Malware analysis https://dhsifbasb.top/sidajingang/hchaem_x64.5.3.zip Malicious activity

Add for printing

URL:	https://dhsifbasb.top/sidajingang/hchaem_x64.5.3.zip
Full analysis:	https://app.any.run/tasks/22895bf6-7e4c-40d9-ab76-d315e7853f68
Verdict:	Malicious activity
Analysis date:	December 20, 2025, 13:10:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	teamviewer anti-evasion antivm qrcode fingerprinting
Indicators:
MD5:	8D6149EE6B55D1B84B3730AF34EEDE5B
SHA1:	6EC3024642581A6AD135974DC92DBD9CE5C2F42F
SHA256:	E1A32074343FFFAB3ACEC2D68BECA292A66C2B79EA7CE5FDFA8786392104FF8C
SSDEEP:	3:N8VLTHANAE0LCiao63kLZn:2dTuAPCiaSZn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - s8ZGhshJ.exe (PID: 8524)
- Changes Windows Defender settings
  - s8ZGhshJ.exe (PID: 8524)
- Registers / Runs the DLL via REGSVR32.EXE
  - Setup.exe (PID: 7824)
- Changes settings of System certificates
  - QtWebEngineProcess.exe (PID: 8100)
SUSPICIOUS
- Executable content was dropped or overwritten
  - hchaem_x64.5.3.exe (PID: 8428)
  - hchaem_x64.5.3.tmp (PID: 8464)
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
  - Setup.exe (PID: 8932)
  - TCGamer.exe (PID: 1184)
  - TInst.exe (PID: 8276)
- Reads the Windows owner or organization settings
  - hchaem_x64.5.3.tmp (PID: 8464)
- Script adds exclusion path to Windows Defender
  - s8ZGhshJ.exe (PID: 8524)
- Starts CMD.EXE for commands execution
  - elevation_service.exe (PID: 7488)
  - Setup.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8880)
- Starts POWERSHELL.EXE for commands execution
  - s8ZGhshJ.exe (PID: 8524)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 8224)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 8076)
- Contacting a server suspected of hosting an CnC
  - sihost.exe (PID: 4460)
- Connects to unusual port
  - sihost.exe (PID: 4460)
  - QtWebEngineProcess.exe (PID: 8100)
- The process verifies whether the antivirus software is installed
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8232)
  - regsvr32.exe (PID: 7220)
  - AndrowsSvr.exe (PID: 3008)
  - crashpad_handler.exe (PID: 2952)
  - regsvr32.exe (PID: 8948)
  - regsvr32.exe (PID: 9080)
  - AndrowsLauncher.exe (PID: 9180)
  - crashpad_handler.exe (PID: 8260)
  - AndrowsAssistant.exe (PID: 8228)
  - AndrowsStore.exe (PID: 7180)
  - AndrowsDlSvr.exe (PID: 1840)
  - AndrowsAssistant.exe (PID: 8292)
  - crashpad_handler.exe (PID: 2680)
  - CefRendererProcess.exe (PID: 8564)
  - CefRendererProcess.exe (PID: 8504)
  - CefRendererProcess.exe (PID: 8464)
  - CefRendererProcess.exe (PID: 8816)
  - AndrowsAssistant.exe (PID: 9084)
  - CefRendererProcess.exe (PID: 8956)
  - CefRendererProcess.exe (PID: 1344)
  - AndrowsAssistant.exe (PID: 4228)
  - AndrowsAssistant.exe (PID: 7864)
  - opengl_checker.exe (PID: 7856)
  - CefRendererProcess.exe (PID: 5392)
  - AndrowsAssistant.exe (PID: 7584)
  - AndrowsAssistant.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8096)
  - AndrowsAssistant.exe (PID: 8880)
  - AndrowsAssistant.exe (PID: 8484)
  - AndrowsAssistant.exe (PID: 7396)
  - crashpad_handler.exe (PID: 2232)
  - crashpad_handler.exe (PID: 3056)
  - AndrowsAssistant.exe (PID: 1752)
  - AndrowsAssistant.exe (PID: 9024)
  - AndrowsSvr.exe (PID: 7864)
  - AndrowsAssistant.exe (PID: 8436)
  - AndrowsAssistant.exe (PID: 7380)
  - AndrowsAssistant.exe (PID: 8096)
  - AndrowsAssistant.exe (PID: 8272)
  - CefRendererProcess.exe (PID: 4020)
  - Setup.exe (PID: 8932)
  - AndrowsAssistant.exe (PID: 9136)
  - AndrowsAssistant.exe (PID: 144)
  - TInst.exe (PID: 8276)
  - TCGamer.exe (PID: 800)
  - QtWebEngineProcess.exe (PID: 8100)
  - pc_yyb.exe (PID: 8276)
  - QtWebEngineProcess.exe (PID: 4332)
  - AndrowsAssistant.exe (PID: 7432)
  - AndrowsLauncher.exe (PID: 2256)
  - crashpad_handler.exe (PID: 7564)
  - AndrowsAssistant.exe (PID: 8256)
- Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)
  - pc_yyb.exe (PID: 8100)
  - pc_yyb.exe (PID: 8276)
- Reads security settings of Internet Explorer
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8232)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsLauncher.exe (PID: 9180)
  - AndrowsStore.exe (PID: 7180)
  - AndrowsLauncher.exe (PID: 9036)
- Drops a system driver (possible attempt to evade defenses)
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
- Drops 7-zip archiver for unpacking
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
- The process drops C-runtime libraries
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
  - TCGamer.exe (PID: 1184)
  - TInst.exe (PID: 8276)
- Process drops legitimate windows executable
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
  - Setup.exe (PID: 8932)
  - TCGamer.exe (PID: 1184)
  - TInst.exe (PID: 8276)
- Reads the date of Windows installation
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8232)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsLauncher.exe (PID: 9180)
  - AndrowsStore.exe (PID: 7180)
  - AndrowsLauncher.exe (PID: 9036)
- Creates file in the systems drive root
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
- Named pipe usage
  - crashpad_handler.exe (PID: 8976)
  - crashpad_handler.exe (PID: 8920)
  - crashpad_handler.exe (PID: 8260)
  - crashpad_handler.exe (PID: 2680)
  - crashpad_handler.exe (PID: 3056)
  - crashpad_handler.exe (PID: 7564)
- Reads the BIOS version
  - Setup.exe (PID: 7824)
- There is functionality for VM detection VirtualBox (YARA)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
- There is functionality for taking screenshot (YARA)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
- The process checks if it is being run in the virtual environment
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
- Executes as Windows Service
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsSvr.exe (PID: 7864)
- Creates files in the driver directory
  - Setup.exe (PID: 7824)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 8948)
  - regsvr32.exe (PID: 9080)
  - dxdiag.exe (PID: 6080)
  - dxdiag.exe (PID: 6552)
  - dxdiag.exe (PID: 8560)
  - dxdiag.exe (PID: 8688)
  - dxdiag.exe (PID: 468)
  - dxdiag.exe (PID: 6176)
  - dxdiag.exe (PID: 7248)
  - dxdiag.exe (PID: 6548)
  - dxdiag.exe (PID: 7776)
- Windows service management via SC.EXE
  - sc.exe (PID: 9104)
- Creates or modifies Windows services
  - Setup.exe (PID: 7824)
- Starts SC.EXE for service management
  - cmd.exe (PID: 4280)
- Searches for installed software
  - AndrowsStore.exe (PID: 7180)
- There is functionality for VM detection VMWare (YARA)
  - AndrowsStore.exe (PID: 7180)
- Adds/modifies Windows certificates
  - QtWebEngineProcess.exe (PID: 8100)
INFO
- Reads Environment values
  - identity_helper.exe (PID: 7368)
  - identity_helper.exe (PID: 7772)
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
  - identity_helper.exe (PID: 2092)
- Checks supported languages
  - hchaem_x64.5.3.exe (PID: 8428)
  - identity_helper.exe (PID: 7368)
  - hchaem_x64.5.3.tmp (PID: 8464)
  - s8ZGhshJ.exe (PID: 8524)
  - elevation_service.exe (PID: 7488)
  - pc_yyb.exe (PID: 8100)
  - identity_helper.exe (PID: 7772)
  - Setup.exe (PID: 7824)
  - crashpad_handler.exe (PID: 8976)
  - AndrowsAssistant.exe (PID: 8232)
  - crashpad_handler.exe (PID: 8920)
  - AndrowsAssistant.exe (PID: 7796)
  - AndrowsAssistant.exe (PID: 8500)
  - opengl_checker.exe (PID: 8816)
  - AndrowsSvr.exe (PID: 3008)
  - crashpad_handler.exe (PID: 2952)
  - AndrowsLauncher.exe (PID: 9180)
  - dokanctl.exe (PID: 8384)
  - crashpad_handler.exe (PID: 8260)
  - AndrowsAssistant.exe (PID: 8228)
  - AndrowsStore.exe (PID: 7180)
  - crashpad_handler.exe (PID: 2680)
  - AndrowsDlSvr.exe (PID: 1840)
  - AndrowsAssistant.exe (PID: 8292)
  - CefRendererProcess.exe (PID: 8464)
  - CefRendererProcess.exe (PID: 8816)
  - AndrowsAssistant.exe (PID: 9084)
  - CefRendererProcess.exe (PID: 8564)
  - CefRendererProcess.exe (PID: 8956)
  - CefRendererProcess.exe (PID: 8504)
  - CefRendererProcess.exe (PID: 1344)
  - CefRendererProcess.exe (PID: 5392)
  - AndrowsAssistant.exe (PID: 4228)
  - AndrowsAssistant.exe (PID: 7864)
  - opengl_checker.exe (PID: 7856)
  - AndrowsAssistant.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8096)
  - AndrowsAssistant.exe (PID: 7584)
  - AndrowsAssistant.exe (PID: 8880)
  - AndrowsAssistant.exe (PID: 8484)
  - AndrowsSvr.exe (PID: 7864)
  - crashpad_handler.exe (PID: 2232)
  - crashpad_handler.exe (PID: 3056)
  - AndrowsLauncher.exe (PID: 9036)
  - AndrowsAssistant.exe (PID: 7396)
  - AndrowsAssistant.exe (PID: 9024)
  - AndrowsAssistant.exe (PID: 1752)
  - AndrowsAssistant.exe (PID: 8436)
  - AndrowsAssistant.exe (PID: 7380)
  - AndrowsAssistant.exe (PID: 8096)
  - AndrowsAssistant.exe (PID: 8272)
  - CefRendererProcess.exe (PID: 4020)
  - Setup.exe (PID: 8932)
  - AndrowsAssistant.exe (PID: 9136)
  - AndrowsAssistant.exe (PID: 144)
  - identity_helper.exe (PID: 2092)
  - TCGamer.exe (PID: 1184)
  - TCGamer.exe (PID: 800)
  - QtWebEngineProcess.exe (PID: 8100)
  - TInst.exe (PID: 8276)
  - QtWebEngineProcess.exe (PID: 4332)
  - pc_yyb.exe (PID: 8276)
  - AndrowsAssistant.exe (PID: 8256)
  - AndrowsAssistant.exe (PID: 7432)
  - AndrowsLauncher.exe (PID: 2256)
  - crashpad_handler.exe (PID: 7564)
- Reads the computer name
  - hchaem_x64.5.3.exe (PID: 8428)
  - hchaem_x64.5.3.tmp (PID: 8464)
  - identity_helper.exe (PID: 7368)
  - s8ZGhshJ.exe (PID: 8524)
  - elevation_service.exe (PID: 7488)
  - pc_yyb.exe (PID: 8100)
  - identity_helper.exe (PID: 7772)
  - Setup.exe (PID: 7824)
  - crashpad_handler.exe (PID: 8976)
  - AndrowsAssistant.exe (PID: 8232)
  - crashpad_handler.exe (PID: 8920)
  - AndrowsAssistant.exe (PID: 7796)
  - opengl_checker.exe (PID: 8816)
  - AndrowsAssistant.exe (PID: 8500)
  - AndrowsSvr.exe (PID: 3008)
  - crashpad_handler.exe (PID: 2952)
  - dokanctl.exe (PID: 8384)
  - AndrowsLauncher.exe (PID: 9180)
  - AndrowsAssistant.exe (PID: 8228)
  - AndrowsStore.exe (PID: 7180)
  - crashpad_handler.exe (PID: 8260)
  - crashpad_handler.exe (PID: 2680)
  - AndrowsAssistant.exe (PID: 8292)
  - AndrowsDlSvr.exe (PID: 1840)
  - CefRendererProcess.exe (PID: 8504)
  - AndrowsAssistant.exe (PID: 9084)
  - CefRendererProcess.exe (PID: 8816)
  - CefRendererProcess.exe (PID: 8464)
  - AndrowsAssistant.exe (PID: 4228)
  - AndrowsAssistant.exe (PID: 7864)
  - opengl_checker.exe (PID: 7856)
  - AndrowsAssistant.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8096)
  - AndrowsAssistant.exe (PID: 7584)
  - AndrowsAssistant.exe (PID: 8484)
  - AndrowsAssistant.exe (PID: 8880)
  - AndrowsSvr.exe (PID: 7864)
  - crashpad_handler.exe (PID: 2232)
  - AndrowsLauncher.exe (PID: 9036)
  - crashpad_handler.exe (PID: 3056)
  - AndrowsAssistant.exe (PID: 7396)
  - AndrowsAssistant.exe (PID: 1752)
  - AndrowsAssistant.exe (PID: 9024)
  - AndrowsAssistant.exe (PID: 8436)
  - AndrowsAssistant.exe (PID: 7380)
  - AndrowsAssistant.exe (PID: 8096)
  - AndrowsAssistant.exe (PID: 8272)
  - CefRendererProcess.exe (PID: 4020)
  - Setup.exe (PID: 8932)
  - AndrowsAssistant.exe (PID: 9136)
  - AndrowsAssistant.exe (PID: 144)
  - identity_helper.exe (PID: 2092)
  - TCGamer.exe (PID: 1184)
  - TInst.exe (PID: 8276)
  - TCGamer.exe (PID: 800)
  - QtWebEngineProcess.exe (PID: 8100)
  - QtWebEngineProcess.exe (PID: 4332)
  - pc_yyb.exe (PID: 8276)
  - AndrowsAssistant.exe (PID: 7432)
  - AndrowsLauncher.exe (PID: 2256)
  - AndrowsAssistant.exe (PID: 8256)
  - crashpad_handler.exe (PID: 7564)
- Manual execution by a user
  - hchaem_x64.5.3.exe (PID: 8428)
  - pc_yyb.exe (PID: 8100)
  - msedge.exe (PID: 8736)
  - pc_yyb.exe (PID: 3204)
  - pc_yyb.exe (PID: 8276)
- Application launched itself
  - msedge.exe (PID: 7652)
  - msedge.exe (PID: 4040)
  - msedge.exe (PID: 7824)
  - msedge.exe (PID: 7460)
  - msedge.exe (PID: 8736)
  - msedge.exe (PID: 4572)
  - msedge.exe (PID: 8560)
- Create files in a temporary directory
  - hchaem_x64.5.3.exe (PID: 8428)
  - hchaem_x64.5.3.tmp (PID: 8464)
  - pc_yyb.exe (PID: 8100)
  - crashpad_handler.exe (PID: 8920)
  - AndrowsLauncher.exe (PID: 9180)
  - AndrowsAssistant.exe (PID: 8292)
  - AndrowsStore.exe (PID: 7180)
  - dxdiag.exe (PID: 8560)
  - dxdiag.exe (PID: 6552)
  - dxdiag.exe (PID: 8688)
  - dxdiag.exe (PID: 468)
  - dxdiag.exe (PID: 6176)
  - dxdiag.exe (PID: 7248)
  - dxdiag.exe (PID: 6548)
  - TCGamer.exe (PID: 1184)
  - dxdiag.exe (PID: 7776)
- Creates files or folders in the user directory
  - hchaem_x64.5.3.tmp (PID: 8464)
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
  - CefRendererProcess.exe (PID: 8816)
  - TCGamer.exe (PID: 800)
  - QtWebEngineProcess.exe (PID: 8100)
  - pc_yyb.exe (PID: 8276)
- The sample compiled with english language support
  - hchaem_x64.5.3.tmp (PID: 8464)
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
  - Setup.exe (PID: 8932)
  - TCGamer.exe (PID: 1184)
  - TInst.exe (PID: 8276)
- Reads the machine GUID from the registry
  - s8ZGhshJ.exe (PID: 8524)
  - elevation_service.exe (PID: 7488)
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - crashpad_handler.exe (PID: 8976)
  - crashpad_handler.exe (PID: 8920)
  - AndrowsAssistant.exe (PID: 8232)
  - AndrowsSvr.exe (PID: 3008)
  - crashpad_handler.exe (PID: 2952)
  - crashpad_handler.exe (PID: 8260)
  - crashpad_handler.exe (PID: 2680)
  - AndrowsDlSvr.exe (PID: 1840)
  - AndrowsStore.exe (PID: 7180)
  - AndrowsAssistant.exe (PID: 4228)
  - AndrowsAssistant.exe (PID: 8484)
  - AndrowsSvr.exe (PID: 7864)
  - crashpad_handler.exe (PID: 2232)
  - crashpad_handler.exe (PID: 3056)
  - Setup.exe (PID: 8932)
  - TCGamer.exe (PID: 800)
  - QtWebEngineProcess.exe (PID: 8100)
  - pc_yyb.exe (PID: 8276)
  - crashpad_handler.exe (PID: 7564)
- Executes as Windows Service
  - elevation_service.exe (PID: 7488)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 8616)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 8616)
- Creates files in the program directory
  - sihost.exe (PID: 4460)
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
  - AndrowsDlSvr.exe (PID: 1840)
  - AndrowsAssistant.exe (PID: 4228)
  - Setup.exe (PID: 8932)
  - TCGamer.exe (PID: 800)
  - TInst.exe (PID: 8276)
  - pc_yyb.exe (PID: 8276)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 7760)
  - dxdiag.exe (PID: 6080)
  - dxdiag.exe (PID: 6552)
  - dxdiag.exe (PID: 8560)
  - dxdiag.exe (PID: 8688)
  - dxdiag.exe (PID: 468)
  - dxdiag.exe (PID: 6176)
  - dxdiag.exe (PID: 6548)
  - dxdiag.exe (PID: 7248)
  - WMIC.exe (PID: 8404)
  - dxdiag.exe (PID: 7776)
- The sample compiled with chinese language support
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsStore.exe (PID: 7180)
  - Setup.exe (PID: 8932)
  - TCGamer.exe (PID: 1184)
  - TInst.exe (PID: 8276)
- Checks proxy server information
  - slui.exe (PID: 2752)
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
  - AndrowsAssistant.exe (PID: 4228)
  - AndrowsAssistant.exe (PID: 8484)
  - TCGamer.exe (PID: 800)
  - QtWebEngineProcess.exe (PID: 8100)
- Process checks computer location settings
  - pc_yyb.exe (PID: 8100)
  - Setup.exe (PID: 7824)
  - AndrowsAssistant.exe (PID: 8232)
  - AndrowsLauncher.exe (PID: 9180)
  - AndrowsStore.exe (PID: 7180)
  - CefRendererProcess.exe (PID: 8564)
  - CefRendererProcess.exe (PID: 8956)
  - CefRendererProcess.exe (PID: 1344)
  - AndrowsLauncher.exe (PID: 9036)
  - QtWebEngineProcess.exe (PID: 4332)
- Reads Windows Product ID
  - Setup.exe (PID: 7824)
- Reads product name
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
- TeamViewer related mutex has been found
  - Setup.exe (PID: 7824)
  - AndrowsSvr.exe (PID: 3008)
  - AndrowsStore.exe (PID: 7180)
- Creates a software uninstall entry
  - pc_yyb.exe (PID: 8100)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

338

Monitored processes

174

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

144

"C:\Program Files\Tencent\Androws\Application\5.10.3300.4496\AndrowsAssistant.exe" --check-opengl-process "AndrowsStore.exe"

C:\Program Files\Tencent\Androws\Application\5.10.3300.4496\AndrowsAssistant.exe

—

AndrowsStore.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯应用宝移动应用引擎

Exit code:

1000

Version:

5.10.3300.4496

Modules

Images
c:\program files\tencent\androws\application\5.10.3300.4496\androwsassistant.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

148

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5112,i,732204595458458666,4393950313399381251,262144 --variations-seed-version --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

148

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

468

"C:\Windows\System32\dxdiag.exe" /t C:\Users\admin\AppData\Local\Temp\Tencent\Androws\AndrowsStore_dxdiag.log

C:\Windows\System32\dxdiag.exe

—

AndrowsStore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft DirectX Diagnostic Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

792

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=4848,i,13736466013146461032,17500271244865584964,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

800

"C:\Program Files\Tencent\Androws\TCGamer\TCGamer.exe" -start=mobile_game_assistant -gameid=95147 -gameurl=https://gamer.qq.com/v2/cloudgame/game/95147?bid=pc_yyb&guid=a323b9911157d139eb134a4d7729287b&ichannel=pcyyb0Fpcyyb1&pkgname=com.tencent.tmgp.cod&platform=client&scene=discovery2_page&source_id=discovery2_page&trace_id= -third_logintype= -third_appid= -third_openid= -third_accesstoken= -third_channel=pc_yyb -display_name=使命召唤手游 -check_update=0 -gamemodule=0

C:\Program Files\Tencent\Androws\TCGamer\TCGamer.exe

AndrowsStore.exe

User:

admin

Company:

腾讯

Integrity Level:

HIGH

Description:

腾讯先锋云游戏

Exit code:

3221225547

Version:

1.1.22.50811

Modules

Images
c:\program files\tencent\androws\tcgamer\tcgamer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

1184

"C:\Users\admin\AppData\Local\Temp\TCGamer.exe"

C:\Users\admin\AppData\Local\Temp\TCGamer.exe

AndrowsStore.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\tcgamer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

1344

"C:\Program Files\Tencent\Androws\Application\5.10.3300.4496\CefRendererProcess" --disable-extensions --disable-pdf-extension --locales-dir-path="C:\Program Files\Tencent\Androws\Application\5.10.3300.4496\resources\locales" --log-items=pid,tid,timestamp --log-severity=disable --resources-dir-path="C:\Program Files\Tencent\Androws\Application\5.10.3300.4496\resources" --type=renderer --user-agent-product="Chrome/126.0.0 CefView/1.0 (Windows; en-us) YYBAppClient/5.10.3300.4496" --user-data-dir="C:\Users\admin\AppData\Roaming\Tencent\Androws\cef\CEF_AndrowsStore" --windows-job-name=CefView-Job-{f0a3c1e3-ff89-4581-8a45-f0bfd74c4bb0}-7180 --disable-gpu-process-crash-limit --disable-extensions --disable-pdf-extension --disable-component-update --disable-site-isolation-trials=1 --use-fake-device-for-media-stream --bridge-obj-name=CallBridge --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4892,i,4196300418804148121,13032200713605025233,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:1

C:\Program Files\Tencent\Androws\Application\5.10.3300.4496\CefRendererProcess.exe

AndrowsStore.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files\tencent\androws\application\5.10.3300.4496\cefrendererprocess.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\tencent\androws\application\5.10.3300.4496\libcef.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll

1420

icacls "C:\Users\admin\AppData\Local\exter\QwXNMq\." /deny "Users":(D)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll

1700

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

dokanctl.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

112 561

Read events

111 336

Write events

1 049

Delete events

176

Modification events


(PID) Process:	(4460) sihost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe
Operation:	write	Name:	WasEverActivated
Value: 1
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\hchaem_x64.5.3.zip
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(8768) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

Add for printing

Executable files

873

Suspicious files

857

Text files

1 176

Unknown types

Dropped files

PID	Process	Filename		Type
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFfdf1c.TMP		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfdf3b.TMP		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFfdf3b.TMP		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfdf4b.TMP		—
		MD5:—	SHA256:—
7652	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

301

TCP/UDP connections

528

DNS requests

265

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7976	msedge.exe	GET	200	104.26.4.222:443	https://dhsifbasb.top/sidajingang/hchaem_x64.5.3.zip	US	—	—	unknown
7976	msedge.exe	GET	304	150.171.28.11:443	https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist	US	—	—	whitelisted
7976	msedge.exe	GET	200	150.171.22.17:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=65&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0	US	text	768 b	unknown
7976	msedge.exe	GET	200	150.171.27.11:443	https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=133.0.3065.92&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D1.2.1%26installedby%3Dother%26uc%26ping%3Dr%253D520%2526e%253D1	US	xml	413 b	whitelisted
7976	msedge.exe	GET	200	150.171.27.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	US	text	462 b	whitelisted
1984	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
6244	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
7976	msedge.exe	POST	200	142.250.186.99:443	https://update.googleapis.com/service/update2/json?cup2key=14:FqXwAdvmg5JsjraJZVBVfWBGT-Pq9U80bue3OTmPKgs&cup2hreq=44944bb957edb0c55cd9a7f2f8bc20c5fd96d4584e5b9b2b817233d201902198	US	text	889 b	whitelisted
9172	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	US	binary	419 b	whitelisted
9172	SIHClient.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	NL	binary	824 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6244	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6768	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
408	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3412	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7976	msedge.exe	150.171.27.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7976	msedge.exe	150.171.22.17:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7976	msedge.exe	150.171.27.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7976	msedge.exe	104.26.4.222:443	dhsifbasb.top	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
dhsifbasb.top	104.26.4.222 104.26.5.222 172.67.74.234	unknown
copilot.microsoft.com	104.18.23.222 104.18.22.222	whitelisted
update.googleapis.com	142.250.186.99	whitelisted
www.bing.com	23.3.88.58 23.3.88.43 23.3.88.49 23.3.88.27 23.3.88.48 23.3.88.59 23.3.88.50 23.3.88.56 23.3.88.57 2.20.142.251 2.20.142.187 92.122.215.65 2.20.142.3 2.20.142.154 2.20.142.180 92.122.215.53 23.33.40.135 23.33.40.138 23.33.40.152 23.33.40.154 23.33.40.149 23.33.40.132 23.33.40.155 23.33.40.147 23.33.40.136	whitelisted
clients2.googleusercontent.com	142.250.184.225	whitelisted

Threats

PID	Process	Class	Message
7976	msedge.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
—	—	Potentially Bad Traffic	ET INFO HTTP Request to a *.top domain
4460	sihost.exe	Malware Command and Control Activity Detected	ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
8816	CefRendererProcess.exe	Misc activity	ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
8816	CefRendererProcess.exe	Misc activity	ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
—	—	A Network Trojan was detected	ET USER_AGENTS Aria2 User-Agent
—	—	A Network Trojan was detected	ET USER_AGENTS Aria2 User-Agent
8816	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
8816	CefRendererProcess.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)

Add for printing

Process	Message
crashpad_handler.exe	[8976:8968:20251220,081239.899:ERROR filesystem_win.cc:130] GetFileAttributes C:\Users\admin\AppData\Local\Temp\Tencent\Androws\BTrace\7ebaf51295\Trace: The system cannot find the file specified. (2)
crashpad_handler.exe	Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[8976:8720:20251220,081239.904:INFO bugly_trace_report.cc:322] [Trace] checkReportCacheFile num:0
crashpad_handler.exe	[Trace] checkReportCacheFile num:0
crashpad_handler.exe	[8976:8968:20251220,081239.904:INFO bugly_crash_monitor_statistics.cc:282] Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[8920:2428:20251220,081240.321:INFO bugly_crash_monitor_statistics.cc:282] Bugly: [statistices] find statistices file count:0
crashpad_handler.exe	[8920:8952:20251220,081240.325:INFO bugly_trace_report.cc:322] [Trace] checkReportCacheFile num:0
crashpad_handler.exe	[Trace] checkReportCacheFile num:0
crashpad_handler.exe	[8920:9004:20251220,081241.420:INFO crash_report_upload_thread.cc:257] On CheckAndReportResiduesCrashReports, status:000007FF76CF29BC80

General Info

https://dhsifbasb.top/sidajingang/hchaem_x64.5.3.zip

8D6149EE6B55D1B84B3730AF34EEDE5B

6EC3024642581A6AD135974DC92DBD9CE5C2F42F

E1A32074343FFFAB3ACEC2D68BECA292A66C2B79EA7CE5FDFA8786392104FF8C

3:N8VLTHANAE0LCiao63kLZn:2dTuAPCiaSZn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Changes Windows Defender settings

Registers / Runs the DLL via REGSVR32.EXE

Changes settings of System certificates

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Script adds exclusion path to Windows Defender

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

Deletes scheduled task without confirmation

Contacting a server suspected of hosting an CnC

Connects to unusual port

The process verifies whether the antivirus software is installed

Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

Reads security settings of Internet Explorer

Drops a system driver (possible attempt to evade defenses)

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

Process drops legitimate windows executable

Reads the date of Windows installation

Creates file in the systems drive root

Named pipe usage

Reads the BIOS version

There is functionality for VM detection VirtualBox (YARA)

There is functionality for taking screenshot (YARA)

The process checks if it is being run in the virtual environment

Executes as Windows Service

Creates files in the driver directory

Creates/Modifies COM task schedule object

Windows service management via SC.EXE

Creates or modifies Windows services

Starts SC.EXE for service management

Searches for installed software

There is functionality for VM detection VMWare (YARA)

Adds/modifies Windows certificates

INFO

Reads Environment values

Checks supported languages

Reads the computer name

Manual execution by a user

Application launched itself

Create files in a temporary directory

Creates files or folders in the user directory

The sample compiled with english language support

Reads the machine GUID from the registry

Executes as Windows Service

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Creates files in the program directory

Reads security settings of Internet Explorer

The sample compiled with chinese language support

Checks proxy server information

Process checks computer location settings

Reads Windows Product ID

Reads product name

TeamViewer related mutex has been found

Creates a software uninstall entry

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules