File name: 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin

Full analysis: https://app.any.run/tasks/72be0d6e-f136-4ea4-9d49-28475ecd6aa6
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 29, 2025, 20:57:10
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
evasion
loader
auto
generic
stealer
arch-scr
arch-html
adware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 79E6396D09B77BA472C4D7D1A55FEF6D
SHA1: B7D48CAC78C10EA4854F57A794C157510FD2908A
SHA256: 2CF016814FF9E4568389E17D7D3F6AB16B92184D17BE701BF4B50C277BFBC21E
SSDEEP: 98304:aYEqiDZtofGXrGdWpRrhFzk0GGExrD3bHh4AOg/vcxDFhBk5fl+FO2lJoFyTnKva:crSe5vCshn6EQ6r5fJH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
    • Actions looks like stealing of personal data

      • lite_installer.exe (PID: 2064)
      • seederexe.exe (PID: 296)
      • 360TS_Setup.exe (PID: 4424)
    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 296)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
      • Yandex.exe (PID: 1972)
      • explorer.exe (PID: 5872)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Reads the Internet Settings

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
      • sender.exe (PID: 1304)
      • downloader.exe (PID: 5656)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Checks for external IP

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • svchost.exe (PID: 1664)
    • Reads settings of System Certificates

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • lite_installer.exe (PID: 2064)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Executable content was dropped or overwritten

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • wot_installer.exe (PID: 5952)
      • wot_installer.tmp (PID: 1876)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • downloader.exe (PID: 5656)
      • lite_installer.exe (PID: 2064)
      • Yandex.exe (PID: 1972)
      • 360TS_Setup.exe (PID: 4988)
      • 360TS_Setup.exe (PID: 4424)
    • Process requests binary or script from the Internet

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
    • Searches for installed software

      • wot_installer.tmp (PID: 1876)
    • Reads the Windows owner or organization settings

      • wot_installer.tmp (PID: 1876)
      • msiexec.exe (PID: 4212)
    • Potential Corporate Privacy Violation

      • downloader.exe (PID: 5656)
      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
    • Process drops legitimate windows executable

      • downloader.exe (PID: 5656)
    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 924)
    • Adds/modifies Windows certificates

      • downloader.exe (PID: 5656)
    • Application launched itself

      • downloader.exe (PID: 5656)
    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 296)
    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 296)
    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 296)
    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 1972)
    • Starts itself from another location

      • Yandex.exe (PID: 1972)
      • 360TS_Setup.exe (PID: 4988)
    • Creates a software uninstall entry

      • Yandex.exe (PID: 1972)
    • Creates file in the systems drive root

      • 360TS_Setup.exe (PID: 4424)
    • The process verifies whether the antivirus software is installed

      • 360TS_Setup.exe (PID: 4424)
    • Drops 7-zip archiver for unpacking

      • 360TS_Setup.exe (PID: 4424)
  • INFO

    • Checks supported languages

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • wot_installer.exe (PID: 5952)
      • wot_installer.tmp (PID: 1876)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • msiexec.exe (PID: 4212)
      • msiexec.exe (PID: 5160)
      • YandexPackSetup.exe (PID: 924)
      • lite_installer.exe (PID: 2064)
      • seederexe.exe (PID: 296)
      • downloader.exe (PID: 364)
      • Yandex.exe (PID: 1972)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • explorer.exe (PID: 5872)
      • sender.exe (PID: 1304)
      • 360TS_Setup.exe (PID: 4988)
      • 360TS_Setup.exe (PID: 4424)
    • Reads the machine GUID from the registry

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • msiexec.exe (PID: 4212)
      • seederexe.exe (PID: 296)
      • lite_installer.exe (PID: 2064)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Reads the computer name

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • wot_installer.tmp (PID: 1876)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • YandexPackSetup.exe (PID: 924)
      • msiexec.exe (PID: 4212)
      • msiexec.exe (PID: 5160)
      • lite_installer.exe (PID: 2064)
      • seederexe.exe (PID: 296)
      • downloader.exe (PID: 364)
      • Yandex.exe (PID: 1972)
      • explorer.exe (PID: 5872)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • sender.exe (PID: 1304)
      • 360TS_Setup.exe (PID: 4988)
      • 360TS_Setup.exe (PID: 4424)
    • Creates files in the program directory

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • 360TS_Setup.exe (PID: 4988)
      • 360TS_Setup.exe (PID: 4424)
    • Disables trace logs

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
    • Checks proxy server information

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Reads the software policy settings

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • msiexec.exe (PID: 4212)
      • lite_installer.exe (PID: 2064)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Create files in a temporary directory

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • wot_installer.tmp (PID: 1876)
      • wot_installer.exe (PID: 5952)
      • YandexPackSetup.exe (PID: 924)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • msiexec.exe (PID: 5160)
      • lite_installer.exe (PID: 2064)
      • seederexe.exe (PID: 296)
      • downloader.exe (PID: 364)
      • Yandex.exe (PID: 1972)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • sender.exe (PID: 1304)
      • 360TS_Setup.exe (PID: 4988)
      • 360TS_Setup.exe (PID: 4424)
    • The sample compiled with russian language support

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • msiexec.exe (PID: 5160)
    • Creates files or folders in the user directory

      • downloader.exe (PID: 5656)
      • wot_installer.tmp (PID: 1876)
      • msiexec.exe (PID: 5160)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
      • msiexec.exe (PID: 4212)
      • seederexe.exe (PID: 296)
      • Yandex.exe (PID: 1972)
      • explorer.exe (PID: 5872)
      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • 360TS_Setup.exe (PID: 4424)
    • Creates a software uninstall entry

      • wot_installer.tmp (PID: 1876)
    • The sample compiled with english language support

      • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (PID: 3296)
      • downloader.exe (PID: 5656)
      • 360TS_Setup_Mini_WW_Coin_CPI202236_6.6.0.1054.exe (PID: 5580)
      • lite_installer.exe (PID: 2064)
      • 360TS_Setup.exe (PID: 4424)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4212)
      • msiexec.exe (PID: 5160)
    • Manual execution by a user

      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
      • rundll32.exe (PID: 2460)
    • Local mutex for internet shortcut management

      • Yandex.exe (PID: 1972)
    • Yandex updater related mutex has been found

      • {8418477F-FAFC-47DF-B9C5-B18517987A82}.exe (PID: 2472)
    • The sample compiled with chinese language support

      • 360TS_Setup.exe (PID: 4988)
      • 360TS_Setup.exe (PID: 4424)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2105:07:11 03:43:35+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 9774080
InitializedDataSize: 176640
UninitializedDataSize: -
EntryPoint: 0x95428e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: PhotoshopInstall
FileVersion: 1.0.0.0
InternalName: PhotoshopInstall.exe
LegalCopyright: Copyright © 2025
LegalTrademarks: -
OriginalFileName: PhotoshopInstall.exe
ProductName: PhotoshopInstall
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 21
Malicious processes: 11
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown (the start node is tagged #GENERIC; "no specs" is carried over from the report):
  • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (start, #GENERIC)
  • svchost.exe
  • downloader.exe
  • wot_installer.exe
  • wot_installer.tmp
  • 360ts_setup_mini_ww_coin_cpi202236_6.6.0.1054.exe
  • yandexpacksetup.exe
  • msiexec.exe
  • msiexec.exe
  • lite_installer.exe
  • seederexe.exe
  • downloader.exe
  • yandex.exe
  • {8418477f-fafc-47df-b9c5-b18517987a82}.exe
  • explorer.exe (no specs)
  • sender.exe
  • 360ts_setup.exe
  • 360ts_setup.exe
  • msedge.exe (no specs)
  • rundll32.exe (no specs)
  • 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (no specs)

Process information

PID: 296
CMD: "C:\Users\admin\AppData\Local\Temp\7C8CC936-8CA1-4B4E-A57A-2BD1B2D5FF61\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=vn" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\admin\AppData\Local\Temp\CBE56724-3140-494A-993A-5B0CB755FBB6\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=1" "--no_opera=n"
Path: C:\Users\admin\AppData\Local\Temp\7C8CC936-8CA1-4B4E-A57A-2BD1B2D5FF61\seederexe.exe
Parent process: msiexec.exe
User: admin
Company: Yandex
Integrity Level: MEDIUM
Description: Browser Integration Module
Exit code: 0
Version: 3.7.12.0
Modules (images):
c:\users\admin\appdata\local\temp\7c8cc936-8ca1-4b4e-a57a-2bd1b2d5ff61\seederexe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 364
CMD: C:\Users\admin\AppData\Local\Temp\downloader.exe --stat dwnldr/p=28178/cnt=0/dt=3/ct=1/rt=4
Path: C:\Users\admin\AppData\Local\Temp\downloader.exe
Parent process: downloader.exe
User: admin
Integrity Level: HIGH
Description: Setup Downloader
Exit code: 0
Version: 0.1.0.33
Modules (images):
c:\users\admin\appdata\local\temp\downloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 924
CMD: "C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y VID=943"
Path: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
Parent process: downloader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Software Installer
Exit code: 0
Version: 3.0.5419.0
Modules (images):
c:\users\admin\appdata\local\temp\7f4987fb1a6e43d69e3e94b29eb75926\yandexpacksetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1304
CMD: C:\Users\admin\AppData\Local\Temp\CBE56724-3140-494A-993A-5B0CB755FBB6\sender.exe --send "/status.xml?clid=2422900-943&uuid=fe83744c-9692-490A-B19F-25F7A9A1a879&vnt=Windows 11x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A45%0A57%0A61%0A89%0A103%0A111%0A123%0A124%0A125%0A"
Path: C:\Users\admin\AppData\Local\Temp\CBE56724-3140-494A-993A-5B0CB755FBB6\sender.exe
Parent process: seederexe.exe
User: admin
Company: Yandex
Integrity Level: MEDIUM
Description: Yandex Statistics
Exit code: 0
Version: 0.0.2.14
Modules (images):
c:\users\admin\appdata\local\temp\cbe56724-3140-494a-993a-5b0cb755fbb6\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1640
CMD: "C:\Users\admin\Desktop\2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe"
Path: C:\Users\admin\Desktop\2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: PhotoshopInstall
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1664
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1752
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://photoshopinstall.ru/thanks.html
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Version: 122.0.2365.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1876
CMD: "C:\Users\admin\AppData\Local\Temp\is-20HL5.tmp\wot_installer.tmp" /SL5="$202FE,1938865,172032,C:\Users\admin\AppData\Local\Temp\wot_installer.exe" /verysilent /channel_id=35067 /iteration=9 /utm_campaign=testcampaign /link-World-of-Tanks
Path: C:\Users\admin\AppData\Local\Temp\is-20HL5.tmp\wot_installer.tmp
Parent process: wot_installer.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-20hl5.tmp\wot_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1972
CMD: C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
Path: C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe
Parent process: seederexe.exe
User: admin
Integrity Level: MEDIUM
Description: YandexPin
Exit code: 0
Version: 3.7.9.0
Modules (images):
c:\users\admin\appdata\local\yandex\yapin\yandex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2064
CMD: "C:\Users\admin\AppData\Local\Temp\DDF55C23-45A3-4432-A70C-72C7D9CF0C36\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
Path: C:\Users\admin\AppData\Local\Temp\DDF55C23-45A3-4432-A70C-72C7D9CF0C36\lite_installer.exe
Parent process: msiexec.exe
User: admin
Company: Yandex
Integrity Level: MEDIUM
Description: YandexBrowserDownloader
Exit code: 0
Version: 1.0.1.9
Modules (images):
c:\users\admin\appdata\local\temp\ddf55c23-45a3-4432-a70c-72c7d9cf0c36\lite_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 23 265
Read events: 23 078
Write events: 158
Delete events: 29

Modification events

All of the following registry writes were made by PID 3296, 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe (operation: write; format is Key\Name = Value):

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableAutoFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\FileTracingMask = (value not shown in the report)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\ConsoleTracingMask = (value not shown in the report)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\MaxFileSize = 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASAPI32\FileDirectory = %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableAutoFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RASMANCS\EnableConsoleTracing = 0
Executable files: 65
Suspicious files: 456
Text files: 247
Unknown types: 1

Dropped files

PID 3296 (2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe) dropped C:\Users\admin\AppData\Local\Temp\downloader.exe, type: executable
  MD5: B9314504E592D42CB36534415A62B3AF
  SHA256: C60C3A7D20B575FDEEB723E12A11C2602E73329DC413FC6D88F72E6F87E38B49
PID 1876 (wot_installer.tmp) dropped C:\Users\admin\AppData\Local\Links\is-KSUU5.tmp, type: image
  MD5: 6F05D1EA449BA3BFC87A28AE9F9C778D
  SHA256: C325F0525227884A8A7ECFA948BB713BFDE8D987212607B39EF6542DEC418366
PID 1876 (wot_installer.tmp) dropped C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\World of Tanks.lnk, type: binary
  MD5: 1EAA01F0746874BFC1D9F37D37B67221
  SHA256: C59AE8EFDD84ADBEEFA8C4081C24A7878A409BE21810EEFEF53768954426F2D2
PID 5656 (downloader.exe) dropped C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\seed.txt, type: text
  MD5: 4EFF0720836A198B6174EECF02CBFDBF
  SHA256: 6BEB5EB7EEFDD7DADA9588445E3B6485C1F68EAC97D0B105AA18E59ECD0F35B3
PID 3296 (2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe) dropped C:\Users\admin\AppData\Local\Temp\wot_installer.exe, type: executable
  MD5: D127ADD62E5A5A864162356C9FE35A4C
  SHA256: 4DFF5B1DCCB4CBE2DA928E952180253CE1D923D74114514EBDB43387EB4DA7A3
PID 1876 (wot_installer.tmp) dropped C:\Users\admin\AppData\Local\Temp\is-BN3IN.tmp\_isetup\_setup64.tmp, type: executable
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
PID 924 (YandexPackSetup.exe) dropped C:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi, type: not given
  MD5 / SHA256: not recorded in the report
PID 5656 (downloader.exe) dropped C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\info[1].rss, type: xml
  MD5: 1624F4A1E637E4A958CA214764AD4D02
  SHA256: 69E56887CAF622CDA9BA6380BFC46BC08BA2E80361D9B087B79BF12D40B07F75
PID 4212 (msiexec.exe) dropped C:\Windows\Installer\16a9a2.msi, type: not given
  MD5 / SHA256: not recorded in the report
PID 5656 (downloader.exe) dropped C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe, type: executable
  MD5: C5034F8DED221842C25669677CAFA482
  SHA256: 1E650073CE7EB2ED5EE322D6F1B72AE8E4FE23704FCA6F6633F9EA30B30955D9
HTTP(S) requests: 59
TCP/UDP connections: 82
DNS requests: 39
Threats: 16

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
3640 | svchost.exe | GET | 200 | 208.89.74.23:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?52cd273b07f1ae1c | unknown | whitelisted
5340 | MoUsoCoreWorker.exe | GET | 200 | 208.89.74.23:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e93ffe63a6737cbc | unknown | whitelisted
3828 | smartscreen.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
3640 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1352 | svchost.exe | GET | 200 | 184.24.77.4:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | GET | 302 | 5.45.205.241:80 | http://download.yandex.ru/yandex-pack/downloader/downloader.exe | unknown | whitelisted
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | GET | 200 | 5.45.200.105:80 | http://cachev2-fra-02.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=326 | unknown | whitelisted
5656 | downloader.exe | GET | 302 | 5.45.205.241:80 | http://download.yandex.ru/yandex-pack/downloader/info.rss | unknown | whitelisted
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | whitelisted
5656 | downloader.exe | GET | 302 | 5.45.205.243:80 | http://downloader.yandex.net/yandex-pack/28178/YandexPackSetup.exe | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3640 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 208.89.74.23:80 | ctldl.windowsupdate.com | - | US | whitelisted
5340 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5340 | MoUsoCoreWorker.exe | 208.89.74.23:80 | ctldl.windowsupdate.com | - | US | whitelisted
3640 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3828 | smartscreen.exe | 4.231.66.184:443 | checkappexec.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3828 | smartscreen.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1352 | svchost.exe | 184.24.77.24:80 | - | Akamai International B.V. | DE | unknown
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2200 | svchost.exe | 23.212.222.21:443 | fs.microsoft.com | AKAMAI-AS | AU | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.130
  • 40.126.31.1
  • 20.190.159.71
  • 40.126.31.129
  • 20.190.159.2
  • 40.126.31.2
  • 20.190.159.131
whitelisted
ctldl.windowsupdate.com
  • 208.89.74.23
  • 208.89.74.19
  • 208.89.74.27
  • 208.89.74.17
  • 208.89.74.29
  • 208.89.74.31
  • 208.89.74.21
  • 199.232.214.172
  • 199.232.210.172
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ocsp.digicert.com
  • 23.54.109.203
  • 2.23.77.188
whitelisted
checkappexec.microsoft.com
  • 4.231.66.184
whitelisted
fs.microsoft.com
  • 23.212.222.21
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
download.visualstudio.microsoft.com
  • 23.50.131.87
  • 23.50.131.80
whitelisted
download.yandex.ru
  • 5.45.205.241
  • 5.45.205.245
  • 5.45.205.243
  • 5.45.205.244
  • 5.45.205.242
whitelisted

Threats

PID | Process | Class | Message
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
1664 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
1664 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | Misc activity | ET INFO Packed Executable Download
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
5656 | downloader.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
5656 | downloader.exe | Misc activity | ET INFO Packed Executable Download
3296 | 2cf016814ff9e4568389e17d7d3f6ab16b92184d17be701bf4b50c277bfbc21e.bin.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Process | Message
YandexPackSetup.exe | IsAlreadyRun() In
YandexPackSetup.exe | GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin
YandexPackSetup.exe | GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-166304369-59083888-3082702900-1001
YandexPackSetup.exe | GetSidFromEnumSess(): i = 0 : szUserName = Administrator, szDomain = DESKTOP-BFTPUHP, dwSessionId = 0
YandexPackSetup.exe | GetSidFromEnumSess(): i = 1 : szUserName = admin, szDomain = DESKTOP-BFTPUHP, dwSessionId = 0
YandexPackSetup.exe | IsMSISrvFree() In
YandexPackSetup.exe | IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe | IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe | GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-BFTPUHP, dwSessionId = 1
YandexPackSetup.exe | IsMSISrvFree() Out ret = 1