File name:

b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin

Full analysis: https://app.any.run/tasks/8f1015f0-2588-463b-9f61-11ec89685e5d
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 26, 2025, 11:26:13
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
adware
innosetup
loader
stealer
delphi
inno
installer
arch-scr
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

C7987BAC6C71153D69102164F5136DD4

SHA1:

8C28ED556453195757E2EC99EA9E758F2F438BCB

SHA256:

B32133AB414E970DE653AD8562BCA92936655CC395B3C791AF1502B4A1EF1170

SSDEEP:

98304:9+cD4dngauVrlqhl6PsPXIIHjm12jPRBre68K80bOKwACkbb0FkP0YG05NxLHU5f:MBlf8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • INNOSETUP has been detected (SURICATA)

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
    • Actions look like stealing of personal data

      • lite_installer.exe (PID: 2188)
      • seederexe.exe (PID: 3732)
    • Runs injected code in another process

      • sp1.exe (PID: 388)
      • sp1.exe (PID: 1692)
      • sp1.exe (PID: 4988)
      • sp1.exe (PID: 2052)
    • Application was injected by another process

      • explorer.exe (PID: 4220)
    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 3732)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.exe (PID: 2908)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • lite_installer.exe (PID: 2188)
      • Yandex.exe (PID: 4136)
      • yandex.exe (PID: 2496)
      • lite_installer.exe (PID: 3400)
      • sz1.exe (PID: 5696)
      • setup.exe (PID: 5360)
      • browser.exe (PID: 5828)
      • yb9FEE.tmp (PID: 4136)
    • Reads the Windows owner or organization settings

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • msiexec.exe (PID: 856)
    • Access to an unwanted program domain was detected

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
    • Reads the Internet Settings

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • lite_installer.exe (PID: 2188)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • sender.exe (PID: 5892)
      • yandex.exe (PID: 2496)
    • Reads security settings of Internet Explorer

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • lite_installer.exe (PID: 2188)
      • Yandex.exe (PID: 4136)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • explorer.exe (PID: 5268)
      • yandex.exe (PID: 2496)
    • Potential Corporate Privacy Violation

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • lite_installer.exe (PID: 2188)
      • yandex.exe (PID: 2496)
      • lite_installer.exe (PID: 3400)
    • Reads settings of System Certificates

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • lite_installer.exe (PID: 2188)
    • Process requests binary or script from the Internet

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • lite_installer.exe (PID: 2188)
      • yandex.exe (PID: 2496)
      • lite_installer.exe (PID: 3400)
    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 2200)
      • YandexPackSetup.exe (PID: 4504)
    • Process drops legitimate windows executable

      • yandex.exe (PID: 2984)
      • sz1.exe (PID: 5696)
      • yandex.exe (PID: 2496)
    • Application launched itself

      • yandex.exe (PID: 2984)
      • yandex.exe (PID: 2496)
      • setup.exe (PID: 5360)
      • explorer.exe (PID: 1212)
      • browser.exe (PID: 3724)
      • browser.exe (PID: 3420)
      • browser.exe (PID: 4632)
      • browser.exe (PID: 2200)
    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 3732)
    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 3732)
    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 3732)
    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 4136)
    • Starts itself from another location

      • Yandex.exe (PID: 4136)
      • setup.exe (PID: 5360)
    • Creates a software uninstall entry

      • Yandex.exe (PID: 4136)
    • Drops 7-zip archiver for unpacking

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
    • Starts application with an unusual extension

      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
  • INFO

    • Checks supported languages

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.exe (PID: 2908)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • YandexPackSetup.exe (PID: 2200)
      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 5180)
      • seederexe.exe (PID: 3732)
      • lite_installer.exe (PID: 2188)
      • yandex.exe (PID: 3860)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • Yandex.exe (PID: 4136)
      • explorer.exe (PID: 5268)
      • sender.exe (PID: 5892)
      • yandex.exe (PID: 2496)
      • sz1.exe (PID: 5696)
      • sp1.exe (PID: 388)
      • sp1.exe (PID: 1692)
      • sp1.exe (PID: 4988)
      • sp1.exe (PID: 2052)
    • Creates files in a temporary directory

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.exe (PID: 2908)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • YandexPackSetup.exe (PID: 2200)
      • yandex.exe (PID: 3860)
      • lite_installer.exe (PID: 2188)
      • msiexec.exe (PID: 5180)
      • seederexe.exe (PID: 3732)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • Yandex.exe (PID: 4136)
      • sender.exe (PID: 5892)
      • yandex.exe (PID: 2496)
    • Checks proxy server information

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • lite_installer.exe (PID: 2188)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • yandex.exe (PID: 2496)
    • The sample compiled with Russian language support

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • msiexec.exe (PID: 5180)
      • msiexec.exe (PID: 2576)
      • setup.exe (PID: 5360)
    • Reads the computer name

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • YandexPackSetup.exe (PID: 2200)
      • msiexec.exe (PID: 5180)
      • msiexec.exe (PID: 856)
      • lite_installer.exe (PID: 2188)
      • seederexe.exe (PID: 3732)
      • yandex.exe (PID: 3860)
      • Yandex.exe (PID: 4136)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • explorer.exe (PID: 5268)
      • sender.exe (PID: 5892)
      • yandex.exe (PID: 2496)
      • sz1.exe (PID: 5696)
    • Reads the software policy settings

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2984)
      • msiexec.exe (PID: 856)
      • lite_installer.exe (PID: 2188)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
    • Creates files or folders in the user directory

      • yandex.exe (PID: 2984)
      • msiexec.exe (PID: 5180)
      • msiexec.exe (PID: 856)
      • lite_installer.exe (PID: 2188)
      • seederexe.exe (PID: 3732)
      • Yandex.exe (PID: 4136)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • explorer.exe (PID: 5268)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • explorer.exe (PID: 4220)
      • yandex.exe (PID: 2496)
      • sz1.exe (PID: 5696)
    • Reads the machine GUID from the registry

      • yandex.exe (PID: 2984)
      • msiexec.exe (PID: 856)
      • seederexe.exe (PID: 3732)
      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • lite_installer.exe (PID: 2188)
    • The sample compiled with English language support

      • yandex.exe (PID: 2984)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
      • yandex.exe (PID: 2496)
      • lite_installer.exe (PID: 3400)
      • lite_installer.exe (PID: 2188)
      • yb9FEE.tmp (PID: 4136)
      • setup.exe (PID: 5360)
      • browser.exe (PID: 5828)
      • sz1.exe (PID: 5696)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 856)
      • msiexec.exe (PID: 5180)
      • msiexec.exe (PID: 2576)
    • Manual execution by a user

      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
      • {15BD9B53-1031-48CA-8D8D-5A0AE0686FF2}.exe (PID: 3392)
      • browser.exe (PID: 3724)
    • Yandex updater related mutex has been found

      • {E1DE28F7-0F50-4993-A16E-429D741E2F61}.exe (PID: 5284)
    • Local mutex for internet shortcut management

      • Yandex.exe (PID: 4136)
      • explorer.exe (PID: 4220)
    • Detects InnoSetup installer (YARA)

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.exe (PID: 2908)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4220)
    • Creates a software uninstall entry

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
    • Compiled with Borland Delphi (YARA)

      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.exe (PID: 2908)
      • b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp (PID: 1640)
    • Reads the Internet Settings

      • explorer.exe (PID: 4220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 304128
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: GL
FileDescription: Grant Theft Auto Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Grant Theft Auto
ProductVersion: 3.3
No data.
All screenshots are available in the full report
Total processes
202
Monitored processes
94
Malicious processes
10
Suspicious processes
7

Behavior graph

start b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.exe #INNOSETUP b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp yandex.exe yandexpacksetup.exe yandex.exe msiexec.exe msiexec.exe lite_installer.exe seederexe.exe {e1de28f7-0f50-4993-a16e-429d741e2f61}.exe yandex.exe explorer.exe no specs sender.exe sz1.exe conhost.exe no specs yandex.exe sp1.exe no specs conhost.exe no specs sp1.exe no specs conhost.exe no specs sp1.exe no specs conhost.exe no specs sp1.exe no specs conhost.exe no specs yandexpacksetup.exe yandex.exe msiexec.exe lite_installer.exe seederexe.exe yandex.exe no specs sender.exe {15bd9b53-1031-48ca-8d8d-5a0ae0686ff2}.exe no specs yb9fee.tmp setup.exe setup.exe no specs explorer.exe no specs explorer.exe no specs clidmgr.exe conhost.exe no specs clidmgr.exe conhost.exe no specs browser.exe browser.exe no specs browser.exe no specs browser.exe no specs browser.exe browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 388
CMD: "C:\Users\admin\AppData\Local\Temp\is-TLEAM.tmp\sp1.exe" "C:\Users\admin\AppData\Local\Programs\etowolt\Яндекс.Игры.lnk" 5386
Path: C:\Users\admin\AppData\Local\Temp\is-TLEAM.tmp\sp1.exe
Parent process: b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
User:
admin
Company:
Technosys Corporation
Integrity Level:
MEDIUM
Description:
Pin To Taskbar
Exit code:
0
Version:
0.99.9.1
Modules
Images
c:\users\admin\appdata\local\temp\is-tleam.tmp\sp1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 704
CMD: "C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=ed128e4f-851e-4ca1-bdcd-6346b3e344ed --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --allow-prefetch --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --may-use-trampoline-gpu --field-trial-handle=4040,i,3937146285795860581,7712472836614378039,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:1
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
PID: 856
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 956
CMD: "C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=ed128e4f-851e-4ca1-bdcd-6346b3e344ed --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6320,i,3937146285795860581,7712472836614378039,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:1
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
PID: 976
CMD: "C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=ru --service-sandbox-type=service --user-id=ed128e4f-851e-4ca1-bdcd-6346b3e344ed --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --process-name="Распаковщик файлов" --field-trial-handle=808,i,3937146285795860581,7712472836614378039,262144 --variations-seed-version --mojo-platform-channel-handle=5788 --brver=25.2.6.697 /prefetch:14
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
PID: 1044
CMD: "C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=ed128e4f-851e-4ca1-bdcd-6346b3e344ed --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --allow-prefetch --video-capture-use-gpu-memory-buffer --lang=ru --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --may-use-trampoline-gpu --field-trial-handle=5252,i,3937146285795860581,7712472836614378039,262144 --variations-seed-version --mojo-platform-channel-handle=5204 /prefetch:1
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
PID: 1072
CMD: "C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=ed128e4f-851e-4ca1-bdcd-6346b3e344ed --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --process-name="Data Decoder Service" --field-trial-handle=8592,i,3937146285795860581,7712472836614378039,262144 --variations-seed-version --mojo-platform-channel-handle=8596 --brver=25.2.6.697 /prefetch:14
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
PID: 1104
CMD: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1745666902 --annotation=last_update_date=1745666902 --annotation=launches_after_update=3 --annotation=machine_id=97b7721c4994e2556ff6a439510f665d --annotation=main_process_pid=3420 --annotation=metrics_client_id=386686fc07354c43877b617e8a3cfa28 --annotation=plat=Win64 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=25.2.6.697 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffc715058d0,0x7ffc715058dc,0x7ffc715058e8
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcp_win.dll
PID: 1164
CMD: "C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=ed128e4f-851e-4ca1-bdcd-6346b3e344ed --brand-id=yandex --partner-id=pseudoportal-ru --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --gpu-process-kind=trampoline --field-trial-handle=2156,i,3937146285795860581,7712472836614378039,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:6
Path: C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Parent process: browser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.2.6.697\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
PID: 1212
CMD: "C:\Users\admin\AppData\Local\Temp\scoped_dir5360_1353863991\explorer.exe" --pttw1="C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yandex.lnk"
Path: C:\Users\admin\AppData\Local\Temp\scoped_dir5360_1353863991\explorer.exe
Parent process: setup.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Yandex
Exit code:
0
Version:
25.2.6.697
Modules
Images
c:\users\admin\appdata\local\temp\scoped_dir5360_1353863991\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
Total events
81 844
Read events
80 912
Write events
828
Delete events
104

Modification events

(PID) Process: (4220) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060240
Operation: write
Name: VirtualDesktop
Value: 1000000030304456E607A44380CD8749882E4DD2FDAFD763

(PID) Process: (1640) b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 6806000094FB0E089EB6DB01

(PID) Process: (1640) b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 35EACD137966CF2C4C44336B6FD85DB61FA9EBB0862255E419CBB0A5CA3F3A02

(PID) Process: (1640) b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (2984) yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2984) yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2984) yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2984) yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2984) yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2984) yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files
79
Suspicious files
1 057
Text files
795
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 1640
Process: b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-TLEAM.tmp\tuya.bmp
Type:
MD5:
SHA256:

PID: 2200
Process: YandexPackSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Type:
MD5:
SHA256:

PID: 856
Process: msiexec.exe
Filename: C:\Windows\Installer\1680be.msi
Type:
MD5:
SHA256:

PID: 1640
Process: b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-TLEAM.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 1640
Process: b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-TLEAM.tmp\_isetup\_iscrypt.dll
Type: executable
MD5: A69559718AB506675E907FE49DEB71E9
SHA256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC

PID: 2984
Process: yandex.exe
Filename: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\seed.txt
Type: text
MD5: 73FB305C6B3819A3E01C5D351E699ABC
SHA256: 529B3C8875A85325729E4922927DD75662CF6191ECE3A858CDDD5D63633065EC

PID: 2984
Process: yandex.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Type: binary
MD5: DB47E083152A7A3AB23E5749CC505DBC
SHA256: 7B2BEC03BC38F89BCEF9D450A39877F8B3BE437D8C11A324B3CF97788505A0D8

PID: 2984
Process: yandex.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
Type: binary
MD5: EBEFF0D7164A9F4F2ED8724940A6DC5A
SHA256: 580756FF58E378328CCEEA91D54046D496DCE1BE7BE56DE1AFC9990A3D010CC0

PID: 1640
Process: b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-TLEAM.tmp\yandex.exe
Type: executable
MD5: B9314504E592D42CB36534415A62B3AF
SHA256: C60C3A7D20B575FDEEB723E12A11C2602E73329DC413FC6D88F72E6F87E38B49

PID: 2984
Process: yandex.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\5C651ZXJ\YandexPackSetup[1].exe
Type: executable
MD5: 3FB846D3691F3D98A34E669E1B9B5BF6
SHA256: EAD7A779CABAE642D09BE07283CC99E53C84ECF90349444E0D0AC4BF9901FE47
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
59
TCP/UDP connections
129
DNS requests
104
Threats
20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
900 | smartscreen.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?db44e00653650f81 | | unknown | | whitelisted
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | GET | 302 | 5.45.205.244:80 | http://download.yandex.ru/yandex-pack/downloader/downloader.exe | | unknown | | whitelisted
2984 | yandex.exe | GET | 302 | 5.45.205.244:80 | http://download.yandex.ru/yandex-pack/downloader/info.rss | | unknown | | whitelisted
3640 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | | unknown | | whitelisted
900 | smartscreen.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | | unknown | | whitelisted
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | GET | 200 | 5.45.247.21:80 | http://cachev2-ams20.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=289 | | unknown | | whitelisted
2984 | yandex.exe | GET | 302 | 5.45.205.245:80 | http://downloader.yandex.net/yandex-pack/418804/YandexPackSetup.exe | | unknown | | whitelisted
2984 | yandex.exe | GET | 200 | 5.45.247.27:80 | http://cachev2-ams22.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/info.rss?lid=325 | | unknown | | whitelisted
2984 | yandex.exe | GET | 200 | 5.45.200.105:80 | http://cachev2-fra-02.cdn.yandex.net/downloader.yandex.net/yandex-pack/418804/YandexPackSetup.exe?lid=328 | | unknown | | whitelisted
1352 | svchost.exe | GET | 200 | 2.18.64.200:80 | http://www.msftconnecttest.com/connecttest.txt | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
900 | smartscreen.exe | 48.209.162.134:443 | checkappexec.microsoft.com | | US | whitelisted
1352 | svchost.exe | 2.18.64.212:80 | | Administracion Nacional de Telecomunicaciones | UY | unknown
900 | smartscreen.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
900 | smartscreen.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
5812 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2776 | svchost.exe | 104.46.162.224:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | AU | whitelisted
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | 5.45.205.244:80 | download.yandex.ru | YANDEX LLC | RU | whitelisted
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | 5.45.247.21:80 | cachev2-ams20.cdn.yandex.net | YANDEX LLC | RU | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.46 | whitelisted
checkappexec.microsoft.com | 48.209.162.134 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
ocsp.digicert.com | 2.23.77.188 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
login.live.com | 40.126.31.71, 40.126.31.2, 20.190.159.0, 20.190.159.23, 20.190.159.75, 40.126.31.67, 40.126.31.131, 20.190.159.130 | whitelisted
v10.events.data.microsoft.com | 104.46.162.224 | whitelisted
download.yandex.ru | 5.45.205.244, 5.45.205.243, 5.45.205.242, 5.45.205.241, 5.45.205.245 | whitelisted
cachev2-ams20.cdn.yandex.net | 5.45.247.21 | whitelisted
klodsad.ru | 92.53.96.117 | unknown

Threats

PID | Process | Class | Message
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | Misc activity | ET INFO Packed Executable Download
2984 | yandex.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2984 | yandex.exe | Misc activity | ET INFO Packed Executable Download
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
2188 | lite_installer.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
2188 | lite_installer.exe | Misc activity | ET INFO EXE - Served Attached HTTP
1640 | b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] InnoSetup Installer
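The following is an added example and not part of the ANY.RUN report or of the sandbox's own rule set. It re-derives, from the HTTP request, connection and DNS rows shown on this page (transcribed inline as constructed sample input; the two OCSP request paths and the login.live.com and download.yandex.ru address lists are shortened), the kind of findings the Threats table records, so the same checks can be run over proxy or DNS logs elsewhere. The function names are the example's own.

```python
"""Added example, not part of the ANY.RUN report: re-derives network findings
from the HTTP, connection and DNS rows of this report (constructed input)."""
from collections import defaultdict
from urllib.parse import urlparse

TMP = "b32133ab414e970de653ad8562bca92936655cc395b3c791af1502b4a1ef1170.bin.tmp"
OCSP = "http://ocsp.digicert.com/"  # the two OCSP request paths are long base64; shortened here

# Transcribed from the report's HTTP requests table: (pid, process, status, ip:port, url)
HTTP_ROWS = [
    (900, "smartscreen.exe", 200, "199.232.210.172:80",
     "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?db44e00653650f81"),
    (1640, TMP, 302, "5.45.205.244:80", "http://download.yandex.ru/yandex-pack/downloader/downloader.exe"),
    (2984, "yandex.exe", 302, "5.45.205.244:80", "http://download.yandex.ru/yandex-pack/downloader/info.rss"),
    (3640, "svchost.exe", 200, "2.23.77.188:80", OCSP + "MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYB..."),
    (900, "smartscreen.exe", 200, "2.23.77.188:80", OCSP + "MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx..."),
    (1640, TMP, 200, "5.45.247.21:80",
     "http://cachev2-ams20.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=289"),
    (2984, "yandex.exe", 302, "5.45.205.245:80", "http://downloader.yandex.net/yandex-pack/418804/YandexPackSetup.exe"),
    (2984, "yandex.exe", 200, "5.45.247.27:80",
     "http://cachev2-ams22.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/info.rss?lid=325"),
    (2984, "yandex.exe", 200, "5.45.200.105:80",
     "http://cachev2-fra-02.cdn.yandex.net/downloader.yandex.net/yandex-pack/418804/YandexPackSetup.exe?lid=328"),
    (1352, "svchost.exe", 200, "2.18.64.200:80", "http://www.msftconnecttest.com/connecttest.txt"),
]
# Transcribed from the Connections table: (pid, ip:port)
CONNECTIONS = [(900, "48.209.162.134:443"), (1352, "2.18.64.212:80"), (900, "199.232.210.172:80"),
               (900, "2.23.77.188:80"), (5812, "40.127.240.158:443"), (3640, "40.126.31.71:443"),
               (3640, "2.23.77.188:80"), (2776, "104.46.162.224:443"), (1640, "5.45.205.244:80"),
               (1640, "5.45.247.21:80")]
# Transcribed from the DNS requests table (two address lists shortened): (domain, ips, reputation)
DNS_ROWS = [
    ("google.com", ["142.250.186.46"], "whitelisted"),
    ("checkappexec.microsoft.com", ["48.209.162.134"], "whitelisted"),
    ("ctldl.windowsupdate.com", ["199.232.210.172", "199.232.214.172"], "whitelisted"),
    ("ocsp.digicert.com", ["2.23.77.188"], "whitelisted"),
    ("settings-win.data.microsoft.com", ["40.127.240.158"], "whitelisted"),
    ("login.live.com", ["40.126.31.71", "40.126.31.2"], "whitelisted"),
    ("v10.events.data.microsoft.com", ["104.46.162.224"], "whitelisted"),
    ("download.yandex.ru", ["5.45.205.244", "5.45.205.245"], "whitelisted"),
    ("cachev2-ams20.cdn.yandex.net", ["5.45.247.21"], "whitelisted"),
    ("klodsad.ru", ["92.53.96.117"], "unknown"),
]

PE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")


def pe_downloads_over_http(rows):
    """Same idea as 'ET INFO PE EXE or DLL Windows file download HTTP': a cleartext
    request whose URL path names a PE file, regardless of the 'whitelisted'
    reputation the report attaches to the host."""
    hits = []
    for pid, proc, status, _ipport, url in rows:
        u = urlparse(url)
        if u.scheme == "http" and u.path.lower().endswith(PE_EXTENSIONS):
            hits.append((pid, proc, status, u.hostname, u.path.rsplit("/", 1)[-1]))
    return hits


def redirect_chains(rows):
    """Pair each 302 with the later 200 by the same PID whose path embeds the
    origin host+path (how the CDN edges in this report mirror origin URLs); this
    ties the final download back to the process that requested it."""
    chains = []
    for i, (pid, _proc, status, _ipport, url) in enumerate(rows):
        if status != 302:
            continue
        origin = urlparse(url)
        key = origin.hostname + origin.path
        for pid2, _p, status2, _ip, url2 in rows[i + 1:]:
            edge = urlparse(url2)
            if pid2 == pid and status2 == 200 and key in edge.path:
                chains.append((pid, origin.hostname, edge.hostname, origin.path.rsplit("/", 1)[-1]))
                break
    return chains


def hosts_by_pid(rows):
    """Per-process host list: the minimal network IOC set to hand to a blocklist."""
    hosts = defaultdict(set)
    for pid, _proc, _status, _ipport, url in rows:
        hosts[pid].add(urlparse(url).hostname)
    return {pid: sorted(h) for pid, h in hosts.items()}


def resolved_not_contacted(dns, connections, http_rows):
    """Domains that were resolved but none of whose IPs appear in any shown
    connection. Worth a look (klodsad.ru carries 'unknown' reputation here), but
    in a truncated report the contact may simply be in rows not shown."""
    seen = {ipport.rsplit(":", 1)[0] for _pid, ipport in connections}
    seen |= {ipport.rsplit(":", 1)[0] for *_rest, ipport, _url in http_rows}
    return sorted(d for d, ips, _rep in dns if not any(ip in seen for ip in ips))


if __name__ == "__main__":
    for hit in pe_downloads_over_http(HTTP_ROWS) + redirect_chains(HTTP_ROWS):
        print(hit)
    print(hosts_by_pid(HTTP_ROWS))
    print(resolved_not_contacted(DNS_ROWS, CONNECTIONS, HTTP_ROWS))
```

Every host in the tables above is marked whitelisted, so a reputation-only filter would have passed all of this traffic; it is the PE-over-cleartext-HTTP check and the 302-to-CDN chain that surface the two executables fetched by PIDs 1640 and 2984. The last function surfaces klodsad.ru, which the DNS table records with unknown reputation but which has no matching connection in the rows shown.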

Process | Message
YandexPackSetup.exe | IsAlreadyRun() In
YandexPackSetup.exe | IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe | GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin
YandexPackSetup.exe | GetSidFromEnumSess(): LsaGetLogonSessionData(0) err = 5
YandexPackSetup.exe | GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-166304369-59083888-3082702900-1001
YandexPackSetup.exe | GetSidFromEnumSess(): i = 1 : szUserName = admin, szDomain = DESKTOP-BFTPUHP, dwSessionId = 0
YandexPackSetup.exe | IsMSISrvFree() Out ret = 1
YandexPackSetup.exe | IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe | IsMSISrvFree() In
YandexPackSetup.exe | GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-BFTPUHP, dwSessionId = 1