emulator-launch-from "1"

C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\AndrowsAssistant.exe

—

AndrowsLauncher.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯应用宝移动应用引擎

Exit code:

1006

Version:

5.10.5200.4987

Modules

Images
c:\program files\tencent\androws\application\5.10.5200.4987\androwsassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cfgmgr32.dll

2228

"C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\AndrowsAssistant.exe" --check-opengl-process "AndrowsStore.exe"

C:\Program Files\Tencent\Androws\Application\5.10.5200.4987\AndrowsAssistant.exe

—

AndrowsStore.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯应用宝移动应用引擎

Exit code:

1000

Version:

5.10.5200.4987

Modules

Images
c:\program files\tencent\androws\application\5.10.5200.4987\androwsassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\opengl32.dll

2232

"C:\Users\admin\AppData\Roaming\Tencent\xwechat\xplugin\plugins\RadiumWMPF\18787\extracted\runtime\WeChatAppEx.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --client_version=4065597214 --enable-crash-reporter --wmpf_root_dir="C:\Users\admin\AppData\Roaming\Tencent\xwechat\radium" --instance-index=0 --product-id=1002 --disable-mojo-broker --field-trial-handle=2304,i,17192733242486597569,13516785059580803417,262144 --enable-features=OverlayScrollbar,WinSystemLocationPermission,XWorker --disable-features=AudioServiceOutOfProcess,AutoupgradeMixedContent,BackForwardCache,DigitalGoodsApi,NotificationTriggers,PeriodicBackgroundSync,TFLiteLanguageDetectionEnabled,Vulkan,WebOTP --variations-seed-version --log-level=2 --mojo-platform-channel-handle=2296 /prefetch:3

C:\Users\admin\AppData\Roaming\Tencent\xwechat\xplugin\plugins\RadiumWMPF\18787\extracted\runtime\WeChatAppEx.exe

WeChatAppEx.exe

User:

admin

Company:

Tencent LLC

Integrity Level:

MEDIUM

Description:

WeChatAppEx

Version:

2.3.8.18787

Modules

Images
c:\users\admin\appdata\roaming\tencent\xwechat\xplugin\plugins\radiumwmpf\18787\extracted\runtime\wechatappex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\users\admin\appdata\roaming\tencent\xwechat\xplugin\plugins\radiumwmpf\18787\extracted\runtime\xweb_elf.dll
c:\windows\system32\win32u.dll

Add for printing

Total events

56 190

Read events

55 542

Write events

606

Delete events

Modification events


(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	ChannelId
Value: B1FB2C7D00000000
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	InstallSource
Value: {"androws_main_version":"","app_id":"com.jf.lkrj","app_pullup_type":0,"app_type":1,"auto_start_market":1,"build_id":558004,"channel_id":2100100017,"client_pseudo_protocol":"","create_desktop_link":1,"ctrl_code":0,"display_name":"花生日记电脑版","extra_info":{"apk_channel":"","apk_deep_link":"","source":"","wx_app_path":""},"install_mode":0,"install_priority":0,"oem_preinstall":0,"oem_type":0,"pullup_type":1,"report_info":{"account_id":"","browser":"Edge","click_id":"","distribute_tool":"downloader","group_id":"","h5_url":"https://sj.qq.com/appdetail/com.jf.lkrj?&from_wxz=1","keyword_id":"","launch_exp_ids":"","launch_exp_type":"","media_id":"yyb-website","ocpc":"","plan_id":"","seo_source":"google","source_id":"","target_channel":"PCYYB"},"show_tray_icon":1}
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws\Env
Operation:	write	Name:	svid
Value: 5e1c3e388d1eef9d2f17f1974d5b1810
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tencent\Androws\Env
Operation:	write	Name:	svid
Value: 5e1c3e388d1eef9d2f17f1974d5b1810
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	VDIImageDiscType
Value: 0100000000000000
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	HyperVState
Value: 0000000000000000
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	VtState
Value: 0100000000000000
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	InstallPath
Value: C:\Program Files\Tencent\Androws
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\Androws
Operation:	write	Name:	AndrowsData
Value: C:\Program Files\Tencent\AndrowsData
(PID) Process:	(5204) com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Tencent\Androws\Androws
Operation:	write	Name:	BrandCode
Value: 0000000000000000

Add for printing

Executable files

768

Suspicious files

588

Text files

701

Unknown types

Dropped files

PID	Process	Filename		Type
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Program Files\Tencent\AndrowsData\Component\Androws.7z.teemo		—
		MD5:—	SHA256:—
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Program Files\Tencent\AndrowsData\Component\Androws.7z		—
		MD5:—	SHA256:—
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Users\admin\AppData\Roaming\Tencent\Androws\db\bc_0WIN0GIA035UNMF7_0e.db-journal		binary
		MD5:C52C2746A5129C8171541447B0E19163	SHA256:0CE1CC3B03535DF995D2F78E76537EA6ADD3905075D7E2EA933FFAF005777675
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Users\admin\AppData\Roaming\Tencent\beacon\GlobalMgr.db		text
		MD5:B604F0677E4B581EDAB8BA88E75E02E5	SHA256:6739C39C09D479C8ACF3930A4FBDDA4A8097FC00A745B485879AD4C3211909E4
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Users\admin\AppData\Roaming\Tencent\Androws\db\install_states.db-wal		binary
		MD5:693F3E5A3662F5069C0A617EA38EF4D6	SHA256:B40FEF4316756ADD8E5FED8C1AB0B2002B0B9305C2CD9067772816FBD897C041
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\androws_temp.txt		binary
		MD5:0D5A9115CA3E62AAC00A5D6B68392C56	SHA256:6F24BAE6C7B73ED650F4E9777D5420898356B3CB2E08DABB3EDB2253A655F9E6
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Program Files\Tencent\AndrowsData\Component\Androws.7z.efdindex		text
		MD5:48E26AA865207424669A4F1B69E3D0E5	SHA256:78F5837D20E0AC28ED95AEB068D8B28BA51EC230A32D036630675EE37410E262
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Program Files\Tencent\AndrowsData\Component\Androws\font\Noto Sans SC (TrueType).otf		—
		MD5:—	SHA256:—
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Program Files\Tencent\AndrowsData\Component\Androws\font\Noto Sans SC Bold (TrueType).otf		—
		MD5:—	SHA256:—
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	C:\Program Files\Tencent\AndrowsData\Component\Androws\font\Noto Sans SC Medium (TrueType).otf		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

119

TCP/UDP connections

366

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	HEAD	200	43.152.137.29:443	https://conf.syzs.qq.com/xy/yyb_management_system/942b224a4356ae056c1cb3d0d465b83b.7z	SG	—	—	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	GET	—	43.152.137.29:443	https://conf.syzs.qq.com/xy/yyb_management_system/942b224a4356ae056c1cb3d0d465b83b.7z	SG	—	—	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	GET	—	43.152.137.29:443	https://conf.syzs.qq.com/xy/yyb_management_system/942b224a4356ae056c1cb3d0d465b83b.7z	SG	—	—	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	GET	—	43.152.137.29:443	https://conf.syzs.qq.com/xy/yyb_management_system/942b224a4356ae056c1cb3d0d465b83b.7z	SG	—	—	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	GET	—	43.152.137.29:443	https://conf.syzs.qq.com/xy/yyb_management_system/942b224a4356ae056c1cb3d0d465b83b.7z	SG	—	—	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	GET	—	43.152.137.29:443	https://conf.syzs.qq.com/xy/yyb_management_system/942b224a4356ae056c1cb3d0d465b83b.7z	SG	—	—	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	POST	200	129.226.102.75:443	https://yybadaccess.3g.qq.com/v3/pcyyb_get_install_source	CN	text	915 b	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	POST	200	129.226.102.75:443	https://yybadaccess.3g.qq.com/pc_yyb_client/pcyyb_get_app_detail	CN	text	958 b	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	POST	200	129.226.102.75:443	https://yybadaccess.3g.qq.com/pc_yyb_client/pcyyb_get_app_detail	CN	text	958 b	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	GET	200	43.152.26.142:443	https://static.pc.yyb.qq.com/downloader-img/3295ca0ecf22243628c3e975a1f3cc2d.png	SG	image	31.8 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6200	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1856	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3412	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	129.226.102.75:443	yybadaccess.3g.qq.com	TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue	CN	unknown
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	43.173.131.185:8081	oth.eve.mdt.qq.com	TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue	CN	unknown
5204	com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe	43.152.26.142:443	static.pc.yyb.qq.com	ACE-AS-AP ACE	SG	whitelisted
356	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.251.208.14	whitelisted
self.events.data.microsoft.com	40.74.98.192 40.79.197.34	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
yybadaccess.3g.qq.com	129.226.102.75	unknown
oth.eve.mdt.qq.com	43.173.131.185 101.33.47.68 101.33.47.206	unknown
static.pc.yyb.qq.com	43.152.26.142 43.152.26.110 43.152.26.238 43.152.26.154 43.152.26.151 43.152.26.209 43.152.29.101 43.152.28.43 43.175.168.193	whitelisted
login.live.com	20.190.160.14 20.190.160.2 20.190.160.132 40.126.32.134 20.190.160.5 20.190.160.67 20.190.160.131 20.190.160.128	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	23.216.77.30 23.216.77.25 23.216.77.41 23.216.77.6 23.216.77.38 23.216.77.29 23.216.77.27 23.216.77.19 23.216.77.10 23.216.77.37 23.216.77.39	whitelisted

Threats

PID	Process	Class	Message
8916	CefRendererProcess.exe	Misc activity	ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
8916	CefRendererProcess.exe	Misc activity	ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
8916	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
8916	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
8916	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
8916	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
8916	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
5308	AndrowsDlSvr.exe	A Network Trojan was detected	ET USER_AGENTS Aria2 User-Agent
5308	AndrowsDlSvr.exe	A Network Trojan was detected	ET USER_AGENTS Aria2 User-Agent
5308	AndrowsDlSvr.exe	A Network Trojan was detected	ET USER_AGENTS Aria2 User-Agent

Add for printing

Process	Message
crashpad_handler.exe	[8608:9184:20260223,045811.105:ERROR filesystem_win.cc:130] GetFileAttributes C:\Users\admin\AppData\Local\Temp\Tencent\Androws\BTrace\7ebaf51295\Trace: The system cannot find the file specified. (2)
crashpad_handler.exe	Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[8608:9184:20260223,045811.105:INFO bugly_crash_monitor_statistics.cc:282] Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[Trace] checkReportCacheFile num:0
crashpad_handler.exe	[8608:5888:20260223,045811.105:INFO bugly_trace_report.cc:322] [Trace] checkReportCacheFile num:0
crashpad_handler.exe	Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[3644:7812:20260223,045811.480:INFO bugly_crash_monitor_statistics.cc:282] Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[Trace] checkReportCacheFile num:0
crashpad_handler.exe	[3644:8900:20260223,045811.480:INFO bugly_trace_report.cc:322] [Trace] checkReportCacheFile num:0
crashpad_handler.exe	[8608:5772:20260223,045812.199:INFO crash_report_upload_thread.cc:257] On CheckAndReportResiduesCrashReports, status:000007FF7AC4E9BC80

General Info

com.jf.lkrj_yybinstaller_7ad071edd32a3971.exe

B4BD6A06886DF1306D709D2FA69CF226

38DF70CA0F18DDE752652FAB71363080DB873E1E

3EF376716C0E6C9552F8C83BD226150A35E6BE0C5B2D490262F76C7C1CE30B8C

98304:401k5GTjWeX4vezDECi+F6ZMalgsvuEuW2Yu9wB+yKsGTCHO/vZZSuNa+o3VnqjV:yg5ik

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Proxy execution via Explorer

SUSPICIOUS

The process verifies whether the antivirus software is installed

There is functionality for VM detection VMWare (YARA)

There is functionality for VM detection VirtualBox (YARA)

Executable content was dropped or overwritten

Drops 7-zip archiver for unpacking

Reads the date of Windows installation

Drops a system driver (possible attempt to evade defenses)

The process drops C-runtime libraries

Named pipe usage

Reads the BIOS version

Creates file in the systems drive root

The process checks if it is being run in the virtual environment

Executes as Windows Service

Creates files in the driver directory

Windows service management via SC.EXE

Creates or modifies Windows services

Creates/Modifies COM task schedule object

Starts SC.EXE for service management

Searches for installed software

Application launched itself

The process creates files with name similar to system file names

Explorer used for Indirect Command Execution

Malware-specific behavior (creating "System.dll" in Temp)

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

There is functionality for taking screenshot (YARA)

The sample compiled with english language support

Creates files in the program directory

Drops script file

The sample compiled with chinese language support

Process checks computer location settings

Reads security settings of Internet Explorer

Reads Environment values

Reads product name

Checks proxy server information

Reads Windows Product ID

TeamViewer related mutex has been found

Creates a software uninstall entry

Reads the time zone

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information