Malware analysis tanki_install_ru_dfvzlkydtml3.exe Malicious activity

Add for printing

File name:	tanki_install_ru_dfvzlkydtml3.exe
Full analysis:	https://app.any.run/tasks/ca3a4db1-cfcf-4a94-885c-216d6f80d13d
Verdict:	Malicious activity
Analysis date:	April 07, 2026, 12:38:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi bittorrent
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 10 sections
MD5:	82EABA23CCE56985AAAB0AE9DD2DF41C
SHA1:	BC7737D3DD5247C10BE408E8CF74D3ED52F79FD9
SHA256:	2DEEDF4DCA8F0B89208CCEB5B59328EDC61222120031CAA43865666BD8793CC6
SSDEEP:	98304:Cg0N1J0lggzrgeIdHUPOJdDZSgDqrtpgmWu4Z+wEBG5unsE98gFzYC+1igM0mn7r:CwzBoL29

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - lgc.exe (PID: 7420)
SUSPICIOUS
- Reads the Windows owner or organization settings
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
- Application launched itself
  - lgc.exe (PID: 6592)
  - lgc.exe (PID: 8176)
- Executable content was dropped or overwritten
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
- The process creates files with name similar to system file names
  - 7za.exe (PID: 8176)
- Searches for installed software
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - lgc.exe (PID: 7420)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
- The process executes files with name similar to system file names
  - lgc.exe (PID: 7420)
- Potential Corporate Privacy Violation
  - lgc.exe (PID: 7420)
INFO
- Checks supported languages
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - tanki_install_ru_dfvzlkydtml3.exe (PID: 7596)
  - 7za.exe (PID: 4112)
  - lgc.exe (PID: 6592)
  - LestaErrorMonitor.exe (PID: 4656)
  - 7za.exe (PID: 8176)
  - lgc.exe (PID: 7420)
  - lgc_renderer_host.exe (PID: 7204)
  - helper_process.exe (PID: 2132)
  - lgc_renderer_host.exe (PID: 7560)
  - lgc_renderer_host.exe (PID: 4308)
  - lgc.exe (PID: 8060)
  - lgc.exe (PID: 8176)
  - LestaErrorMonitor.exe (PID: 7508)
  - helper_process.exe (PID: 1280)
  - helper_process.exe (PID: 6092)
  - helper_process.exe (PID: 552)
- Create files in a temporary directory
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - tanki_install_ru_dfvzlkydtml3.exe (PID: 7596)
  - dxdiag.exe (PID: 5696)
- Process checks whether UAC notifications are on
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - helper_process.exe (PID: 2132)
- Reads the computer name
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - 7za.exe (PID: 8176)
  - 7za.exe (PID: 4112)
  - lgc_renderer_host.exe (PID: 7204)
  - LestaErrorMonitor.exe (PID: 4656)
  - lgc.exe (PID: 7420)
  - lgc_renderer_host.exe (PID: 4308)
  - helper_process.exe (PID: 2132)
  - LestaErrorMonitor.exe (PID: 7508)
  - helper_process.exe (PID: 552)
  - lgc.exe (PID: 8060)
  - helper_process.exe (PID: 6092)
  - helper_process.exe (PID: 1280)
- Reads security settings of Internet Explorer
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - dxdiag.exe (PID: 5696)
- Process checks computer location settings
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - lgc_renderer_host.exe (PID: 7560)
  - lgc.exe (PID: 7420)
- Compiled with Borland Delphi (YARA)
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
- There is functionality for taking screenshot (YARA)
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
- Creates a software uninstall entry
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - lgc.exe (PID: 7420)
  - lgc.exe (PID: 8060)
- Creates files or folders in the user directory
  - tanki_install_ru_dfvzlkydtml3.tmp (PID: 7804)
  - lgc.exe (PID: 7420)
  - dxdiag.exe (PID: 5696)
- Launching a file from a Registry key
  - lgc.exe (PID: 7420)
- Reads the machine GUID from the registry
  - lgc.exe (PID: 7420)
  - lgc_renderer_host.exe (PID: 4308)
- Manual execution by a user
  - lgc.exe (PID: 8176)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 EXE PECompact compressed (generic) (79.7)
.exe	\|	Win32 Executable (generic) (8.6)
.exe	\|	Win16/32 Executable Delphi generic (3.9)
.exe	\|	Generic Win/DOS Executable (3.8)
.exe	\|	DOS Executable Generic (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:06:23 15:10:45+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, No debug, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	139776
InitializedDataSize:	221696
UninitializedDataSize:	-
EntryPoint:	0x235e0
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	25.3.0.944
ProductVersionNumber:	25.3.0.944
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	©2022-2025 Lesta Games Agency, LLC
FileDescription:	Lesta Game Center
FileVersion:	25.03.00.0944
LegalCopyright:	© Леста Игры, 2022–2025. Все права защищены.
ProductName:	Lesta Game Center
ProductVersion:	25.03.00.0944

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

160

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

552

"C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe" helper_2E86265942AF7E6C47DFAB8ECF5B0EE5 1

C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe

—

lgc.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Lesta Game Center

Exit code:

Version:

26.00.02.1046

Modules

Images
c:\programdata\lesta\gamecenter\dlls\helper_process.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

1280

"C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe" helper_641086078A6F2A7FBCF9E4C6EE3E7ACC 1

C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe

—

lgc.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Lesta Game Center

Exit code:

Version:

26.00.02.1046

Modules

Images
c:\programdata\lesta\gamecenter\dlls\helper_process.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

1296

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

lgc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1776

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2132

"C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe" helper_7E0D4237AF8F147B84DE421CCE3FAB03 2

C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe

—

lgc.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Lesta Game Center

Exit code:

Version:

26.00.02.1046

Modules

Images
c:\programdata\lesta\gamecenter\dlls\helper_process.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

4112

"C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\7za.exe" t "C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\WGCArchive7z0

C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\7za.exe

—

tanki_install_ru_dfvzlkydtml3.tmp

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip Standalone Console

Exit code:

Version:

16.04

Modules

Images
c:\users\admin\appdata\local\temp\is-6qepv.tmp\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

4308

"C:\ProgramData\Lesta\GameCenter\dlls\lgc_renderer_host.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,142123819918813749,5140203798144156154,131072 --enable-features=CastMediaRouteProvider --disable-features=CookiesWithoutSameSiteMustBeSecure,OutOfBlinkCors,SameSiteByDefaultCookies,WebRtcHideLocalIpsWithMdns --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\ProgramData\Lesta\GameCenter\logs\cef_20260407_083849_706.log" --log-severity=info --product-version="Chrome/84.0.4147.105 LGC/26.00.02.1046" --lang=en-US --log-file="C:\ProgramData\Lesta\GameCenter\logs\cef_20260407_083849_706.log" --mojo-platform-channel-handle=2584 /prefetch:8

C:\ProgramData\Lesta\GameCenter\dlls\lgc_renderer_host.exe

lgc.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Lesta Game Center

Version:

26.00.02.1046

Modules

Images
c:\programdata\lesta\gamecenter\dlls\lgc_renderer_host.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

4656

"C:\ProgramData\Lesta\GameCenter\LestaErrorMonitor.exe" --pipe "parent_pid_74209e181754-b8f6-43da-82da-a44199e616d2" --superuserid "lgc" --self_crash_handling_folder "C:\ProgramData\Lesta\GameCenter\cat" --self_crash_handling_receiver_url "https://cat-lgc.lstprod.net" --log_files_max_count 5

C:\ProgramData\Lesta\GameCenter\LestaErrorMonitor.exe

lgc.exe

User:

admin

Company:

Lesta Games

Integrity Level:

MEDIUM

Description:

Lesta Games Error Monitor

Version:

04.00.03.0026

Modules

Images
c:\programdata\lesta\gamecenter\lestaerrormonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

5696

C:\WINDOWS\SysWOW64\dxdiag /dontskip /whql:off /t C:\Users\admin\AppData\Local\Temp\dxdiag.txt

C:\Windows\SysWOW64\dxdiag.exe

—

helper_process.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft DirectX Diagnostic Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6092

"C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe" helper_6162091736FC70E90F7C840D0C5E3523 1

C:\ProgramData\Lesta\GameCenter\dlls\helper_process.exe

—

lgc.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Lesta Game Center

Version:

26.00.02.1046

Modules

Images
c:\programdata\lesta\gamecenter\dlls\helper_process.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

Add for printing

Total events

13 931

Read events

13 747

Write events

167

Delete events

Modification events


(PID) Process:	(7668) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(4656) LestaErrorMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lesta Games\Error Monitor
Operation:	write	Name:	hardware_id
Value: 85486807-5e2b-4234-8d1e-f6c2b034d39d
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lesta Game Center
Operation:	write	Name:	Lesta Game Center
Value: Lesta Game Center
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lesta Game Center
Operation:	write	Name:	DisplayName
Value: Lesta Game Center
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lesta Game Center
Operation:	write	Name:	Publisher
Value: Lesta Games
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lesta Game Center
Operation:	write	Name:	DisplayIcon
Value: C:\ProgramData\Lesta\GameCenter\lgc.exe,0
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lesta Game Center
Operation:	write	Name:	UninstallString
Value: "C:\ProgramData\Lesta\GameCenter\setup.exe" /IU
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lesta Game Center
Operation:	write	Name:	EstimatedSize
Value: 368640
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CLASSES_ROOT\lgc
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(7804) tanki_install_ru_dfvzlkydtml3.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation:	write	Name:	C:\ProgramData\Lesta\GameCenter\dlls\lgc_renderer_host.exe
Value: ~ HIGHDPIAWARE

Add for printing

Executable files

Suspicious files

Text files

Unknown types

396

Dropped files

PID	Process	Filename		Type
7596	tanki_install_ru_dfvzlkydtml3.exe	C:\Users\admin\AppData\Local\Temp\is-V8BHI.tmp\tanki_install_ru_dfvzlkydtml3.tmp		binary
		MD5:F2C2985F71D70AC02586DC7B627486D8	SHA256:884F8E08FE053F4FA199A9A1811C2423A8D117862BBB0E1D24947BFB1DBFF390
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\_isetup\_setup64.tmp		binary
		MD5:526426126AE5D326D0A24706C77D8C5C	SHA256:B20A8D88C550981137ED831F2015F5F11517AEB649C29642D9D61DEA5EBC37D1
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\ProgramData\Lesta\GameCenter\data\lgc_tracking_id.dat		binary
		MD5:46842DF0B47ED8B496873DB785AD4A65	SHA256:3AEC86DEB1D2B1FDB5C2D1052E94F2EDB74893B18073A6E999043C09863D4DCB
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\ProgramData\Lesta\GameCenter\data\preset_application_id.dat		binary
		MD5:420EAA4A19AAB1B6B142F27F3E2B960B	SHA256:7255D0F2EAA49EA5DBCCCBD0A80AD93E6D62B91F306E57AF314F686478F9EA09
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\_isetup\_shfoldr.dll		binary
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\title_icon_100.png		binary
		MD5:0892CD24944E40C1DFB4BDEB830D76A2	SHA256:6E06108552B531C505B8A18B9A4DC329523491B0AEF7AF2755743237FE9951A9
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\InnoXmlParser.dll		binary
		MD5:8CD819262956F59BC3D983C24938F961	SHA256:116FC72B550314843110757446E9CAE11F80D89A608D405FF4AA8B80F5C04E51
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\style_100.vsf		binary
		MD5:F131394D6A272A978A54096071EB2D7D	SHA256:9DC1C71B59A6D33F5A1F7279B2DB69465F06121DF77CA11EF598044879DF4A0D
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\art_MT_100.png		binary
		MD5:8A88D597BC343865576F273C5324B0A4	SHA256:CBE255D66B93724D52AA2BDD47075DB25C0775A9C260C56463F128913C2C05BC
7804	tanki_install_ru_dfvzlkydtml3.tmp	C:\Users\admin\AppData\Local\Temp\is-6QEPV.tmp\VclStylesinno.dll		binary
		MD5:E13B9909BF943B66714A85EF6645C4D6	SHA256:D20909FE85F3A1B43A48E529BB35A69F4D0D1CD09FEE9E16AFEBA03397A3AD78

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

1 129

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7804	tanki_install_ru_dfvzlkydtml3.tmp	GET	—	193.17.93.193:443	https://lds.lesta.ru/lgc/prod/lgc_26.00.02.1046_ru/lgc_26.00.02.1046_win32.dspkg	RU	—	—	unknown
7804	tanki_install_ru_dfvzlkydtml3.tmp	POST	200	92.223.33.249:80	http://lstusst-lgcru.lesta.ru/v2/wgc_download_finish_v1	RU	—	—	unknown
7804	tanki_install_ru_dfvzlkydtml3.tmp	POST	200	92.223.33.249:80	http://lstusst-lgcru.lesta.ru/v2/wgc_install_start_v1	RU	—	—	unknown
7804	tanki_install_ru_dfvzlkydtml3.tmp	POST	200	92.223.33.249:80	http://lstusst-lgcru.lesta.ru/v2/wgc_install_finish_v1	RU	—	—	unknown
—	—	GET	200	23.11.41.157:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D	NL	binary	313 b	whitelisted
5316	svchost.exe	POST	200	20.190.160.130:443	https://login.live.com/RST2.srf	US	binary	1.24 Kb	whitelisted
7804	tanki_install_ru_dfvzlkydtml3.tmp	POST	200	92.223.33.249:80	http://lstusst-lgcru.lesta.ru/v2/wgc_installer_launch_v1	RU	—	—	unknown
—	—	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D	US	binary	959 b	whitelisted
5316	svchost.exe	POST	400	20.190.160.130:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	binary	203 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	304	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5276	MoUsoCoreWorker.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
7380	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5532	SearchApp.exe	92.123.104.33:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
3044	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	23.11.41.157:80	ocsp.digicert.com	AKAMAI-AMS	NL	whitelisted
—	—	204.79.197.203:80	oneocsp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7804	tanki_install_ru_dfvzlkydtml3.tmp	92.223.33.249:80	lstusst-lgcru.lesta.ru	EDGECENTERLLC	RU	unknown
5316	svchost.exe	20.190.160.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
www.bing.com	92.123.104.33 92.123.104.41 92.123.104.47 92.123.104.45 92.123.104.52 92.123.104.34 92.123.104.39 92.123.104.50 92.123.104.37	whitelisted
google.com	142.250.154.138 142.250.154.100 142.250.154.113 142.250.154.139 142.250.154.102 142.250.154.101	whitelisted
ocsp.digicert.com	23.11.41.157	whitelisted
oneocsp.microsoft.com	204.79.197.203	whitelisted
lstusst-lgcru.lesta.ru	92.223.33.249 92.223.33.248	unknown
redirect.lesta.ru	92.223.34.22	whitelisted
login.live.com	20.190.160.130 20.190.160.20 40.126.32.136 20.190.160.131 20.190.160.2 40.126.32.134 40.126.32.140 20.190.160.66	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
ocsp2.globalsign.com	151.101.2.133 151.101.194.133 151.101.130.133 151.101.66.133	whitelisted

Threats

PID	Process	Class	Message
3044	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7420	lgc.exe	Misc activity	INFO [ANY.RUN] P2P BitTorrent Protocol
7420	lgc.exe	Potential Corporate Privacy Violation	GPL P2P BitTorrent announce request
7420	lgc.exe	Potential Corporate Privacy Violation	ET P2P Libtorrent User-Agent
7420	lgc.exe	Potential Corporate Privacy Violation	ET P2P Libtorrent User-Agent
7420	lgc.exe	Potential Corporate Privacy Violation	ET P2P Libtorrent User-Agent
7420	lgc.exe	Potential Corporate Privacy Violation	GPL P2P BitTorrent announce request
7420	lgc.exe	Potential Corporate Privacy Violation	ET P2P Libtorrent User-Agent
7420	lgc.exe	Potential Corporate Privacy Violation	ET P2P Libtorrent User-Agent
7420	lgc.exe	Potential Corporate Privacy Violation	ET P2P Libtorrent User-Agent

Add for printing

Process	Message
lgc.exe	[0407/083850.370:INFO:CONSOLE(1)] "[FE][onLoadContent] injectScrollStyles: insert scroll styles to WGC", source: (1)
lgc.exe	[0407/083850.638:INFO:CONSOLE(1)] "[webChannel] connection established.", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.639:INFO:CONSOLE(1)] "%c[React][initAppTransport] Running script with autotests, autotestSource = lgc color: green", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.666:INFO:CONSOLE(1)] "[PostMessageService] init: start listening messages", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.666:INFO:CONSOLE(1)] "[PostMessageService] init: trustedUrls list [https://tanki.su,https://korabli.su,https://surveys.lesta.games,https://survey.lesta.games]", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.708:INFO:CONSOLE(1)] "%c[React][AppInstallationMonitor] render: appInstallation is empty; ignore color: #cecece", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.711:INFO:CONSOLE(1)] "%c[React][GroupsMonitor] render: selectedGroup or activeGroupId is empty; ignore color: #cecece", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.713:INFO:CONSOLE(1)] "%c[React][GroupsMonitor] cdm: activeGroupId = color: darkcyan", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.714:INFO:CONSOLE(1)] "%c[React][WaitingProvider] cdm: status = 0, message = 'Waiting for response from server...' color: darkcyan", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)
lgc.exe	[0407/083850.716:INFO:CONSOLE(1)] "%c[React][AppInstallationMonitor] render: appInstallation is empty; ignore color: #cecece", source: qrc:/ui/gc.16d791d6aeffbc53fcac.js (1)

General Info

tanki_install_ru_dfvzlkydtml3.exe

82EABA23CCE56985AAAB0AE9DD2DF41C

BC7737D3DD5247C10BE408E8CF74D3ED52F79FD9

2DEEDF4DCA8F0B89208CCEB5B59328EDC61222120031CAA43865666BD8793CC6

98304:Cg0N1J0lggzrgeIdHUPOJdDZSgDqrtpgmWu4Z+wEBG5unsE98gFzYC+1igM0mn7r:CwzBoL29

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Reads the Windows owner or organization settings

Application launched itself

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Searches for installed software

Uses NETSH.EXE to add a firewall rule or allowed programs

The process executes files with name similar to system file names

Potential Corporate Privacy Violation

INFO

Checks supported languages

Create files in a temporary directory

Process checks whether UAC notifications are on

Reads the computer name

Reads security settings of Internet Explorer

Process checks computer location settings

Compiled with Borland Delphi (YARA)

There is functionality for taking screenshot (YARA)

Creates a software uninstall entry

Creates files or folders in the user directory

Launching a file from a Registry key

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings