File name:

ВАСЯ диагност 1.1.exe

Full analysis: https://app.any.run/tasks/e19585fa-3dd9-4127-b0e3-c1093d400f96
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:05:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

84EB8B45ADF54CD9F364C347421FCE75

SHA1:

84075EFFD993E3450BDB898ADC6943DFBDC87599

SHA256:

03A3EDB161597BDA64D7A734AF85F936D8961A7DB151CC14C9D72A482281593C

SSDEEP:

196608:QUHkek8H+/rRhBy9K88FR9O/fuFyj1R4Yqdt:9Hkekj/VhAy9O/fuchRqdt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • ВАСЯ диагност 1.1.exe (PID: 3160)

    • Drops executable file immediately after starts

      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)

  • SUSPICIOUS

    • Checks supported languages

      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)
      • msiexec.exe (PID: 1336)
      • MsiExec.exe (PID: 1436)

    • Reads the computer name

      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)
      • msiexec.exe (PID: 1336)
      • MsiExec.exe (PID: 1436)

    • Application launched itself

      • ВАСЯ диагност 1.1.exe (PID: 3160)

    • Executable content was dropped or overwritten

      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)

    • Drops a file with a compile date too recent

      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)

    • Reads Windows owner or organization settings

      • ВАСЯ диагност 1.1.exe (PID: 340)

    • Reads the Windows organization settings

      • ВАСЯ диагност 1.1.exe (PID: 340)

    • Executed via COM

      • DllHost.exe (PID: 4048)

    • Creates a directory in Program Files

      • DllHost.exe (PID: 4048)

  • INFO

    • Application launched itself

      • msiexec.exe (PID: 1336)

    • Checks supported languages

      • DllHost.exe (PID: 4048)

    • Reads the computer name

      • DllHost.exe (PID: 4048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

ProductVersion: 1.1.0
ProductName: ВАСЯ диагност
OriginalFileName: vd_1.1.0_setup.exe
LegalCopyright: Copyright (C) Car2diag
InternalName: vd_1.1.0_setup
FileVersion: 1.1.0
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
CompanyName: Car2diag
CharacterSet: Unicode
LanguageCode: Russian
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 1.1.0.0
FileVersionNumber: 1.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x993d9
UninitializedDataSize: -
InitializedDataSize: 382464
CodeSize: 812544
LinkerVersion: 9
PEType: PE32
TimeStamp: 2011:08:16 11:35:51+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2011 09:35:51
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • D:\BranchAI\win\Release\stubs\x86u\ExternalUi.pdb
CompanyName: Car2diag
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
FileVersion: 1.1.0
InternalName: vd_1.1.0_setup
LegalCopyright: Copyright (C) Car2diag
OriginalFileName: vd_1.1.0_setup.exe
ProductName: ВАСЯ диагност
ProductVersion: 1.1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2011 09:35:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000C653E
0x000C6600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.62726
.rdata
0x000C8000
0x00030CB2
0x00030E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.4147
.data
0x000F9000
0x00008EC4
0x00002E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.22785
.rsrc
0x00102000
0x000163BC
0x00016400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.53486
.reloc
0x00119000
0x00013574
0x00013600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5.12346

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.22953
845
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.08438
744
Latin 1 / Western European
Russian - Russia
RT_ICON
3
3.20315
488
Latin 1 / Western European
Russian - Russia
RT_ICON
4
3.08623
296
Latin 1 / Western European
Russian - Russia
RT_ICON
5
5.59298
3752
Latin 1 / Western European
Russian - Russia
RT_ICON
6
6.02092
2216
Latin 1 / Western European
Russian - Russia
RT_ICON
7
6.00379
1736
Latin 1 / Western European
Russian - Russia
RT_ICON
8
4.59129
1384
Latin 1 / Western European
Russian - Russia
RT_ICON
9
3.96518
1114
Latin 1 / Western European
Russian - Russia
RT_STRING
10
4.22341
2032
Latin 1 / Western European
Russian - Russia
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
NETAPI32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start вася диагност 1.1.exe вася диагност 1.1.exe msiexec.exe no specs msiexec.exe no specs Copy/Move/Rename/Delete/Link Object no specs

Process information

PID
CMD
Path
Indicators
Parent process
340 /i "C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\ВАСЯ.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\"C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
ВАСЯ диагност 1.1.exe
User:
admin
Company:
Car2diag
Integrity Level:
MEDIUM
Description:
Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code:
0
Version:
1.1.0
Modules
Images
c:\users\admin\appdata\local\temp\вася диагност 1.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1336C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1436C:\Windows\system32\MsiExec.exe -Embedding A11231D9D9534D1517C08DA8C4DDC0CF CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
3160"C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Explorer.EXE
User:
admin
Company:
Car2diag
Integrity Level:
MEDIUM
Description:
Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code:
0
Version:
1.1.0
Modules
Images
c:\users\admin\appdata\local\temp\вася диагност 1.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
4048C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
Total events
6 560
Read events
6 390
Write events
165
Delete events
5

Modification events

(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
01000000020000000D0000000C000000000000000B00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Operation:writeName:MRUListEx
Value:
010000000000000002000000040000000500000003000000FFFFFFFF
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell
Operation:writeName:SniffedFolderType
Value:
Generic
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:writeName:4
Value:
1204100421042F04200034043804300433043D043E0441044204200031002E0031002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005010000510000008503000031020000000000000000000000000000000000000100000000000000
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:delete valueName:4
Value:
1204100421042F04200034043804300433043D043E0441044204200031002E0031002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005010000510000008503000031020000000000000000000000000000000000000100000000000000
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:writeName:4
Value:
1204100421042F04200034043804300433043D043E0441044204200031002E0031002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020100003B000000FD030000790200000000000000000000000000000000000005010000510000008503000031020000000000000000000000000000000000000100000000000000
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Operation:writeName:MRUListEx
Value:
0400000000000000030000000200000001000000FFFFFFFF
(PID) Process:(340) ВАСЯ диагност 1.1.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Operation:writeName:Mode
Value:
4
Executable files
25
Suspicious files
15
Text files
1 200
Unknown types
6

Dropped files

PID
Process
Filename
Type
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\CDM20814_Setup.exeexecutable
MD5:080C9F252D15D67540C7F82173D5A135
SHA256:35F4B0FB91145D56BDED0E71A2EAF8D713C3676971F79BC3A7201333D951DFB7
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\ftd2xx.htext
MD5:30C72676B95D747E80C54F096DD231BB
SHA256:90432B8FB114EF0AD4519588172C60D9ABFA477E4A68ABDE05A37E9052A6C338
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\decoder.dllexecutable
MD5:49B60B1C3414C85D69DDF03FAD42A6B2
SHA256:511595CDEEF5C40093D66F532BA4C207AC343439AA82049162B18E6B5E293173
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Debug\ReadMe.txttext
MD5:4A329D42AB14E1FD61014B5FB050C485
SHA256:9B32937F7CE4E53FE1FAC78293CE4FA34FEFE3AD698F663A6A764699C363FD80
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\AutoScan.txttext
MD5:212F36431702AD0C3FFFC33F50B2B8F1
SHA256:1DACA662E49C44FC72E78E1986CE18A3EF03D6BD36C59165A19D04F862F93F97
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Labels\LabelVer.txttext
MD5:1848E47B498F59C8ED4CFC4F1DAF454A
SHA256:B4AA1DCA3E768E547FF8E20D6E803E86855F0CF1A3AD16DB734E619FAF155FE1
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\TDIGraph.exeexecutable
MD5:E61266337921315B198D64D888CDE42C
SHA256:0492FBA45C9592B59D7A078C4B7A09A578730669D82E92950A5698B5D06D8944
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Logs\ReadMe.txttext
MD5:E97EF5822F44877AB466A8E6CAA980ED
SHA256:3A38202C0028B4B135C6C1C160E26AD371A285F47D563490EF602DE6CFB4CDF9
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\LCode.initext
MD5:91A94C7D3811C24D42E5C6E6893B28CC
SHA256:08A18FAFC251B88A90BB106F60C5FA7C69CFD0EC00ABA094579FAD533341F2B7
3160ВАСЯ диагност 1.1.exeC:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\vd.exeexecutable
MD5:E845FC9FD35FB60D9B7CD57E290BE0B1
SHA256:08AF36C7963B3D0DD349A0D8E599099C6A934118BCCD9342814459AFC6FBE858
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ВАСЯ диагност 1.1.exe