File name: SkrinshoterSetup_4.76.exe

Full analysis: https://app.any.run/tasks/deff88e5-8db3-40bb-94b3-5cd70365d750
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 21, 2025, 18:14:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: inno, installer, delphi, loader, stealer, arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: EB4E8609A3B8D548E1115A25920A5B5A
SHA1: 9066A8764D8FD7C2CE696FD9394E40B507B7D602
SHA256: 1EF226FF3E106CC9E3952D56AD097E3A9BA96BD041FE6E88F5C011F4966D8497
SSDEEP: 98304:Arq3BdwKSABgfS2gsBo68VzUWTmt31AsZOe+jG5XlSWcS+Tnx98BryuOTcnwxF3y:qGx+CgperLvNv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 8692)
    • Changes powershell execution policy (Bypass)

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • Changes the autorun value in the registry

      • Skrinshoter.exe (PID: 304)
      • HeyBro.exe (PID: 8844)
    • Actions look like stealing of personal data

      • seederexe.exe (PID: 7324)
      • lite_installer.exe (PID: 7880)
      • setup.exe (PID: 3580)
    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 7324)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SkrinshoterSetup_4.76.exe (PID: 6680)
      • SkrinshoterSetup_4.76.exe (PID: 188)
      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • skrinshoter-heybro-installer.exe (PID: 8280)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • Yandex.exe (PID: 8404)
      • lite_installer.exe (PID: 7880)
      • ybEB79.tmp (PID: 1936)
    • Reads security settings of Internet Explorer

      • SkrinshoterSetup_4.76.tmp (PID: 6532)
      • Skrinshoter.exe (PID: 304)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • scrrec.exe (PID: 7480)
      • lite_installer.exe (PID: 7880)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • explorer.exe (PID: 8440)
      • Yandex.exe (PID: 8404)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • setup.exe (PID: 3580)
    • Process drops legitimate windows executable

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • The process bypasses the loading of PowerShell profile settings

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • The process hides an interactive prompt from the user

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • Reads the Windows owner or organization settings

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • msiexec.exe (PID: 7500)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 6380)
      • powershell.exe (PID: 8692)
    • Starts POWERSHELL.EXE for commands execution

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • The process hides Powershell's copyright startup banner

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • The process executes Powershell scripts

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • Reads the date of Windows installation

      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • Skrinshoter.exe (PID: 304)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
    • Process requests binary or script from the Internet

      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • lite_installer.exe (PID: 7880)
    • Potential Corporate Privacy Violation

      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • lite_installer.exe (PID: 7880)
    • Adds/modifies Windows certificates

      • skrinshoter-yandex-downloader.exe (PID: 2804)
    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 3720)
    • Application launched itself

      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • HeyBro.exe (PID: 8844)
      • setup.exe (PID: 3580)
    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 7324)
    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 7324)
    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 7324)
    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 8404)
    • Starts itself from another location

      • Yandex.exe (PID: 8404)
    • Creates a software uninstall entry

      • Yandex.exe (PID: 8404)
    • Starts application with an unusual extension

      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
  • INFO

    • Checks supported languages

      • SkrinshoterSetup_4.76.exe (PID: 6680)
      • SkrinshoterSetup_4.76.exe (PID: 188)
      • SkrinshoterSetup_4.76.tmp (PID: 6532)
      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • Skrinshoter.exe (PID: 304)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • skrfun.exe (PID: 7552)
      • scrrec.exe (PID: 7480)
      • skrinshoter-yandex-downloader.exe (PID: 5928)
      • YandexPackSetup.exe (PID: 3720)
      • lite_installer.exe (PID: 7880)
      • msiexec.exe (PID: 7456)
      • msiexec.exe (PID: 7500)
      • identity_helper.exe (PID: 7352)
      • seederexe.exe (PID: 7324)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • Yandex.exe (PID: 8404)
      • skrinshoter-heybro-installer.exe (PID: 8280)
      • explorer.exe (PID: 8440)
      • sender.exe (PID: 8492)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • HeyBro.exe (PID: 8844)
      • HeyBro.exe (PID: 8936)
      • HeyBro.exe (PID: 9040)
      • setup.exe (PID: 3580)
      • ybEB79.tmp (PID: 1936)
      • HeyBro.exe (PID: 9072)
      • HeyBro.exe (PID: 9200)
      • setup.exe (PID: 5168)
    • Reads the computer name

      • SkrinshoterSetup_4.76.tmp (PID: 6532)
      • SkrinshoterSetup_4.76.exe (PID: 188)
      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • Skrinshoter.exe (PID: 304)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • scrrec.exe (PID: 7480)
      • skrfun.exe (PID: 7552)
      • YandexPackSetup.exe (PID: 3720)
      • msiexec.exe (PID: 7500)
      • msiexec.exe (PID: 7456)
      • lite_installer.exe (PID: 7880)
      • identity_helper.exe (PID: 7352)
      • skrinshoter-yandex-downloader.exe (PID: 5928)
      • seederexe.exe (PID: 7324)
      • skrinshoter-heybro-installer.exe (PID: 8280)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • Yandex.exe (PID: 8404)
      • explorer.exe (PID: 8440)
      • sender.exe (PID: 8492)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • HeyBro.exe (PID: 8844)
      • HeyBro.exe (PID: 9040)
      • ybEB79.tmp (PID: 1936)
      • setup.exe (PID: 3580)
      • HeyBro.exe (PID: 9072)
    • Creates files in a temporary directory

      • SkrinshoterSetup_4.76.exe (PID: 6680)
      • SkrinshoterSetup_4.76.exe (PID: 188)
      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • skrinshoter-yandex-downloader.exe (PID: 5928)
      • msiexec.exe (PID: 7456)
      • lite_installer.exe (PID: 7880)
      • YandexPackSetup.exe (PID: 3720)
      • seederexe.exe (PID: 7324)
      • skrinshoter-heybro-installer.exe (PID: 8280)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • sender.exe (PID: 8492)
      • Yandex.exe (PID: 8404)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • ybEB79.tmp (PID: 1936)
      • setup.exe (PID: 3580)
      • HeyBro.exe (PID: 8844)
    • Process checks computer location settings

      • SkrinshoterSetup_4.76.tmp (PID: 6532)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • Skrinshoter.exe (PID: 304)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • msiexec.exe (PID: 7456)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • Yandex.exe (PID: 8404)
      • explorer.exe (PID: 8440)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • HeyBro.exe (PID: 8844)
      • HeyBro.exe (PID: 9200)
    • Creates files in the program directory

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • Skrinshoter.exe (PID: 304)
      • skrfun.exe (PID: 7552)
      • scrrec.exe (PID: 7480)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • The sample compiled with English language support

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • lite_installer.exe (PID: 7880)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
      • ybEB79.tmp (PID: 1936)
    • Compiled with Borland Delphi (YARA)

      • SkrinshoterSetup_4.76.exe (PID: 6680)
      • SkrinshoterSetup_4.76.tmp (PID: 6532)
      • SkrinshoterSetup_4.76.exe (PID: 188)
      • SkrinshoterSetup_4.76.tmp (PID: 2864)
    • Detects InnoSetup installer (YARA)

      • SkrinshoterSetup_4.76.exe (PID: 6680)
      • SkrinshoterSetup_4.76.tmp (PID: 6532)
      • SkrinshoterSetup_4.76.exe (PID: 188)
      • SkrinshoterSetup_4.76.tmp (PID: 2864)
    • The sample compiled with Russian language support

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • msiexec.exe (PID: 7456)
    • Creates a software uninstall entry

      • SkrinshoterSetup_4.76.tmp (PID: 2864)
      • skrinshoter-heybro-installer.tmp (PID: 8364)
    • Checks proxy server information

      • Skrinshoter.exe (PID: 304)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • lite_installer.exe (PID: 7880)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • HeyBro.exe (PID: 8844)
      • setup.exe (PID: 3580)
    • Reads the software policy settings

      • Skrinshoter.exe (PID: 304)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • scrrec.exe (PID: 7480)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • msiexec.exe (PID: 7500)
      • lite_installer.exe (PID: 7880)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • setup.exe (PID: 3580)
    • Application launched itself

      • msedge.exe (PID: 6148)
      • msedge.exe (PID: 432)
    • Reads the machine GUID from the registry

      • Skrinshoter.exe (PID: 304)
      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • scrrec.exe (PID: 7480)
      • msiexec.exe (PID: 7500)
      • seederexe.exe (PID: 7324)
      • lite_installer.exe (PID: 7880)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • HeyBro.exe (PID: 8844)
      • setup.exe (PID: 3580)
    • Reads Environment values

      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • Skrinshoter.exe (PID: 304)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • identity_helper.exe (PID: 7352)
      • HeyBro.exe (PID: 8844)
    • Disables trace logs

      • SkrinshoterYandexDownloader.exe (PID: 2324)
      • SkrinshoterHeyBroDownloader.exe (PID: 4552)
      • Skrinshoter.exe (PID: 304)
    • Creates files or folders in the user directory

      • Skrinshoter.exe (PID: 304)
      • skrinshoter-yandex-downloader.exe (PID: 2804)
      • skrfun.exe (PID: 7552)
      • scrrec.exe (PID: 7480)
      • msiexec.exe (PID: 7456)
      • msiexec.exe (PID: 7500)
      • lite_installer.exe (PID: 7880)
      • seederexe.exe (PID: 7324)
      • Yandex.exe (PID: 8404)
      • explorer.exe (PID: 8440)
      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
      • HeyBro.exe (PID: 8844)
      • HeyBro.exe (PID: 8936)
      • HeyBro.exe (PID: 9072)
      • setup.exe (PID: 5168)
      • setup.exe (PID: 3580)
    • Launching a file from a Registry key

      • Skrinshoter.exe (PID: 304)
      • HeyBro.exe (PID: 8844)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7500)
      • msiexec.exe (PID: 7456)
    • Manual execution by a user

      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
    • Yandex updater related mutex has been found

      • {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe (PID: 8560)
    • Reads product name

      • HeyBro.exe (PID: 8844)
    • Reads CPU info

      • HeyBro.exe (PID: 8844)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:12 07:26:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 171520
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 4.76.0.0
ProductVersionNumber: 4.76.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Online Center ltd
FileDescription: Скриншотер
FileVersion: 4.76
LegalCopyright: © 2022-2025 ООО “СААС”
OriginalFileName:
ProductName: Скриншотер
ProductVersion: 4.76
All screenshots are available in the full report
Total processes
205
Monitored processes
62
Malicious processes
13
Suspicious processes
6

Behavior graph

start skrinshotersetup_4.76.exe skrinshotersetup_4.76.tmp no specs skrinshotersetup_4.76.exe skrinshotersetup_4.76.tmp powershell.exe no specs conhost.exe no specs skrinshoter.exe no specs skrinshoter.exe msedge.exe no specs msedge.exe skrinshoteryandexdownloader.exe conhost.exe no specs skrinshoter-yandex-downloader.exe skrinshoterheybrodownloader.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs skrfun.exe no specs scrrec.exe no specs scrrec.exe no specs conhost.exe no specs skrfun.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs yandexpacksetup.exe skrinshoter-yandex-downloader.exe msiexec.exe msiexec.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs lite_installer.exe seederexe.exe skrinshoter-heybro-installer.exe skrinshoter-heybro-installer.tmp yandex.exe explorer.exe no specs sender.exe {b15b605a-8c3e-4539-9213-acadb8fd1b82}.exe powershell.exe no specs conhost.exe no specs heybro.exe heybro.exe no specs heybro.exe no specs heybro.exe heybro.exe no specs ybeb79.tmp slui.exe no specs setup.exe setup.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: "C:\Users\admin\AppData\Local\Temp\SkrinshoterSetup_4.76.exe" /SPAWNWND=$70374 /NOTIFYWND=$60282
Path: C:\Users\admin\AppData\Local\Temp\SkrinshoterSetup_4.76.exe
Parent process: SkrinshoterSetup_4.76.tmp
User:
admin
Company:
Online Center ltd
Integrity Level:
HIGH
Description:
Скриншотер
Exit code:
0
Version:
4.76
Modules
Images
c:\users\admin\appdata\local\temp\skrinshotersetup_4.76.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 304
CMD: "C:\Program Files\Skrinshoter\Skrinshoter.exe"
Path: C:\Program Files\Skrinshoter\Skrinshoter.exe
Parent process: SkrinshoterSetup_4.76.tmp
User:
admin
Company:
SААS
Integrity Level:
HIGH
Description:
Скриншотер
Version:
1.0.0.0
Modules
Images
c:\program files\skrinshoter\skrinshoter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 432
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://skrinshoter.ru/spasibo?key={D532D7D4-BD48-43C9-A5C4-5711B1BE68C8}&utm_source=Skrinshoter_Installer&utm_medium=cpc&utm_campaign=Bro_Installed_App_Ext
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1652
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3968,i,11399078158688607377,3261210396879665103,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1872
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2504,i,11399078158688607377,3261210396879665103,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1936
CMD: "C:\Users\admin\AppData\Local\Temp\ybEB79.tmp" --abt-config-resource-file="C:\Users\admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\admin\AppData\Local\Temp\073717b3-5934-49d1-8d1e-0bbd2a8dcf54.tmp" --brand-name=yandex --brand-package="C:\Users\admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=1567572865 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{AFB73876-568F-4528-94E4-04A2AE934DE3} --local-path="C:\Users\admin\AppData\Local\Temp\{B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe" --partner-package="C:\Users\admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2219604&ui={0a08b86f-625e-4ec7-b13a-354c708c1bc4} --send-statistics --silent --source=lite --use-user-default-locale --variations-resource-file="C:\Users\admin\AppData\Local\Temp\variations_resource" --variations-update-path="C:\Users\admin\AppData\Local\Temp\b63fa579-8b1b-4fa6-b124-5373d5a412bf.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\admin\AppData\Local\Temp\website.ico"
Path: C:\Users\admin\AppData\Local\Temp\ybEB79.tmp
Parent process: {B15B605A-8C3E-4539-9213-ACADB8FD1B82}.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Yandex Installer
Version:
25.4.4.576
Modules
Images
c:\users\admin\appdata\local\temp\ybeb79.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2192
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SkrinshoterYandexDownloader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2324
CMD: "C:\Users\admin\AppData\Local\Temp\is-S3BVU.tmp\SkrinshoterYandexDownloader.exe" --partner screenshoter-rf --distr /quiet /msicl \"YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y\"
Path: C:\Users\admin\AppData\Local\Temp\is-S3BVU.tmp\SkrinshoterYandexDownloader.exe
Parent process: SkrinshoterSetup_4.76.tmp
User:
admin
Company:
SkrinshoterYandexDownloader
Integrity Level:
HIGH
Description:
SkrinshoterYandexDownloader
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-s3bvu.tmp\skrinshoteryandexdownloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2552
CMD: "C:\Program Files\Skrinshoter\Skrinshoter.exe"
Path: C:\Program Files\Skrinshoter\Skrinshoter.exe
Parent process: SkrinshoterSetup_4.76.tmp
User:
admin
Company:
SААS
Integrity Level:
MEDIUM
Description:
Скриншотер
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\program files\skrinshoter\skrinshoter.exe
c:\windows\system32\ntdll.dll
Total events
47 423
Read events
47 140
Write events
239
Delete events
44

Modification events

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\screenshoterRF
Operation: write
Name: InstallID
Value: {D532D7D4-BD48-43C9-A5C4-5711B1BE68C8}

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\SkrinshoterRF
Operation: write
Name: Icon
Value: C:\Program Files\Skrinshoter\Skrinshoter.exe

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.3.3

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Skrinshoter

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Skrinshoter\

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Скриншотер

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: Setup Type
Value: full

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: Selected Components
Value: yandexbrowser,yandexextensions,yandexquickaccess

(PID) Process: (2864) SkrinshoterSetup_4.76.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Скриншотер_is1
Operation: write
Name: Inno Setup: Deselected Components
Value:

Executable files
311
Suspicious files
408
Text files
177
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 188 | Process: SkrinshoterSetup_4.76.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-IC89P.tmp\SkrinshoterSetup_4.76.tmp | Type: executable
MD5: 4DE67C5585E55EAEE5F196CD9E4B4A07
SHA256: 49AF895BB795F1DBC9E19CEEAC975848A80046C07AD8561945E3A19C9705BC26
PID: 6680 | Process: SkrinshoterSetup_4.76.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-USPMF.tmp\SkrinshoterSetup_4.76.tmp | Type: executable
MD5: 4DE67C5585E55EAEE5F196CD9E4B4A07
SHA256: 49AF895BB795F1DBC9E19CEEAC975848A80046C07AD8561945E3A19C9705BC26
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-S3BVU.tmp\logo_Yandex_RU_UA_vertical.ico | Type: image
MD5: F7DB64C70CE253ABE8CD01415D03B818
SHA256: AF6B56449636C17871FDD7AED9848F50515D82FDD6E97BC81DAC0107D839B330
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Program Files\Skrinshoter\CommunityToolkit.HighPerformance.dll | Type: executable
MD5: 47DC68C5238380F7A4F3F16B2358DE4C
SHA256: 2080B45766DA049FA6996F4C89D0DA96D44283BA5E00F3A1CABE3DEADAD33A9B
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-S3BVU.tmp\_isetup\_setup64.tmp | Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Program Files\Skrinshoter\unins000.exe | Type: executable
MD5: 4DE67C5585E55EAEE5F196CD9E4B4A07
SHA256: 49AF895BB795F1DBC9E19CEEAC975848A80046C07AD8561945E3A19C9705BC26
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Program Files\Skrinshoter\AudioVideoCore.dll | Type: executable
MD5: 9CF59162B53C9550312523F8038AD02F
SHA256: DE8A9AA9D0865F3AEE1746079204FF1D45E4E5F0CF81FBF857B5594FB3F0DAB8
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Program Files\Skrinshoter\CalcBinding.dll | Type: executable
MD5: AA60EBB3568E4CFB12B29368F348464B
SHA256: 8DB0941D1ECBA3B828FA0FA452EB9C7183BC87F81C1A76AB40D32628D65C3A25
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Program Files\Skrinshoter\is-8MUHG.tmp | Type: executable
MD5: 9CF59162B53C9550312523F8038AD02F
SHA256: DE8A9AA9D0865F3AEE1746079204FF1D45E4E5F0CF81FBF857B5594FB3F0DAB8
PID: 2864 | Process: SkrinshoterSetup_4.76.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-S3BVU.tmp\HeyBro.bmp | Type: image
MD5: F3CB4E809CB7A115F39E1910275DA2B9
SHA256: BBD839E98C888B17B25839027467CF3C8C09FB42B0E5C0237AA0E5177BAB3090
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
148
DNS requests
133
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7020
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
304
Skrinshoter.exe
GET
200
151.101.194.133:80
http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D
unknown
whitelisted
304
Skrinshoter.exe
GET
200
151.101.194.133:80
http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDDeu8BMhcM%2Fn5Y745w%3D%3D
unknown
whitelisted
2804
skrinshoter-yandex-downloader.exe
GET
302
37.9.64.225:80
http://downloader.yandex.net/yandex-pack/screenshoter-rf/YandexPackSetup.exe
unknown
whitelisted
2804
skrinshoter-yandex-downloader.exe
GET
302
37.9.64.225:80
http://download.yandex.ru/yandex-pack/downloader/info.rss
unknown
whitelisted
304
Skrinshoter.exe
GET
200
151.101.194.133:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D
unknown
whitelisted
2804
skrinshoter-yandex-downloader.exe
GET
5.45.192.7:80
http://cloudcdn-rad-02.cdn.yandex.net/downloader.yandex.net/yandex-pack/screenshoter-rf/YandexPackSetup.exe?lid=309
unknown
whitelisted
2804
skrinshoter-yandex-downloader.exe
GET
200
5.45.247.56:80
http://cloudcdn-ams03.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/info.rss?lid=325
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3108
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7020
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2336
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7020
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.131
  • 20.190.159.2
  • 40.126.31.130
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.73
  • 40.126.31.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
ocsp.globalsign.com
  • 151.101.194.133
  • 151.101.66.133
  • 151.101.2.133
  • 151.101.130.133
whitelisted
cdn.skrinshoter.ru
  • 95.181.182.182
whitelisted

Threats

PID
Process
Class
Message
2804
skrinshoter-yandex-downloader.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
2804
skrinshoter-yandex-downloader.exe
Misc activity
ET INFO Packed Executable Download
6520
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6520
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6520
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6520
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6520
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
6520
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7880
lite_installer.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7880
lite_installer.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Process
Message
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
YandexPackSetup.exe
GetSidFromEnumSess(): i = 0 : szUserName = Administrator, szDomain = DESKTOP-JGLLJLD, dwSessionId = 0
YandexPackSetup.exe
GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1693682860-607145093-2874071422-1001
YandexPackSetup.exe
GetSidFromEnumSess(): i = 1 : szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 0
YandexPackSetup.exe
GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin