File name:

YandexDisk30Setup (2).exe

Full analysis: https://app.any.run/tasks/4d19d204-ad77-4775-8be3-5744ae85a9d4
Verdict: Malicious activity
Analysis date: February 21, 2025, 07:49:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
obfuscated-js
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

C46F2C77578FC2D063AED9B2F0F93FC6

SHA1:

426FDD47D03BC41AD49298597F9DABE68489A872

SHA256:

9C0D410726690EB6A61E5AB4A2271226515144D475836F5863F0AFBCCCC17BEC

SSDEEP:

98304:szs00prqcvT4dYC1RgB7PSHD4OP8cv2GllillSigNVh3pui43gSh/CJl7UotNUH:GRZ2g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Changes the autorun value in the registry

      • YandexDisk2.exe (PID: 2072)
      • YandexDisk2.exe (PID: 6364)
      • YandexDisk2.exe (PID: 7212)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • YandexDisk30Setup_x64.exe (PID: 7164)
      • StartMenuExperienceHost.exe (PID: 7056)
      • YandexDisk2.exe (PID: 6364)
    • Checks Windows Trust Settings

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • YandexDisk2.exe (PID: 6364)
    • Reads the date of Windows installation

      • YandexDisk30Setup_x64.exe (PID: 7008)
      • StartMenuExperienceHost.exe (PID: 7056)
    • Application launched itself

      • YandexDisk30Setup_x64.exe (PID: 7008)
      • YandexDisk30Setup (2).exe (PID: 6464)
    • Drops 7-zip archiver for unpacking

      • YandexDisk30Setup_x64.exe (PID: 7008)
    • Executable content was dropped or overwritten

      • YandexDisk30Setup_x64.exe (PID: 7008)
      • 7za.exe (PID: 1224)
      • 7za.exe (PID: 6308)
      • 7za.exe (PID: 6256)
      • 7za.exe (PID: 1856)
      • 7za.exe (PID: 1520)
      • 7za.exe (PID: 1476)
      • 7za.exe (PID: 3696)
      • 7za.exe (PID: 5684)
      • 7za.exe (PID: 6248)
      • 7za.exe (PID: 2972)
    • Process drops SQLite DLL files

      • 7za.exe (PID: 3696)
      • YandexDisk30Setup_x64.exe (PID: 7008)
    • Creates a software uninstall entry

      • YandexDisk30Setup_x64.exe (PID: 7008)
    • Creates/Modifies COM task schedule object

      • YandexDisk30Setup_x64.exe (PID: 7008)
    • Starts itself from another location

      • YandexDisk30Setup_x64.exe (PID: 7008)
  • INFO

    • The sample was compiled with Russian language support

      • YandexDisk30Setup (2).exe (PID: 6464)
      • 7za.exe (PID: 6248)
      • YandexDisk30Setup_x64.exe (PID: 7008)
    • Checks supported languages

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • YandexDisk30Setup_x64.exe (PID: 7164)
      • 7za.exe (PID: 1856)
      • 7za.exe (PID: 3260)
      • 7za.exe (PID: 1520)
      • 7za.exe (PID: 1224)
      • 7za.exe (PID: 6308)
      • 7za.exe (PID: 6256)
      • 7za.exe (PID: 6632)
      • 7za.exe (PID: 1476)
      • 7za.exe (PID: 3696)
      • 7za.exe (PID: 5684)
      • 7za.exe (PID: 4512)
      • 7za.exe (PID: 5316)
      • 7za.exe (PID: 2324)
      • 7za.exe (PID: 6936)
      • 7za.exe (PID: 7148)
      • 7za.exe (PID: 3680)
      • 7za.exe (PID: 6204)
      • 7za.exe (PID: 6348)
      • 7za.exe (PID: 6232)
      • 7za.exe (PID: 6176)
      • 7za.exe (PID: 6248)
      • 7za.exe (PID: 2972)
      • 7za.exe (PID: 6440)
      • YandexDisk2.exe (PID: 2072)
      • StartMenuExperienceHost.exe (PID: 7056)
      • TextInputHost.exe (PID: 6968)
      • SearchApp.exe (PID: 6304)
      • YandexNotes.exe (PID: 4052)
      • YandexDisk30Setup (2).exe (PID: 4112)
      • YandexDisk2.exe (PID: 6364)
      • YandexDisk2.exe (PID: 7212)
      • YandexDisk3Installer-5081.exe (PID: 6880)
      • YandexNotes.exe (PID: 7392)
    • Creates files in the program directory

      • YandexDisk30Setup (2).exe (PID: 6464)
    • Creates files or folders in the user directory

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • YandexDisk30Setup (2).exe (PID: 4112)
      • YandexDisk2.exe (PID: 6364)
    • Reads the computer name

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • YandexDisk30Setup_x64.exe (PID: 7164)
      • SearchApp.exe (PID: 6304)
      • StartMenuExperienceHost.exe (PID: 7056)
      • TextInputHost.exe (PID: 6968)
      • YandexDisk3Installer-5081.exe (PID: 6880)
      • YandexDisk2.exe (PID: 6364)
    • Reads the machine GUID from the registry

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • SearchApp.exe (PID: 6304)
      • YandexDisk30Setup (2).exe (PID: 4112)
      • YandexDisk2.exe (PID: 6364)
    • Checks proxy server information

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • SearchApp.exe (PID: 6304)
      • explorer.exe (PID: 6096)
      • YandexDisk2.exe (PID: 6364)
    • Reads the software policy settings

      • YandexDisk30Setup (2).exe (PID: 6464)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • SearchApp.exe (PID: 6304)
      • YandexDisk2.exe (PID: 6364)
      • explorer.exe (PID: 6096)
    • Process checks computer location settings

      • YandexDisk30Setup_x64.exe (PID: 7008)
      • StartMenuExperienceHost.exe (PID: 7056)
      • SearchApp.exe (PID: 6304)
      • YandexDisk30Setup (2).exe (PID: 4112)
    • The sample was compiled with English language support

      • YandexDisk30Setup_x64.exe (PID: 7008)
      • 7za.exe (PID: 1520)
      • 7za.exe (PID: 1856)
      • 7za.exe (PID: 6308)
      • 7za.exe (PID: 6256)
      • 7za.exe (PID: 1476)
      • 7za.exe (PID: 3696)
      • 7za.exe (PID: 5684)
    • Creates files in a temporary directory

      • 7za.exe (PID: 3260)
      • 7za.exe (PID: 1520)
      • YandexDisk30Setup_x64.exe (PID: 7008)
      • 7za.exe (PID: 1856)
      • 7za.exe (PID: 6308)
      • 7za.exe (PID: 6256)
      • 7za.exe (PID: 1224)
      • 7za.exe (PID: 6632)
      • 7za.exe (PID: 3696)
      • 7za.exe (PID: 4512)
      • 7za.exe (PID: 1476)
      • 7za.exe (PID: 6936)
      • 7za.exe (PID: 3680)
      • 7za.exe (PID: 7148)
      • 7za.exe (PID: 6204)
      • 7za.exe (PID: 6232)
      • 7za.exe (PID: 6348)
      • 7za.exe (PID: 5684)
      • 7za.exe (PID: 2324)
      • 7za.exe (PID: 5316)
      • 7za.exe (PID: 6176)
      • 7za.exe (PID: 2972)
      • 7za.exe (PID: 6440)
      • 7za.exe (PID: 6248)
    • Failed to create an executable file in Windows directory

      • YandexDisk30Setup_x64.exe (PID: 7008)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 6096)
    • Reads Environment values

      • SearchApp.exe (PID: 6304)
    • Application launched itself

      • msedge.exe (PID: 7636)
      • msedge.exe (PID: 5144)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:31 14:08:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 2677760
InitializedDataSize: 1552384
UninitializedDataSize: -
EntryPoint: 0x211f6d
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.2.41.5053
ProductVersionNumber: 3.2.41.5053
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Яндекс
FileDescription: YandexDiskSetup
FileVersion: 3.2.41.5053
InternalName: YandexDiskSetup
LegalCopyright: © 2016-2024 ООО "ЯНДЕКС"
OriginalFileName: YandexDiskSetup.exe
ProductName: Яндекс.Диск
ProductVersion: 3.2.41.5053
Tag040904B0: -
Tag041F04B0: -
No data.
All screenshots are available in the full report
Total processes
241
Monitored processes
108
Malicious processes
2
Suspicious processes
4

Process information

PID
CMD
Path
Indicators
Parent process
PID:
536
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
848
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1224
CMD:
"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe" x "C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\libcairo-2.dll.zip" -aoa -o"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356"
Path:
C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe
Parent process:
YandexDisk30Setup_x64.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Standalone Console
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\yandexdisk-aa49a50aad3745388a1bd7933848c356\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1224
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1476
CMD:
"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe" x "C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\YandexNotes.exe.zip" -aoa -o"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356"
Path:
C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe
Parent process:
YandexDisk30Setup_x64.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Standalone Console
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\yandexdisk-aa49a50aad3745388a1bd7933848c356\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1520
CMD:
"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe" x "C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\YandexDisk3ShellExt.dll.zip" -aoa -o"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356"
Path:
C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe
Parent process:
YandexDisk30Setup_x64.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Standalone Console
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\yandexdisk-aa49a50aad3745388a1bd7933848c356\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1616
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1856
CMD:
"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe" x "C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\YandexDiskScreenshotEditor.exe.zip" -aoa -o"C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356"
Path:
C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe
Parent process:
YandexDisk30Setup_x64.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Standalone Console
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\yandexdisk-aa49a50aad3745388a1bd7933848c356\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1920
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
7za.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2040
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3916 --field-trial-handle=2228,i,13113532371580379761,3022777146252102995,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
45 942
Read events
45 561
Write events
345
Delete events
36

Modification events

(PID) Process: (7008) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Yandex\Yandex.Disk.2
Operation: delete value
Name: PerUserInstallType
Value:
(PID) Process: (7008) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Yandex\Yandex.Disk.2
Operation: write
Name: TelemostIsSeparateApplication
Value: 1
(PID) Process: (7008) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Yandex\Yandex.Disk.2.Installer3
Operation: delete value
Name: InstallerPath
Value:
(PID) Process: (7008) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YandexDisk2
Operation: delete value
Name: UninstallString
Value:
(PID) Process: (7164) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Yandex\Yandex.Disk.2.Installer3
Operation: delete value
Name: InstallerPath
Value:
(PID) Process: (7164) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YandexDisk2
Operation: delete value
Name: UninstallString
Value:
(PID) Process: (7164) YandexDisk30Setup_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Yandex\Yandex.Disk.2.Installer3
Operation: delete value
Name: InstallerPath
Value:
(PID) Process: (7164) YandexDisk30Setup_x64.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YandexDisk2
Operation: delete value
Name: UninstallString
Value:
(PID) Process: (7164) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Yandex\Yandex.Disk.2
Operation: delete value
Name: PerUserInstallType
Value:
(PID) Process: (7164) YandexDisk30Setup_x64.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Yandex\Yandex.Disk.2
Operation: delete value
Name: UpdatePath
Value:
Executable files
38
Suspicious files
235
Text files
183
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6464
Process: YandexDisk30Setup (2).exe
Filename: C:\ProgramData\Yandex\Yandex.Disk.2\{3FE0EF39-1462-4094-9A42-43B4EE3C383B}\YandexDisk30Setup_x64.exe
MD5:
SHA256:
PID: 3260
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\YandexDisk2.exe
MD5:
SHA256:
PID: 7008
Process: YandexDisk30Setup_x64.exe
Filename: C:\Users\admin\AppData\Roaming\Yandex\YandexDisk2\3.2.43.5081\YandexDisk2.exe
MD5:
SHA256:
PID: 6464
Process: YandexDisk30Setup (2).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5: 550C28AEFF3630DEB72921824CF890A8
SHA256: 5E4330A83A1DED259AE2F437CCC75D0537248A72CD3EB9C5047E7AF6379487E2
PID: 6464
Process: YandexDisk30Setup (2).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Type: binary
MD5: 850A66E30AC7ADAE6EB8B278804B150B
SHA256: D34A6BF1D2B279A60E05035CFD8A722B45DF52AD4AA3985EB63ACDD28FBDEDE2
PID: 6464
Process: YandexDisk30Setup (2).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Type: binary
MD5: 014E5487B356B0B5F792F3894D0FF756
SHA256: 05500344228DF3690F2A4E04D7B86424373835A7A6FF6EBFE77D3F67D3145D69
PID: 7008
Process: YandexDisk30Setup_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\7za.exe
Type: executable
MD5: 42BADC1D2F03A8B1E4875740D3D49336
SHA256: C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
PID: 7008
Process: YandexDisk30Setup_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\YandexDisk2.exe.zip
Type: compressed
MD5: 198CC193D27756009235CA5D619AC2F1
SHA256: 7DD99B5A602D781526515B63EB10E0B38C6458A5AF306D8FF5F6696F069703BD
PID: 6464
Process: YandexDisk30Setup (2).exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Type: binary
MD5: E3A059D6C22908958933C84A00890629
SHA256: 8C02DF903F6C5F72DDD87AEAF66CD032F0ED5F64615CFD38F83EF50B306DD6AB
PID: 7008
Process: YandexDisk30Setup_x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\YandexDisk-aa49a50aad3745388a1bd7933848c356\YandexDisk3ShellExt.dll.zip
Type: compressed
MD5: 8FE65AE0E63D40459CD2BD0059C0937D
SHA256: 416BFF45F96B2C64146F223F6D35F4BD78064B571659A31E6F84C3D30A071890
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
94
DNS requests
72
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6364
YandexDisk2.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDF7GMKCveV6ULugJcg%3D%3D
unknown
whitelisted
6364
YandexDisk2.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/rootr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHUeP1PjGFkz6V8I7O6tApc%3D
unknown
whitelisted
6364
YandexDisk2.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDF7KUp4b%2BF1Yvpwx4Q%3D%3D
unknown
whitelisted
6364
YandexDisk2.exe
GET
200
151.101.194.133:80
http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D
unknown
whitelisted
7540
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.41:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.41:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1920
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.41:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.16.164.41:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.41
  • 2.16.164.26
  • 2.16.164.106
  • 2.16.164.113
  • 2.16.164.96
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
  • 92.123.104.58
  • 92.123.104.67
  • 92.123.104.61
  • 92.123.104.62
  • 92.123.104.59
  • 92.123.104.54
  • 92.123.104.64
  • 92.123.104.66
  • 92.123.104.65
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
webdav.yandex.ru
  • 213.180.204.148
whitelisted
downloader.disk.yandex.ru
  • 77.88.21.127
whitelisted
login.live.com
  • 40.126.31.2
  • 40.126.31.0
  • 20.190.159.71
  • 40.126.31.69
  • 40.126.31.130
  • 40.126.31.71
  • 20.190.159.128
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted

Threats

No threats detected
No debug info