File name: Y95 Keyboard Setup v2.0 20240228.exe

Full analysis: https://app.any.run/tasks/91db712c-564d-4521-9235-219b6422227b
Verdict: Malicious activity
Analysis date: May 06, 2024, 06:14:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 39434144621E7AD7B4D4A403E694CDAF
SHA1: 44DED35CECBB94E7914C1400F0F1CF1918671DEB
SHA256: 75CBE0A741758D9C45F00AFC5B119DDDB8BF43BBC4CBB93755865595C1858407
SSDEEP: 98304:OZGLovyJlsZk/NjcXD8ebHlAKYrWgzskloLeYPJ6q3Y48XpWsk5jJjPUepPN6fsb:c/Ql6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Y95 Keyboard Setup v2.0 20240228.exe (PID: 4076)
      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Y95 Keyboard Setup v2.0 20240228.exe (PID: 4076)
      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
    • Process drops legitimate windows executable

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
    • Reads the Windows owner or organization settings

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
    • Blank space has been found in the path

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
  • INFO

    • Create files in a temporary directory

      • Y95 Keyboard Setup v2.0 20240228.exe (PID: 4076)
      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
    • Checks supported languages

      • Y95 Keyboard Setup v2.0 20240228.exe (PID: 4076)
      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
      • OemDrv.exe (PID: 112)
    • Reads the computer name

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
      • OemDrv.exe (PID: 112)
    • Creates files in the program directory

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
    • Creates files or folders in the user directory

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
    • Creates a software uninstall entry

      • Y95 Keyboard Setup v2.0 20240228.tmp (PID: 4092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:08:15 19:29:32+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 86016
InitializedDataSize: 60416
UninitializedDataSize: -
EntryPoint: 0x163c4
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion:
LegalCopyright:
ProductName:
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process graph (interactive; see the full report): start; y95 keyboard setup v2.0 20240228.exe; y95 keyboard setup v2.0 20240228.tmp; oemdrv.exe (no specs); y95 keyboard setup v2.0 20240228.exe (no specs)

Process information

PID: 112
CMD: "C:\Program Files\Y95 Keyboard\OemDrv.exe"
Path: C:\Program Files\Y95 Keyboard\OemDrv.exe
Indicators:
Parent process: Y95 Keyboard Setup v2.0 20240228.tmp
User: admin
Integrity Level: HIGH
Version: 1, 0, 0, 0
Modules (images):
  c:\program files\y95 keyboard\oemdrv.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\msimg32.dll

PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\Y95 Keyboard Setup v2.0 20240228.exe"
Path: C:\Users\admin\AppData\Local\Temp\Y95 Keyboard Setup v2.0 20240228.exe
Indicators:
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description:
Exit code: 3221226540 (0xC000042C)
Version:
Modules (images):
  c:\users\admin\appdata\local\temp\y95 keyboard setup v2.0 20240228.exe
  c:\windows\system32\ntdll.dll

PID: 4076
CMD: "C:\Users\admin\AppData\Local\Temp\Y95 Keyboard Setup v2.0 20240228.exe"
Path: C:\Users\admin\AppData\Local\Temp\Y95 Keyboard Setup v2.0 20240228.exe
Indicators:
Parent process: explorer.exe
User: admin
Company:
Integrity Level: HIGH
Description:
Exit code: 0
Version:
Modules (images):
  c:\users\admin\appdata\local\temp\y95 keyboard setup v2.0 20240228.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 4092
CMD: "C:\Users\admin\AppData\Local\Temp\is-JM7IH.tmp\Y95 Keyboard Setup v2.0 20240228.tmp" /SL5="$30138,1846747,140800,C:\Users\admin\AppData\Local\Temp\Y95 Keyboard Setup v2.0 20240228.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-JM7IH.tmp\Y95 Keyboard Setup v2.0 20240228.tmp
Indicators:
Parent process: Y95 Keyboard Setup v2.0 20240228.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1048.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-jm7ih.tmp\y95 keyboard setup v2.0 20240228.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
Total events: 2 790
Read events: 2 776
Write events: 14
Delete events: 0

Modification events

All entries below were written by PID 4092 (Y95 Keyboard Setup v2.0 20240228.tmp), operation: write, under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{24C677DA-BB04-46ED-A9C0-F2479B087503}_is1

Name | Value
Inno Setup: Setup Version | 5.3.4 (u)
Inno Setup: App Path | C:\Program Files\Y95 Keyboard
InstallLocation | C:\Program Files\Y95 Keyboard\
Inno Setup: Icon Group | Y95 Keyboard
Inno Setup: User | admin
DisplayName | Y95 Keyboard
UninstallString | "C:\Program Files\Y95 Keyboard\unins000.exe"
QuietUninstallString | "C:\Program Files\Y95 Keyboard\unins000.exe" /SILENT
DisplayVersion | 2.0
NoModify | 1
Executable files: 11
Suspicious files: 5
Text files: 264
Unknown types: 0

Dropped files

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\is-2CN8C.tmp
Type:
MD5:
SHA256:

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\skins\bar_ov.png
Type: image
MD5: F2D89DA5DF2B6905E9AEA92A8FFA9BFB
SHA256: 39ABBC4504208A3DDFD2242EF3E336F42B869C1B1D6AEB7E8E1CBB7936638470

PID: 4076
Process: Y95 Keyboard Setup v2.0 20240228.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-JM7IH.tmp\Y95 Keyboard Setup v2.0 20240228.tmp
Type: executable
MD5: A4CB46C715D6E7B72755EAB92123A3EA
SHA256: 686699D59606CD7D2253DFF2C92003380361F00B168305E959E66BAB9BC725C0

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\skins\is-UD753.tmp
Type: image
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\is-381G9.tmp
Type: executable
MD5: BFC62858909B3BB6607C20921E7C18F2
SHA256: C008C5F1A87E020EEFB36B676B88B6A11830BB1286AE3AE6E8E3860B0C0EC3F1

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-99DJA.tmp\InitSetup.dll
Type: executable
MD5: 3BB4A9FD05F14CC833291F7332565843
SHA256: 72F5CFE575253EAFF31E27CE8F70B4CAAA079D2C42A4130515EECF7F0967115D

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\unins000.exe
Type: executable
MD5: BFC62858909B3BB6607C20921E7C18F2
SHA256: C008C5F1A87E020EEFB36B676B88B6A11830BB1286AE3AE6E8E3860B0C0EC3F1

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\skins\is-N9E9R.tmp
Type: image
MD5: 979C24742E891539F49A8EC7DD43C25A
SHA256: 7EFDA788FE9761722750AD5EB8B7957BC8128E517981AD0E00F4F668DC0915D9

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\skins\audio_bar.png
Type: image
MD5: 7F6993CD644D8EC5D6766613B4BBFB10
SHA256: 7FC2904D8EBF6270D0927A2F087949E31F65EF5D34A2A1FDA9CB4B477E764301

PID: 4092
Process: Y95 Keyboard Setup v2.0 20240228.tmp
Filename: C:\Program Files\Y95 Keyboard\skins\bar_nr.png
Type: image
MD5: 979C24742E891539F49A8EC7DD43C25A
SHA256: 7EFDA788FE9761722750AD5EB8B7957BC8128E517981AD0E00F4F668DC0915D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted

DNS requests

No data

Threats

No threats detected
Process | Message
Y95 Keyboard Setup v2.0 20240228.tmp | InitSetup: AppData Path = C:\Program Files\Y95 Keyboard\skins.
Y95 Keyboard Setup v2.0 20240228.tmp | InitSetup: AppData Path Not Exists.
Y95 Keyboard Setup v2.0 20240228.tmp | InitSetup: AppData Path Not Exists.
Y95 Keyboard Setup v2.0 20240228.tmp | InitSetup: Remove Folder OK.
Y95 Keyboard Setup v2.0 20240228.tmp | InitSetup: AppData Path = C:\Program Files\Y95 Keyboard\Dev.