URL: https://kuaimai-public.oss-cn-shanghai.aliyuncs.com/housekeeper/%E7%95%AA%E8%8C%84%E6%89%93%E5%8D%B0%E7%AE%A1%E5%AE%B6-win.exe

Full analysis: https://app.any.run/tasks/1982c803-5794-4ca8-85a0-b0667910151e
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 09, 2026, 21:32:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-doc, adware, qrcode
Indicators:
MD5: 5F6549FAB7247671BDE8DB6E956B9564
SHA1: 75D5844F122ED9AF8D5ED344B1DB766AAAE7283D
SHA256: 7EECE0C69DE9A3814C81AB85857DD9D0E1413A31E9D904C6ACD49D4F034FCF0C
SSDEEP: 3:N8VZsMWWIINFjF/KufkzdFiymeUAfdMgA:2sXWnMzjtm6MF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • certutil.exe (PID: 7976)
    • Changes the autorun value in the registry

      • KMPrtDrvCtrl.exe (PID: 812)
      • reg.exe (PID: 9040)
      • 番茄打印管家.exe (PID: 9192)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • 番茄打印管家-win.exe (PID: 8896)
    • Stops a currently running service

      • sc.exe (PID: 8932)
      • sc.exe (PID: 9148)
      • sc.exe (PID: 7840)
    • The process creates files with name similar to system file names

      • 番茄打印管家-win.exe (PID: 8896)
    • Windows service management via SC.EXE

      • sc.exe (PID: 8996)
      • sc.exe (PID: 9212)
      • sc.exe (PID: 7636)
      • sc.exe (PID: 8452)
    • Uses TASKKILL.EXE to kill process

      • 番茄打印管家-win.exe (PID: 8896)
      • cmd.exe (PID: 8280)
    • Drops 7-zip archiver for unpacking

      • 番茄打印管家-win.exe (PID: 8896)
    • Executable content was dropped or overwritten

      • 番茄打印管家-win.exe (PID: 8896)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • xcopy.exe (PID: 8724)
      • 番茄打印管家.exe (PID: 9192)
      • 番茄打印管家.exe (PID: 7324)
    • Process drops SQLite DLL files

      • 番茄打印管家-win.exe (PID: 8896)
    • The process drops C-runtime libraries

      • 番茄打印管家-win.exe (PID: 8896)
      • xcopy.exe (PID: 8724)
    • Drops a system driver (possible attempt to evade defenses)

      • 番茄打印管家-win.exe (PID: 8896)
      • xcopy.exe (PID: 8724)
    • Executing commands from a ".bat" file

      • 番茄打印管家-win.exe (PID: 8896)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 7656)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 5772)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 4116)
      • cmd.exe (PID: 9036)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 7976)
    • Executes as Windows Service

      • KMPrtDrvService.exe (PID: 2832)
    • Uses REG/REGEDIT.EXE to modify or delete registry entries

      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 2316)
    • Access to an unwanted program domain was detected

      • FQPrintServerAgent.exe (PID: 8012)
    • Application launched itself

      • 番茄打印管家.exe (PID: 9192)
    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 5772)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 9036)
    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 5772)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 9036)
    • Get information on the list of running processes

      • 番茄打印管家.exe (PID: 9192)
      • cmd.exe (PID: 5772)
    • Starts application with an unusual extension

      • cmd.exe (PID: 8104)
      • powershell.exe (PID: 5288)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8104)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 8020)
      • msedge.exe (PID: 8980)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 8020)
    • Checks supported languages

      • identity_helper.exe (PID: 7352)
      • 番茄打印管家-win.exe (PID: 8896)
      • KMPrtDrvCtrl.exe (PID: 8224)
      • drvinst.exe (PID: 8048)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • KMPrtDrvService.exe (PID: 8720)
      • KMPrtDrvCtrl.exe (PID: 812)
      • KMPrtDrvService.exe (PID: 2832)
      • FQPrintServerAgent.exe (PID: 8012)
      • FQPrintDriverServerB.exe (PID: 9136)
      • FQPrintEngine.exe (PID: 5572)
      • FQPrintDriverServerA.exe (PID: 9132)
      • 番茄打印管家.exe (PID: 9192)
      • 番茄打印管家.exe (PID: 8264)
      • 番茄打印管家.exe (PID: 8416)
      • 番茄打印管家.exe (PID: 1900)
      • 番茄打印管家.exe (PID: 7324)
      • chcp.com (PID: 1780)
      • 番茄打印管家.exe (PID: 6768)
      • 番茄打印管家.exe (PID: 8448)
      • 番茄打印管家.exe (PID: 8692)
      • 番茄打印管家.exe (PID: 3100)
      • chcp.com (PID: 6896)
      • 番茄打印管家.exe (PID: 1116)
      • 番茄打印管家.exe (PID: 5584)
      • 番茄打印管家.exe (PID: 1728)
      • 番茄打印管家.exe (PID: 7776)
      • 番茄打印管家.exe (PID: 8588)
    • Reads Environment values

      • identity_helper.exe (PID: 7352)
    • Reads the computer name

      • identity_helper.exe (PID: 7352)
      • 番茄打印管家-win.exe (PID: 8896)
      • KMPrtDrvCtrl.exe (PID: 8224)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • KMPrtDrvCtrl.exe (PID: 812)
      • KMPrtDrvService.exe (PID: 8720)
      • KMPrtDrvService.exe (PID: 2832)
      • drvinst.exe (PID: 8048)
      • FQPrintEngine.exe (PID: 5572)
      • FQPrintServerAgent.exe (PID: 8012)
      • 番茄打印管家.exe (PID: 9192)
      • FQPrintDriverServerB.exe (PID: 9136)
      • 番茄打印管家.exe (PID: 8416)
      • 番茄打印管家.exe (PID: 1900)
      • 番茄打印管家.exe (PID: 7324)
    • Manual execution by a user

      • 番茄打印管家-win.exe (PID: 8828)
      • 番茄打印管家-win.exe (PID: 8896)
      • 番茄打印管家.exe (PID: 9192)
    • Create files in a temporary directory

      • 番茄打印管家-win.exe (PID: 8896)
      • KMPrtDrvCtrl.exe (PID: 8224)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • KMPrtDrvService.exe (PID: 8720)
      • FQPrintEngine.exe (PID: 5572)
      • 番茄打印管家.exe (PID: 9192)
      • 番茄打印管家.exe (PID: 7324)
    • The sample compiled with english language support

      • 番茄打印管家-win.exe (PID: 8896)
      • drvinst.exe (PID: 8048)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • xcopy.exe (PID: 8724)
    • The sample compiled with chinese language support

      • 番茄打印管家-win.exe (PID: 8896)
    • Creates files or folders in the user directory

      • 番茄打印管家-win.exe (PID: 8896)
      • FQPrintServerAgent.exe (PID: 8012)
      • 番茄打印管家.exe (PID: 9192)
      • 番茄打印管家.exe (PID: 8264)
      • 番茄打印管家.exe (PID: 7324)
      • 番茄打印管家.exe (PID: 1900)
    • Reads security settings of Internet Explorer

      • 番茄打印管家-win.exe (PID: 8896)
      • KMPrtDrvCtrl.exe (PID: 8224)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • rundll32.exe (PID: 7420)
      • FQPrintServerAgent.exe (PID: 8012)
      • 番茄打印管家.exe (PID: 9192)
      • 番茄打印管家.exe (PID: 7324)
    • Creates a software uninstall entry

      • 番茄打印管家-win.exe (PID: 8896)
    • Reads the machine GUID from the registry

      • KMPrtDrvCtrl.exe (PID: 8224)
      • drvinst.exe (PID: 8048)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • KMPrtDrvCtrl.exe (PID: 812)
      • KMPrtDrvService.exe (PID: 8720)
      • FQPrintServerAgent.exe (PID: 8012)
      • FQPrintDriverServerA.exe (PID: 9132)
      • FQPrintDriverServerB.exe (PID: 9136)
      • KMPrtDrvService.exe (PID: 2832)
      • 番茄打印管家.exe (PID: 9192)
    • Process checks computer location settings

      • KMPrtDrvCtrl.exe (PID: 8224)
      • KMPrtDrvCtrl.exe (PID: 2792)
      • 番茄打印管家.exe (PID: 9192)
      • 番茄打印管家.exe (PID: 7324)
      • 番茄打印管家.exe (PID: 8448)
      • 番茄打印管家.exe (PID: 6768)
      • 番茄打印管家.exe (PID: 3100)
      • 番茄打印管家.exe (PID: 8692)
      • 番茄打印管家.exe (PID: 1116)
      • 番茄打印管家.exe (PID: 5584)
      • 番茄打印管家.exe (PID: 1728)
      • 番茄打印管家.exe (PID: 7776)
      • 番茄打印管家.exe (PID: 8588)
    • There is functionality for taking screenshot (YARA)

      • 番茄打印管家-win.exe (PID: 8896)
      • FQPrintEngine.exe (PID: 5572)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 8048)
    • Launching a file from a Registry key

      • KMPrtDrvCtrl.exe (PID: 812)
      • reg.exe (PID: 9040)
      • 番茄打印管家.exe (PID: 9192)
    • Changes settings of System certificates

      • drvinst.exe (PID: 8048)
    • Search a value from a registry key

      • reg.exe (PID: 2304)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 9036)
      • cmd.exe (PID: 4116)
      • reg.exe (PID: 4368)
    • Changes the display of characters in the console

      • cmd.exe (PID: 8104)
      • powershell.exe (PID: 5288)
    • Reads CPU info

      • 番茄打印管家.exe (PID: 9192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 262
Monitored processes: 116
Malicious processes: 3
Suspicious processes: 4

Behavior graph: interactive process graph (available in the full report)

Process information

PID: 812
CMD: "C:\Program Files (x86)\tomato-print-steward\resources\scripts\"..\driver\KMPrtDrvCtrl.exe /FQPESetting
Path: C:\Program Files (x86)\tomato-print-steward\resources\driver\KMPrtDrvCtrl.exe
Parent process: cmd.exe
User: admin
Company: KM Corp.
Integrity Level: HIGH
Description: KM printer driver control
Exit code: 0
Version: 2.0.9.0
Modules
Images
c:\program files (x86)\tomato-print-steward\resources\driver\kmprtdrvctrl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
PID: 1116
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "reg query "HKEY_CURRENT_USER\Software\tomato-print-steward" /v "SourceName""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 番茄打印管家.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1116
CMD: "C:\Program Files (x86)\tomato-print-steward\番茄打印管家.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\tomato-print-steward" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id="Comer Print Admin " --app-path="C:\Program Files (x86)\tomato-print-steward\resources\app.asar" --enable-sandbox --node-integration-in-worker --no-sandbox --js-flags=--max-old-space-size=2048 --field-trial-handle=1804,13575812481285343137,2984916692570016678,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4184 /prefetch:1
Path: C:\Program Files (x86)\tomato-print-steward\番茄打印管家.exe
Parent process: 番茄打印管家.exe
User: admin
Company: Hangzhou Taoyun Technology Co.,Ltd
Integrity Level: MEDIUM
Description: 番茄打印管家
Version: 2.0.19
Modules
Images
c:\program files (x86)\tomato-print-steward\番茄打印管家.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1652
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1728
CMD: "C:\Program Files (x86)\tomato-print-steward\番茄打印管家.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\tomato-print-steward" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id="Comer Print Admin " --app-path="C:\Program Files (x86)\tomato-print-steward\resources\app.asar" --enable-sandbox --enable-blink-features --disable-blink-features --no-sandbox --js-flags=--max-old-space-size=2048 --field-trial-handle=1804,13575812481285343137,2984916692570016678,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4424 /prefetch:1
Path: C:\Program Files (x86)\tomato-print-steward\番茄打印管家.exe
Parent process: 番茄打印管家.exe
User: admin
Company: Hangzhou Taoyun Technology Co.,Ltd
Integrity Level: MEDIUM
Description: 番茄打印管家
Exit code: 0
Version: 2.0.19
Modules
Images
c:\program files (x86)\tomato-print-steward\番茄打印管家.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1780
CMD: chcp 65001
Path: C:\Windows\SysWOW64\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1900
CMD: "C:\Program Files (x86)\tomato-print-steward\番茄打印管家.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,13575812481285343137,2984916692570016678,131072 --disable-features=BlockInsecurePrivateNetworkRequests,PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\admin\AppData\Roaming\tomato-print-steward" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2152 /prefetch:8
Path: C:\Program Files (x86)\tomato-print-steward\番茄打印管家.exe
Parent process: 番茄打印管家.exe
User: admin
Company: Hangzhou Taoyun Technology Co.,Ltd
Integrity Level: MEDIUM
Description: 番茄打印管家
Version: 2.0.19
Modules
Images
c:\program files (x86)\tomato-print-steward\番茄打印管家.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2220
CMD: reg add "HKEY_CURRENT_USER\Software\tomato-print-steward" /v "SourceName" /d "??????-win.exe" /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2304
CMD: reg query "HKEY_CURRENT_USER\Software\tomato-print-steward" /v "SourceName"
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2316
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "reg add "HKEY_CURRENT_USER\Software\tomato-print-steward" /v "SourceName" /d "??????-win.exe" /f"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 番茄打印管家.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 28 205
Read events: 28 134
Write events: 45
Delete events: 26

Modification events

Process | Key | Operation | Name | Value
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\9e99d04f-d9dc-5d97-8c58-058452987fce | write | InstallLocation | C:\Program Files (x86)\tomato-print-steward
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\9e99d04f-d9dc-5d97-8c58-058452987fce | write | KeepShortcuts | true
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\9e99d04f-d9dc-5d97-8c58-058452987fce | write | ShortcutName | 番茄打印管家
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | DisplayName | 番茄打印管家 2.0.19
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | UninstallString | "C:\Program Files (x86)\tomato-print-steward\Uninstall 番茄打印管家.exe" /allusers
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | QuietUninstallString | "C:\Program Files (x86)\tomato-print-steward\Uninstall 番茄打印管家.exe" /allusers /S
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | DisplayVersion | 2.0.19
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | DisplayIcon | C:\Program Files (x86)\tomato-print-steward\uninstallerIcon.ico
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | Publisher | Hangzhou Taoyun Technology Co.,Ltd
(8896) 番茄打印管家-win.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\9e99d04f-d9dc-5d97-8c58-058452987fce | write | NoModify | 1
Executable files: 322
Suspicious files: 360
Text files: 1 689
Unknown types: 5

Dropped files

PID | Process | Filename
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdfacb.TMP
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdfacb.TMP
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdfadb.TMP
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdfadb.TMP
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFdfb0a.TMP
8020 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 90
TCP/UDP connections: 164
DNS requests: 81
Threats: 26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4280 | msedge.exe | GET | | 47.102.237.231:443 | https://kuaimai-public.oss-cn-shanghai.aliyuncs.com/housekeeper/%E7%95%AA%E8%8C%84%E6%89%93%E5%8D%B0%E7%AE%A1%E5%AE%B6-win.exe | CN | | | unknown
4280 | msedge.exe | GET | 304 | 150.171.28.11:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | US | | | whitelisted
| | GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 959 b | whitelisted
4280 | msedge.exe | GET | 200 | 150.171.27.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | US | text | 132 b | whitelisted
4280 | msedge.exe | GET | 200 | 13.107.213.38:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US | US | binary | 82 b | whitelisted
4280 | msedge.exe | GET | 200 | 104.18.22.222:443 | https://copilot.microsoft.com/c/api/user/eligibility | US | text | 25 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | | | whitelisted
4280 | msedge.exe | GET | 200 | 150.171.27.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:g_Eo_ANkImi1J1gU07fi0UAJhQBfgqUEzjtkNpAR-h8&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 95 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | | | whitelisted
8728 | SIHClient.exe | GET | 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3352 | svchost.exe | 52.137.106.217:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | Not routed | | | whitelisted
5276 | MoUsoCoreWorker.exe | 52.137.106.217:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
| | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 2.16.204.141:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
| | 162.159.142.9:80 | ocsp.digicert.com | CLOUDFLARENET | US | whitelisted
| | 204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | | | whitelisted
4280 | msedge.exe | 150.171.27.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4280 | msedge.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 52.137.106.217, 20.73.194.208, 40.127.240.158, 51.124.78.146 | whitelisted
activation-v2.sls.microsoft.com | 48.192.1.64 | whitelisted
google.com | 142.251.13.139, 142.251.13.138, 142.251.13.100, 142.251.13.102, 142.251.13.113, 142.251.13.101 | whitelisted
www.bing.com | 2.16.204.141, 2.16.204.161, 2.16.241.201, 2.16.241.218, 69.192.139.81, 69.192.139.93, 69.192.139.96, 69.192.139.80, 69.192.139.86, 69.192.139.83, 69.192.139.101, 69.192.139.87, 69.192.139.97 | whitelisted
ocsp.digicert.com | 162.159.142.9, 172.66.2.5 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
edge.microsoft.com | 150.171.27.11, 150.171.28.11 | whitelisted
config.edge.skype.com | 150.171.22.17 | whitelisted
kuaimai-public.oss-cn-shanghai.aliyuncs.com | 47.102.237.231 | unknown
api.edgeoffer.microsoft.com | 13.107.213.38, 13.107.246.38 | whitelisted

Threats

PID | Process | Class | Message
4280 | msedge.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
4280 | msedge.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
4280 | msedge.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
5276 | MoUsoCoreWorker.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] .cc TLD domain request
2232 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
8012 | FQPrintServerAgent.exe | Possibly Unwanted Program Detected | ET USER_AGENTS Suspicious User-Agent (Updater)
8012 | FQPrintServerAgent.exe | Possibly Unwanted Program Detected | ET USER_AGENTS Suspicious User-Agent (Updater)
9192 | 番茄打印管家.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
1900 | 番茄打印管家.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
No debug info