Malware analysis install.exe Malicious activity | ANY.RUN

Add for printing

File name:	install.exe
Full analysis:	https://app.any.run/tasks/32796976-6e11-4ffe-a86b-b78079c6b834
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 22, 2025, 14:29:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	6971695B5893E9952C35F0653BB192C3
SHA1:	42F496F742BA2DADB49151CE9539D4F2EA99AA28
SHA256:	D15035A9341BEA4A659674B6E79B038B38F0CD1B01C537E82BE57B1035C5E5F0
SSDEEP:	6144:BTM6qtgn0I+4i5tucngwZXp+V44zPOfBOLzh:BdTcscgwQ44zWZwh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Steals credentials from Web Browsers
  - seederexe.exe (PID: 6848)
- Actions looks like stealing of personal data
  - seederexe.exe (PID: 6848)
  - lite_installer.exe (PID: 6696)
SUSPICIOUS
- Executable content was dropped or overwritten
  - install.exe (PID: 372)
  - lite_installer.exe (PID: 6696)
  - Yandex.exe (PID: 4500)
  - ybB307.tmp (PID: 7024)
- Checks Windows Trust Settings
  - install.exe (PID: 372)
  - msiexec.exe (PID: 6420)
  - lite_installer.exe (PID: 6696)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Reads security settings of Internet Explorer
  - install.exe (PID: 372)
  - lite_installer.exe (PID: 6696)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Starts a Microsoft application from unusual location
  - YandexPackSetup.exe (PID: 6360)
- Application launched itself
  - install.exe (PID: 372)
  - setup.exe (PID: 6356)
- Reads Mozilla Firefox installation path
  - seederexe.exe (PID: 6848)
- Potential Corporate Privacy Violation
  - install.exe (PID: 372)
  - lite_installer.exe (PID: 6696)
- Changes the title of the Internet Explorer window
  - seederexe.exe (PID: 6848)
- Changes the Home page of Internet Explorer
  - seederexe.exe (PID: 6848)
- Starts application with an unusual extension
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Starts itself from another location
  - Yandex.exe (PID: 4500)
INFO
- The sample compiled with russian language support
  - install.exe (PID: 372)
  - msiexec.exe (PID: 6572)
- Reads the computer name
  - install.exe (PID: 372)
  - msiexec.exe (PID: 6572)
  - YandexPackSetup.exe (PID: 6360)
  - msiexec.exe (PID: 6420)
  - lite_installer.exe (PID: 6696)
  - install.exe (PID: 6368)
  - seederexe.exe (PID: 6848)
  - Yandex.exe (PID: 4500)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
  - sender.exe (PID: 3208)
  - explorer.exe (PID: 3680)
  - setup.exe (PID: 6356)
- Create files in a temporary directory
  - install.exe (PID: 372)
  - YandexPackSetup.exe (PID: 6360)
  - lite_installer.exe (PID: 6696)
  - seederexe.exe (PID: 6848)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Checks proxy server information
  - install.exe (PID: 372)
  - lite_installer.exe (PID: 6696)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Reads the machine GUID from the registry
  - install.exe (PID: 372)
  - msiexec.exe (PID: 6420)
  - lite_installer.exe (PID: 6696)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
  - seederexe.exe (PID: 6848)
- Creates files or folders in the user directory
  - install.exe (PID: 372)
  - seederexe.exe (PID: 6848)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
  - Yandex.exe (PID: 4500)
- Process checks computer location settings
  - install.exe (PID: 372)
  - msiexec.exe (PID: 6572)
  - Yandex.exe (PID: 4500)
  - explorer.exe (PID: 3680)
- Checks supported languages
  - install.exe (PID: 372)
  - msiexec.exe (PID: 6572)
  - lite_installer.exe (PID: 6696)
  - install.exe (PID: 6368)
  - YandexPackSetup.exe (PID: 6360)
  - msiexec.exe (PID: 6420)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
  - seederexe.exe (PID: 6848)
  - Yandex.exe (PID: 4500)
  - explorer.exe (PID: 3680)
  - sender.exe (PID: 3208)
  - setup.exe (PID: 6356)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6420)
  - msiexec.exe (PID: 6572)
- Reads the software policy settings
  - install.exe (PID: 372)
  - lite_installer.exe (PID: 6696)
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Manual execution by a user
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Yandex updater related mutex has been found
  - {D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe (PID: 7060)
- Local mutex for internet shortcut management
  - Yandex.exe (PID: 4500)
- The sample compiled with english language support
  - ybB307.tmp (PID: 7024)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:05:19 13:34:48+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	143360
InitializedDataSize:	84992
UninitializedDataSize:	-
EntryPoint:	0x74a6
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	0.1.0.33
ProductVersionNumber:	0.1.0.33
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Russian
CharacterSet:	Unicode
FileDescription:	Setup Downloader
FileVersion:	0.1.0.33
InternalName:	download
LegalCopyright:	Copyright (C) 2015 Yandex LLC
OriginalFileName:	downloader.exe
ProductName:	Setup Downloader
ProductVersion:	0.1.0.33

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

140

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

372

"C:\Users\admin\AppData\Local\Temp\install.exe"

C:\Users\admin\AppData\Local\Temp\install.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Setup Downloader

Exit code:

Version:

0.1.0.33

Modules

Images
c:\users\admin\appdata\local\temp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3208

C:\Users\admin\AppData\Local\Temp\AC95D2F2-88E5-4D23-B364-A353C3199411\sender.exe --send "/status.xml?clid=9183476-678&uuid=7b384021-1ca9-40d9-b38a-ccb5ce7a0ddb&vnt=Windows 10x64&file-no=8%0A10%0A12%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A45%0A58%0A59%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"

C:\Users\admin\AppData\Local\Temp\AC95D2F2-88E5-4D23-B364-A353C3199411\sender.exe

seederexe.exe

User:

admin

Company:

Yandex

Integrity Level:

MEDIUM

Description:

Yandex Statistics

Exit code:

Version:

0.0.2.14

Modules

Images
c:\users\admin\appdata\local\temp\ac95d2f2-88e5-4d23-b364-a353c3199411\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3680

C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning

C:\Users\admin\AppData\Local\Temp\pin\explorer.exe

—

Yandex.exe

User:

admin

Integrity Level:

MEDIUM

Description:

YandexPin

Exit code:

Version:

3.7.9.0

Modules

Images
c:\users\admin\appdata\local\temp\pin\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll

4500

C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n

C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe

seederexe.exe

User:

admin

Integrity Level:

MEDIUM

Description:

YandexPin

Exit code:

Version:

3.7.9.0

Modules

Images
c:\users\admin\appdata\local\yandex\yapin\yandex.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll

6356

"C:\Users\admin\AppData\Local\Temp\YB_804E1.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\YB_804E1.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\admin\AppData\Local\Temp\e6fdc3aa-663a-4509-b2dc-ec51a2f07482.tmp" --brand-name=yandex --brand-package="C:\Users\admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=1290891612 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{1E9B5500-404A-4A99-A0C7-267BF7A69816} --local-path="C:\Users\admin\AppData\Local\Temp\{D906CF49-2AF9-4AE3-99DE-2466D0D26D84}.exe" --partner-package="C:\Users\admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=9183405-678&ui={7b384021-1ca9-40d9-b38a-ccb5ce7a0ddb} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\admin\AppData\Local\Temp\fa5d7bdb-dfa8-4b68-9f52-3ba2fee27b24.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\admin\AppData\Local\Temp\website.ico"

C:\Users\admin\AppData\Local\Temp\YB_804E1.tmp\setup.exe

ybB307.tmp

User:

admin

Company:

YANDEX LLC

Integrity Level:

MEDIUM

Description:

Yandex

Version:

24.12.3.780

Modules

Images
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll

6360

"C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /passive /msicl "VID=678 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y "

C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

install.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Software Installer

Exit code:

Version:

3.0.5419.0

Modules

Images
c:\users\admin\appdata\local\temp\7f4987fb1a6e43d69e3e94b29eb75926\yandexpacksetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

6368

C:\Users\admin\AppData\Local\Temp\install.exe --stat dwnldr/p=635487/cnt=0/dt=5/ct=0/rt=0 --dh 2404 --st 1737556211

C:\Users\admin\AppData\Local\Temp\install.exe

install.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Setup Downloader

Exit code:

Version:

0.1.0.33

Modules

Images
c:\users\admin\appdata\local\temp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6420

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6572

C:\Windows\syswow64\MsiExec.exe -Embedding F989E2F57BE8D03ADB6B9EB388F0B9CC

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6696

"C:\Users\admin\AppData\Local\Temp\B09B1B2C-4DE8-49FE-988C-2DFBD0622359\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER

C:\Users\admin\AppData\Local\Temp\B09B1B2C-4DE8-49FE-988C-2DFBD0622359\lite_installer.exe

msiexec.exe

User:

admin

Company:

Yandex

Integrity Level:

MEDIUM

Description:

YandexBrowserDownloader

Exit code:

Version:

1.0.1.9

Modules

Images
c:\users\admin\appdata\local\temp\b09b1b2c-4de8-49fe-988c-2dfbd0622359\lite_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

18 570

Read events

18 436

Write events

113

Delete events

Modification events


(PID) Process:	(372) install.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(372) install.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(372) install.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 14190000FCCB0126DA6CDB01
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: F3917DF3442F46BFEC24F8CC75F1E82FAE4551D0C804B43EC3483484CF18AA56
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\1395ae.rbs
Value: 31157466
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\1395ae.rbsLow
Value: 667308064
(PID) Process:	(6420) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Users\admin\AppData\Roaming\Microsoft\Installer\
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6360	YandexPackSetup.exe	C:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi		—
		MD5:—	SHA256:—
6420	msiexec.exe	C:\Windows\Installer\1395ac.msi		—
		MD5:—	SHA256:—
6420	msiexec.exe	C:\Windows\Installer\MSI9BD9.tmp		executable
		MD5:0C80A997D37D930E7317D6DAC8BB7AE1	SHA256:A5DD2F97C6787C335B7807FF9B6966877E9DD811F9E26326837A7D2BD224DE86
372	install.exe	C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe		executable
		MD5:DE5CC8B280F3A924E2C3F269FE7618A0	SHA256:167398F1384B8322E60810EAA3CF147E2884580063CB12E19DAB484F63A4BBD6
6572	msiexec.exe	C:\Users\admin\AppData\Local\Temp\clids-yasearch.xml		xml
		MD5:56F2D021C5BF8F4D4F828F7B7ADDA0F7	SHA256:469A2B59DCC1B8CE8F9298FDEF3A6FD79EAF85557CE4C1F25BAA3E32CF99B792
372	install.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7		binary
		MD5:FCAD212CF08CD4E8A3BD93E1B55DD374	SHA256:A70BFE0953F66CDE550D088A09B5F4A4E2DE40FFA2B1A7396C90690F67E84994
6420	msiexec.exe	C:\Windows\Installer\MSI9B5B.tmp		executable
		MD5:E6FD0E66CF3BFD3CC04A05647C3C7C54	SHA256:669CC0AAE068CED3154ACAECB0C692C4C5E61BC2CA95B40395A3399E75FCB9B2
6420	msiexec.exe	C:\Windows\Installer\MSI9AEC.tmp		executable
		MD5:E6FD0E66CF3BFD3CC04A05647C3C7C54	SHA256:669CC0AAE068CED3154ACAECB0C692C4C5E61BC2CA95B40395A3399E75FCB9B2
6572	msiexec.exe	C:\Users\admin\AppData\Local\Temp\vendor00000.xml		xml
		MD5:C528466BA6D4F66966AA31021AA339DC	SHA256:546E928B7127A4515B089F0B913078404B664A5DF33C928A281888C25B03760F
372	install.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E		binary
		MD5:27C71A3295D673345F3B8257D802F2A9	SHA256:03986BABEE893169A7C611E98EF045E24128CF6C7E0D87936BE87EFF4A0E8A55

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
372	install.exe	GET	—	5.45.192.4:80	http://cachev2-rad-01.cdn.yandex.net/downloader.yandex.net/yandex-pack/635487/YandexPackSetup.exe?lid=309	unknown	—	—	whitelisted
372	install.exe	GET	302	5.45.205.243:80	http://downloader.yandex.net/yandex-pack/635487/YandexPackSetup.exe	unknown	—	—	whitelisted
372	install.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
372	install.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDG8SbJzCh95FjOiQ9g%3D%3D	unknown	—	—	whitelisted
6696	lite_installer.exe	GET	302	5.45.205.243:80	http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=9183405-678&ui={7b384021-1ca9-40d9-b38a-ccb5ce7a0ddb}	unknown	—	—	whitelisted
6696	lite_installer.exe	GET	200	77.88.21.14:80	http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=0.winapi_download/ui=%7B7b384021-1ca9-40d9-b38a-ccb5ce7a0ddb%7D/clid1=9183405-678/dt=0/ds=0/bits=7_8_19041_3636/bver=0_0_0_0/prod_version=1_0_1_9/result=ok/*	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6368	install.exe	GET	200	77.88.21.14:80	http://clck.yandex.ru/click/dtype=stred/pid=12/cid=72435/path=dwnldr/p=635487/cnt=0/dt=5/ct=0/rt=6/imp=0/*	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6696	lite_installer.exe	GET	200	77.88.21.14:80	http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=1.run_dist/ui=%7B7b384021-1ca9-40d9-b38a-ccb5ce7a0ddb%7D/clid1=9183405-678/dt=32272015/ds=9290672/bits=7_8_19041_3636/bver=24_12_3_780/prod_version=1_0_1_9/result=ok/*	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
372	install.exe	5.45.205.243:80	downloader.yandex.net	YANDEX LLC	RU	whitelisted
372	install.exe	5.45.192.4:80	cachev2-rad-01.cdn.yandex.net	YANDEX LLC	RU	whitelisted
372	install.exe	151.101.130.133:80	ocsp.globalsign.com	FASTLY	US	whitelisted
5064	SearchApp.exe	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1076	svchost.exe	23.213.166.81:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3160	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6696	lite_installer.exe	77.88.21.14:80	clck.yandex.ru	YANDEX LLC	RU	whitelisted

DNS requests

Domain	IP	Reputation
downloader.yandex.net	5.45.205.243 5.45.205.241 5.45.205.244 5.45.205.245 5.45.205.242	whitelisted
cachev2-rad-01.cdn.yandex.net	5.45.192.4	whitelisted
ocsp.globalsign.com	151.101.130.133 151.101.194.133 151.101.66.133 151.101.2.133	whitelisted
www.bing.com	104.126.37.128 104.126.37.185 104.126.37.178 104.126.37.131 104.126.37.144 104.126.37.153 104.126.37.139 104.126.37.146 104.126.37.179	whitelisted
go.microsoft.com	23.213.166.81	whitelisted
login.live.com	40.126.32.134 40.126.32.140 20.190.160.14 40.126.32.74 20.190.160.17 40.126.32.68 40.126.32.76 40.126.32.136	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
clck.yandex.ru	77.88.21.14 87.250.250.14 93.158.134.14 213.180.204.14 213.180.193.14 87.250.251.14	whitelisted
cachev2-fra-02.cdn.yandex.net	5.45.200.105	whitelisted
api.browser.yandex.ru	213.180.193.234	whitelisted

Threats

PID	Process	Class	Message
372	install.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
372	install.exe	Misc activity	ET INFO Packed Executable Download
6696	lite_installer.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6696	lite_installer.exe	Misc activity	ET INFO EXE - Served Attached HTTP

Add for printing

Process	Message
YandexPackSetup.exe	IsAlreadyRun() In
YandexPackSetup.exe	IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe	IsMSISrvFree() In
YandexPackSetup.exe	IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe	IsMSISrvFree() Out ret = 1
YandexPackSetup.exe	GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
YandexPackSetup.exe	GetSidFromEnumSess(): LsaGetLogonSessionData(0) err = 5
YandexPackSetup.exe	GetSidFromEnumSess(): ProfileImagePath(1) = C:\Users\admin
YandexPackSetup.exe	GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1693682860-607145093-2874071422-1001
YandexPackSetup.exe	GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1

General Info

install.exe

6971695B5893E9952C35F0653BB192C3

42F496F742BA2DADB49151CE9539D4F2EA99AA28

D15035A9341BEA4A659674B6E79B038B38F0CD1B01C537E82BE57B1035C5E5F0

6144:BTM6qtgn0I+4i5tucngwZXp+V44zPOfBOLzh:BdTcscgwQ44zWZwh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Starts a Microsoft application from unusual location

Application launched itself

Reads Mozilla Firefox installation path

Potential Corporate Privacy Violation

Changes the title of the Internet Explorer window

Changes the Home page of Internet Explorer

Starts application with an unusual extension

Starts itself from another location

INFO

The sample compiled with russian language support

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

Process checks computer location settings

Checks supported languages

Executable content was dropped or overwritten

Reads the software policy settings

Manual execution by a user

Yandex updater related mutex has been found

Local mutex for internet shortcut management

The sample compiled with english language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats