analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

download

Full analysis: https://app.any.run/tasks/f0f3db71-ad19-43f2-9970-352f5b07afdd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 17, 2019, 15:54:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pup
installcore
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

1F11924E409AA594B0EEF5C54062D603

SHA1:

1095EFBBEEF7F05E75A441BF8762CE75B4F1F991

SHA256:

34D87947995CEC1A96E39EE438BF9825C710F952A3982813ACBA02361ADA0053

SSDEEP:

24576:12w7ClqJ/jUmTl4RcDiAqRSFrRn5qoNdO2:Uw1hjUmKAqRSFrTDb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • file_info_.exe (PID: 3208)
      • vcredist_x86.exe (PID: 2868)
      • Regsvr32.exe (PID: 3796)
      • OperaSetup.exe (PID: 3100)
      • OperaSetup.exe (PID: 3492)
      • OperaSetup.exe (PID: 4008)
      • OperaSetup.exe (PID: 2844)
      • OperaSetup.exe (PID: 3472)
      • instup.exe (PID: 2772)

    • INSTALLCORE was detected

      • file_info_.exe (PID: 3208)

    • Application was dropped or rewritten from another process

      • file_info_.exe (PID: 3208)
      • vcredist_x86.exe (PID: 2276)
      • vcredist_x86.exe (PID: 2868)
      • OperaSetup.exe (PID: 3492)
      • downloader.exe (PID: 3164)
      • OperaSetup.exe (PID: 2844)
      • OperaSetup.exe (PID: 4008)
      • OperaSetup.exe (PID: 3100)
      • OperaSetup.exe (PID: 3472)
      • downloader.exe (PID: 1428)
      • YandexPackSetup.exe (PID: 3392)
      • instup.exe (PID: 2772)
      • seederexe.exe (PID: 3428)
      • lite_installer.exe (PID: 2528)
      • sender.exe (PID: 2228)
      • avast_free_antivirus_setup_online.exe (PID: 2508)

    • Registers / Runs the DLL via REGSVR32.EXE

      • file_info_.exe (PID: 3208)

    • Changes the autorun value in the registry

      • vcredist_x86.exe (PID: 2276)

    • Downloads executable files from the Internet

      • file_info_.exe (PID: 3208)
      • downloader.exe (PID: 3164)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • file_info_.exe (PID: 3208)

    • Reads Environment values

      • file_info_.exe (PID: 3208)
      • MsiExec.exe (PID: 2408)

    • Creates files in the program directory

      • file_info_.exe (PID: 3208)
      • instup.exe (PID: 2772)
      • avast_free_antivirus_setup_online.exe (PID: 2508)
      • OperaSetup.exe (PID: 2844)

    • Reads internet explorer settings

      • file_info_.exe (PID: 3208)

    • Executable content was dropped or overwritten

      • download.exe (PID: 3892)
      • file_info_.exe (PID: 3208)
      • vcredist_x86.exe (PID: 2868)
      • downloader.exe (PID: 3164)
      • OperaSetup.exe (PID: 4008)
      • OperaSetup.exe (PID: 3492)
      • OperaSetup.exe (PID: 2844)
      • OperaSetup.exe (PID: 3472)
      • cmd.exe (PID: 3888)
      • msiexec.exe (PID: 2216)
      • avast_free_antivirus_setup_online.exe (PID: 2508)
      • MsiExec.exe (PID: 2408)
      • instup.exe (PID: 2772)

    • Reads CPU info

      • file_info_.exe (PID: 3208)

    • Searches for installed software

      • vcredist_x86.exe (PID: 2276)

    • Reads Windows Product ID

      • file_info_.exe (PID: 3208)

    • Reads the date of Windows installation

      • file_info_.exe (PID: 3208)

    • Creates a software uninstall entry

      • vcredist_x86.exe (PID: 2276)
      • file_info_.exe (PID: 3208)

    • Creates COM task schedule object

      • Regsvr32.exe (PID: 3796)

    • Creates files in the user directory

      • file_info_.exe (PID: 3208)
      • OperaSetup.exe (PID: 4008)
      • MsiExec.exe (PID: 2408)
      • lite_installer.exe (PID: 2528)
      • seederexe.exe (PID: 3428)

    • Application launched itself

      • OperaSetup.exe (PID: 3492)
      • OperaSetup.exe (PID: 2844)
      • downloader.exe (PID: 3164)
      • cmd.exe (PID: 3080)

    • Starts Internet Explorer

      • file_info_.exe (PID: 3208)

    • Starts itself from another location

      • OperaSetup.exe (PID: 3492)

    • Starts CMD.EXE for commands execution

      • file_info_.exe (PID: 3208)
      • cmd.exe (PID: 3080)

    • Low-level read access rights to disk partition

      • instup.exe (PID: 2772)
      • avast_free_antivirus_setup_online.exe (PID: 2508)

    • Reads Internet Cache Settings

      • file_info_.exe (PID: 3208)

    • Connects to server without host name

      • instup.exe (PID: 2772)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2252)

    • Reads settings of System Certificates

      • file_info_.exe (PID: 3208)
      • OperaSetup.exe (PID: 3492)

    • Application launched itself

      • iexplore.exe (PID: 3352)
      • msiexec.exe (PID: 2216)

    • Changes internet zones settings

      • iexplore.exe (PID: 3352)

    • Creates files in the user directory

      • iexplore.exe (PID: 3592)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3592)
      • iexplore.exe (PID: 3352)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3592)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3592)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:07:09 13:26:57+02:00
PEType: PE32
LinkerVersion: 12
CodeSize: 917504
InitializedDataSize: 24576
UninitializedDataSize: 1892352
EntryPoint: 0x2ad9f0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: ROSTPAY LTD.
FileDescription: FileInfo Installer
FileVersion: 1.0.0.0
InternalName: FileInfo Installer.exe
LegalCopyright: ROSTPAY LTD. All rights reserved. 2012
OriginalFileName: FileInfo Installer.exe
ProductName: FileInfo
ProductVersion: 1.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Jul-2018 11:26:57
Detected languages:
  • English - United States
  • Russian - Russia
TLS Callbacks: 1 callback(s) detected.
CompanyName: ROSTPAY LTD.
FileDescription: FileInfo Installer
FileVersion: 1.0.0.0
InternalName: FileInfo Installer.exe
LegalCopyright: ROSTPAY LTD. All rights reserved. 2012
OriginalFilename: FileInfo Installer.exe
ProductName: FileInfo
ProductVersion: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 09-Jul-2018 11:26:57
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x001CE000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x001CF000
0x000E0000
0x000DF800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99963
.rsrc
0x002AF000
0x00006000
0x00005600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.24803

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.13508
1466
UNKNOWN
English - United States
RT_MANIFEST
2
4.02187
4264
UNKNOWN
Russian - Russia
RT_ICON
3
4.73645
1128
UNKNOWN
Russian - Russia
RT_ICON
4
7.2615
308
UNKNOWN
English - United States
RT_CURSOR
5
6.90002
180
UNKNOWN
English - United States
RT_CURSOR
6
7.344
308
UNKNOWN
English - United States
RT_CURSOR
7
7.29279
308
UNKNOWN
English - United States
RT_CURSOR
8
7.31035
308
UNKNOWN
English - United States
RT_CURSOR
9
7.30868
308
UNKNOWN
English - United States
RT_CURSOR
10
7.35858
308
UNKNOWN
English - United States
RT_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
KERNEL32.DLL
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
31
Malicious processes
8
Suspicious processes
6

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start download.exe no specs download.exe #INSTALLCORE file_info_.exe vcredist_x86.exe vcredist_x86.exe vssvc.exe no specs drvinst.exe no specs regsvr32.exe no specs downloader.exe operasetup.exe operasetup.exe operasetup.exe no specs operasetup.exe iexplore.exe operasetup.exe yandexpacksetup.exe iexplore.exe downloader.exe msiexec.exe cmd.exe no specs timeout.exe no specs msiexec.exe cmd.exe cmd.exe no specs cmd.exe no specs avast_free_antivirus_setup_online.exe lite_installer.exe seederexe.exe instup.exe sender.exe installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3092"C:\Users\admin\AppData\Local\Temp\download.exe" C:\Users\admin\AppData\Local\Temp\download.exeexplorer.exe
User:
admin
Company:
ROSTPAY LTD.
Integrity Level:
MEDIUM
Description:
FileInfo Installer
Exit code:
3221226540
Version:
1.0.0.0
3892"C:\Users\admin\AppData\Local\Temp\download.exe" C:\Users\admin\AppData\Local\Temp\download.exe
explorer.exe
User:
admin
Company:
ROSTPAY LTD.
Integrity Level:
HIGH
Description:
FileInfo Installer
Exit code:
58765992
Version:
1.0.0.0
3208"C:\Users\admin\AppData\Local\Temp\file_info_.exe" /vid=6 /avastUrl="http://avast.ustab.d.avcdn.net/ustab/avast/mmm_rsp_ppi_003_462_a/avast_free_antivirus_setup_online.exe" /PidDisko="2do" /ap="22" /fusionChannel="3" /installUrl="https://api.az-partners.net/apps/file-info/install?ap=22&offers=" /uninstallUrl="https://api.az-partners.net/apps/file-info/uninstall?ap=22"C:\Users\admin\AppData\Local\Temp\file_info_.exe
download.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2276vcredist_x86.exe /q /norestartC:\Users\admin\AppData\Local\Temp\vcredist_x86.exe
file_info_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
Exit code:
0
Version:
12.0.30501.0
2868"C:\Users\admin\AppData\Local\Temp\vcredist_x86.exe" /q /norestart -burn.unelevated BurnPipe.{AA052C29-8F01-4719-9F78-71868F4B8381} {82E673A3-60A9-43E2-A60B-8AAFE8F00D46} 2276C:\Users\admin\AppData\Local\Temp\vcredist_x86.exe
vcredist_x86.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
Exit code:
0
Version:
12.0.30501.0
2252C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3792DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000550" "00000330"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3796Regsvr32.exe /s "C:\Program Files\File Info\x86\ShellExtContextMenuHandler.dll"C:\Windows\system32\Regsvr32.exefile_info_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3164C:\Users\admin\AppData\Local\Temp\downloader.exe --partner azfiles-pack --distr /quiet /msicl "YABROWSER=y YBNOLAUNCH=y ILIGHT=1 VID=6"C:\Users\admin\AppData\Local\Temp\downloader.exe
file_info_.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup Downloader
Exit code:
0
Version:
0.1.0.32
3492"C:\Users\admin\AppData\Local\Temp\ns2631FCE2\OperaSetup.exe" --silent --allusers=0C:\Users\admin\AppData\Local\Temp\ns2631FCE2\OperaSetup.exe
file_info_.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Installer
Version:
57.0.3098.116
Total events
3 794
Read events
2 614
Write events
0
Delete events
0

Modification events

No data
Executable files
50
Suspicious files
83
Text files
197
Unknown types
15

Dropped files

PID
Process
Filename
Type
3892download.exeC:\Users\admin\AppData\Local\Temp\file_info_.exe
MD5:
SHA256:
3892download.exeC:\Users\admin\AppData\Local\Temp\.txtbinary
MD5:BD28F989DC122E99DFA71567A8286085
SHA256:F4E466B458415AC1853EA6A20A406984A8B67E62F5DACEF3E69E1D7B073AAA41
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\00249878.log
MD5:
SHA256:
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsi956C.tmp\nsProcess.dllexecutable
MD5:F0438A894F3A7E01A4AAE8D1B5DD0289
SHA256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsd23983288898\css\sdk-ui\browse.csstext
MD5:6009D6E864F60AEA980A9DF94C1F7E1C
SHA256:5EF48A8C8C3771B4F233314D50DD3B5AFDCD99DD4B74A9745C8FE7B22207056D
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsd23983288898\css\sdk-ui\images\progress-bg-corner.pngimage
MD5:608F1F20CD6CA9936EAA7E8C14F366BE
SHA256:86B6E6826BCDE2955D64D4600A4E01693522C1FDDF156CE31C4BA45B3653A7BD
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsd23983288898\css\sdk-ui\images\progress-bg2.pngimage
MD5:B582D9A67BFE77D523BA825FD0B9DAE3
SHA256:AB4EEB3EA1EEF4E84CB61ECCB0BA0998B32108D70B3902DF3619F4D9393F74C3
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsi956C.tmp\System.dllexecutable
MD5:BF712F32249029466FA86756F5546950
SHA256:7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsd23983288898\css\main.csstext
MD5:9B27E2A266FE15A3AABFE635C29E8923
SHA256:166AA42BC5216C5791388847AE114EC0671A0D97B9952D14F29419B8BE3FB23F
3208file_info_.exeC:\Users\admin\AppData\Local\Temp\nsi956C.tmp\base-translate.initext
MD5:A40E6436E3A2E1E18DCAEB975002C988
SHA256:5A4E716D474EDBBFF1BDCA4C83E0B32BDFB1B88D4980B3D2A1D37F481156B8C5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
77
TCP/UDP connections
76
DNS requests
67
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3208
file_info_.exe
GET
200
209.95.37.242:80
http://img.denonnells.com/img/Rowabobeso/icon2.png
US
image
422 b
malicious
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
GET
200
72.247.178.16:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
GET
200
72.247.178.18:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgOE97R7Kmp7ssd%2BtYfGzWsWcQ%3D%3D
NL
der
527 b
whitelisted
3208
file_info_.exe
POST
200
52.214.73.247:80
http://host.denonnells.com/
IE
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
72.247.178.16:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted
72.247.178.18:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
NL
whitelisted
3892
download.exe
216.58.207.46:80
www.google-analytics.com
Google Inc.
US
whitelisted
3208
file_info_.exe
52.31.245.195:80
www4.denonnells.com
Amazon.com, Inc.
IE
malicious
3208
file_info_.exe
209.95.37.242:80
img.denonnells.com
WestHost, Inc.
US
suspicious
3892
download.exe
185.22.183.74:443
file-info.ru
JSC RetnNet
RU
suspicious
3208
file_info_.exe
52.214.73.247:80
host.denonnells.com
Amazon.com, Inc.
IE
malicious
3164
downloader.exe
5.45.205.221:80
cache-man01i.cdn.yandex.net
YANDEX LLC
RU
whitelisted
3208
file_info_.exe
185.26.182.111:80
net.geo.opera.com
Opera Software AS
whitelisted
3208
file_info_.exe
85.159.237.103:80
portal.denonnells.com
NForce Entertainment B.V.
NL
malicious

DNS requests

Domain
IP
Reputation
file-info.ru
  • 185.22.183.74
  • 185.22.183.73
malicious
isrg.trustid.ocsp.identrust.com
  • 72.247.178.16
  • 72.247.178.41
whitelisted
ocsp.int-x3.letsencrypt.org
  • 72.247.178.18
  • 72.247.178.16
whitelisted
www4.denonnells.com
  • 52.31.245.195
  • 52.214.236.246
  • 52.31.54.204
malicious
host.denonnells.com
  • 52.214.73.247
  • 54.194.149.175
malicious
img.denonnells.com
  • 209.95.37.242
malicious
net.geo.opera.com
  • 185.26.182.111
  • 185.26.182.112
whitelisted
portal.denonnells.com
  • 85.159.237.103
malicious
downloader.yandex.net
  • 5.45.205.232
  • 5.45.205.235
  • 5.45.205.234
  • 5.45.205.231
  • 5.45.205.233
whitelisted
cache-man01i.cdn.yandex.net
  • 5.45.205.221
whitelisted

Threats

PID
Process
Class
Message
3208
file_info_.exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3208
file_info_.exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3208
file_info_.exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3208
file_info_.exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
3208
file_info_.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3208
file_info_.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3164
downloader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1428
downloader.exe
Attempted Information Leak
ET POLICY curl User-Agent Outbound
2528
lite_installer.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2528
lite_installer.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Process
Message
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
YandexPackSetup.exe
GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = USER-PC, dwSessionId = 1
YandexPackSetup.exe
GetSidFromEnumSess(): i = 0 : szUserName = Administrator, szDomain = USER-PC, dwSessionId = 0
YandexPackSetup.exe
GetSidFromEnumSess(): ProfileImagePath(1) = C:\Users\admin
YandexPackSetup.exe
GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1302019708-1500728564-335382590-1000
YandexPackSetup.exe
GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = USER-PC, dwSessionId = 1
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
download