File name: syzs_installer_1000222765_market.exe

Full analysis: https://app.any.run/tasks/31799c08-79b7-4bec-b60a-2b88bed13b76
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: October 13, 2024, 20:48:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: adware, tgbdownloader, arch-exec
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 586E8844E2D83C0F0B6D29608A44BE0C
SHA1: A79B491D17EB8013E3FC76A1BD6C658EB3FC1607
SHA256: 91BFB1E88D6F17D0984856B918C1555DAAAE74D29CF7C10BAA6A9498CD61DD4C
SSDEEP: 98304:HSowhbt6OtfFWKfveQJ2gqVCjriH/MvKxNDMRZYgJjV/jTq5GOGRZ7AOgPps0EiO:VDi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • TGBDOWNLOADER has been detected
      • syzs_installer_1000222765_market.exe (PID: 6728)
  • SUSPICIOUS
    • Creates file in the system drive root
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Executable content was dropped or overwritten
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Uses WMIC.EXE to obtain computer system information
      • PcyybAssistant.exe (PID: 7164)
  • INFO
    • Creates files in a temporary directory
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Checks supported languages
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Creates files or folders in the user directory
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Reads the computer name
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Reads the machine GUID from the registry
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Reads the software policy settings
      • syzs_installer_1000222765_market.exe (PID: 6728)
    • Manual execution by a user
      • PcyybAssistant.exe (PID: 7164)
      • rundll32.exe (PID: 5832)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:23 05:24:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 2630144
InitializedDataSize: 983040
UninitializedDataSize: -
EntryPoint: 0x2261ee
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: TGBDownloader
ProductName: TGBDownloader
CompanyName: Tencent
FileVersion: 1, 0, 0, 1
InternalName: TGBDownloader.exe
LegalCopyright: Copyright © 2020 Tencent. All Rights Reserved.
OriginalFileName: TGBDownloader.exe
ProductVersion: 1, 0, 0, 1
Total processes: 132
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0


Process information

PID | CMD | Path | Indicators | Parent process

4408 | wmic path Win32_ComputerSystem get HypervisorPresent | C:\Windows\SysWOW64\wbem\WMIC.exe | - | PcyybAssistant.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5832 | "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\androws_logo.png | C:\Windows\System32\rundll32.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6200 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6668 | "C:\Users\admin\Desktop\syzs_installer_1000222765_market.exe" | C:\Users\admin\Desktop\syzs_installer_1000222765_market.exe | - | explorer.exe
User: admin
Company: Tencent
Integrity Level: MEDIUM
Description: TGBDownloader
Exit code: 3221226540
Version: 1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\syzs_installer_1000222765_market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6728 | "C:\Users\admin\Desktop\syzs_installer_1000222765_market.exe" | C:\Users\admin\Desktop\syzs_installer_1000222765_market.exe | - | explorer.exe
User: admin
Company: Tencent
Integrity Level: HIGH
Description: TGBDownloader
Version: 1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\syzs_installer_1000222765_market.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
7164 | "C:\Users\admin\Desktop\PcyybAssistant.exe" | C:\Users\admin\Desktop\PcyybAssistant.exe | - | explorer.exe
User: admin
Company: Tencent
Integrity Level: MEDIUM
Description: 腾讯应用宝
Version: 1.0.90.0
Modules
Images
c:\users\admin\desktop\pcyybassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events: 7 919
Read events: 7 903
Write events: 16
Delete events: 0

Modification events

(PID) Process: (6728) syzs_installer_1000222765_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC\Beacon
Operation: write
Name: Last_Sid_syzs_installer_1000222765_market.exe
Value: 20D8EBF4-78CA-42DC-95A8-07D8C026AA2D

(PID) Process: (6728) syzs_installer_1000222765_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: TempPath
Value: C:\Temp\TxGameDownload\Component\

(PID) Process: (6728) syzs_installer_1000222765_market.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Tencent\MobileGamePC
Operation: write
Name: UserLanguage
Value: en

(PID) Process: (5832) rundll32.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
Operation: write
Name: pngfile
Value:

(PID) Process: (5832) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-1693682860-607145093-2874071422-1001-MergedResources-0.pri\1d8b7afeb5c569c\55e3c056
Operation: write
Name: @{microsoft.screensketch_10.1907.2471.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.screensketch/files/assets/screensketchsquare44x44logo.png}
Value: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png
Executable files: 4
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6728 | syzs_installer_1000222765_market.exe | C:\test.tmp | binary
  MD5: AFBF9EC2DBD13017C0BDD89551765DAC
  SHA256: 192ADEC884E1F6379ABFCE715558162FD4D7324BE4910078844A227DCC1903C3
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db | text
  MD5: 3C7FA136EC5E624287D1B9E579FEADC6
  SHA256: 131E5890413DC5C1746DF113982B6945A4B4DA8127570398B85BF4B20D80635D
7164 | PcyybAssistant.exe | C:\Users\admin\AppData\Roaming\Tencent\Androws\db\bc_0WIN0GIA035UNMF7_0e.db-journal | binary
  MD5: CD6F1CFE1CDCF9A05AB5C7E5038B7143
  SHA256: 8469F15FD5E70D5CFC2B76671A47DE2CEB9307A718D57D10144CCEBE352E0AD9
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Local\Temp\Tencent\Androws\pcyyb_sdk\AndrowsInstaller.exe | executable
  MD5: 83D5EF931931B7E387EFEC4C23FA5D21
  SHA256: 8A880EFEA0429E4415941874CCDF17BEFCD936B2BDCFF6CF2CEEE0DE7FCA8F14
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Local\Temp\Tencent\Androws\pcyyb_sdk\PcyybAssistant.exe | executable
  MD5: 61C095FE96D31C88C154A983259B963E
  SHA256: 95E85F7E57B0EDB4DB5D35400E1BEC31F560B3DCE42BFEE95B05A9C6400EA2B1
7164 | PcyybAssistant.exe | C:\Users\admin\AppData\Roaming\Tencent\beacon\GlobalMgr.db | text
  MD5: 290DE5DFBCE979C93A5994208FCC95F8
  SHA256: 915D673B8F46DA724E00000052CE08F6E4474227F9DF131E50B2192EECEC48ED
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Local\Temp\Tencent\Androws\pcyyb_sdk\androws_logo.png | image
  MD5: 022FC5C29D8CF5EC7ABE4EAE57E5E311
  SHA256: 88DCCC3165B30052117C4FB9A17D8BD08AE014C8D6EC65366331FC078ABB54AC
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Local\Temp\Tencent\Androws\PcyybSdk.zip | compressed
  MD5: 27B35DFF356E73016EE962A31C0DF507
  SHA256: 268F91FDC43B4DDB4EF8F7CD3A3BE51992318384D50D7BD927864171FC7C7437
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Local\Temp\Tencent\Androws\pcyyb_sdk\pcyyb_sdk_dll.dll | executable
  MD5: 3A4FFD9A768B951EF6FF4874CE43DC9C
  SHA256: 054288D57C5FA2FDEADB4871C892C8A511A74B66CAFA3CB8E7BC1862FBD48E8B
6728 | syzs_installer_1000222765_market.exe | C:\Users\admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll | executable
  MD5: DCCC58E47D693A626FE384B86F3EE094
  SHA256: CF42D5B750058D2FE19016DB401EE26F6F2EC51A618F68ED231DE88CC23CB50E
HTTP(S) requests: 6
TCP/UDP connections: 49
DNS requests: 13
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | - | 43.175.152.62:443 | https://down.pc.yyb.qq.com/xy/yyb_management_system/DP1cIBZN.zip | unknown | - | - | unknown
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 43.152.28.43:443 | https://down.pc.yyb.qq.com/pc_yyb_sdk/pc_yyb_sdk.json | unknown | binary | 138 b | whitelisted
- | - | POST | - | 129.226.102.75:443 | https://yybadaccess.3g.qq.com/syzsclient/update/clientupdate | unknown | - | - | whitelisted
- | - | GET | 200 | 101.33.11.246:443 | https://down.pc.yyb.qq.com/xy/yyb_management_system/DP1cIBZN.zip | unknown | compressed | 4.75 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6728 | syzs_installer_1000222765_market.exe | 157.255.4.39:443 | master.etl.desktop.qq.com | China Unicom Guangdong IP network | CN | whitelisted
6728 | syzs_installer_1000222765_market.exe | 101.33.47.68:8081 | oth.eve.mdt.qq.com | Tencent Building, Kejizhongyi Avenue | SG | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6728 | syzs_installer_1000222765_market.exe | 43.175.152.62:443 | down.pc.yyb.qq.com | - | SG | whitelisted
6728 | syzs_installer_1000222765_market.exe | 129.226.102.75:443 | yybadaccess.3g.qq.com | Tencent Building, Kejizhongyi Avenue | HK | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
master.etl.desktop.qq.com
  • 157.255.4.39
whitelisted
down.pc.yyb.qq.com
whitelisted
oth.eve.mdt.qq.com
  • 101.33.47.68
  • 101.33.47.206
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.106
whitelisted
yybadaccess.3g.qq.com
  • 129.226.102.75
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.50.73.13
whitelisted

Threats

4 ETPRO signatures available at the full report
No debug info