File name: Yandex.exe

Full analysis: https://app.any.run/tasks/68019a80-786c-4040-ba1e-e339a12a7f71
Verdict: Malicious activity
Analysis date: November 13, 2023, 12:30:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 01A2A4882BBC24601874CC0C106FE10E
SHA1: D549A35327C92712E44997DB647B13FBC2807915
SHA256: 7178D6F5BF56513187761DA0A7A8D2594C94EA720770EE5553C55681A55C293A
SSDEEP: 98304:zRKgZwHSILWkL9ueQmFd+0C/hGabdcrv/yZTI59Od514451DRdVOugM6Etv3c/+s:iWQ7kA888j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Yandex.exe (PID: 3228)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Yandex.exe (PID: 3228)
    • Application launched itself

      • Yandex.exe (PID: 3228)
    • Checks Windows Trust Settings

      • Yandex.exe (PID: 3228)
    • Reads settings of System Certificates

      • Yandex.exe (PID: 3228)
    • Reads security settings of Internet Explorer

      • Yandex.exe (PID: 3228)
  • INFO

    • Manual execution by a user

      • Yandex.exe (PID: 3228)
      • wmpnscfg.exe (PID: 3556)
    • Reads the computer name

      • Yandex.exe (PID: 3228)
      • wmpnscfg.exe (PID: 3556)
    • Checks supported languages

      • Yandex.exe (PID: 3228)
      • wmpnscfg.exe (PID: 3556)
      • Yandex.exe (PID: 3948)
    • Create files in a temporary directory

      • Yandex.exe (PID: 3228)
    • Checks proxy server information

      • Yandex.exe (PID: 3228)
    • Creates files or folders in the user directory

      • Yandex.exe (PID: 3228)
    • Reads the machine GUID from the registry

      • Yandex.exe (PID: 3228)
      • wmpnscfg.exe (PID: 3556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.odttf | Obfuscated subsetted Font (92.8)
.exe | Generic Win/DOS Executable (3.5)
.exe | DOS Executable Generic (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:03 09:37:23+01:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 1187840
InitializedDataSize: 3922432
UninitializedDataSize: -
EntryPoint: 0xb0110
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 23.9.4.838
ProductVersionNumber: 23.9.4.838
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: YANDEX LLC
FileDescription: Yandex
FileVersion: 23.9.4.838
InternalName: lite_installer
LegalCopyright: Copyright (c) 2012-2023 YANDEX LLC. All Rights Reserved.
ProductName: Yandex
ProductVersion: 23.9.4.838
ProductChromiumVersion: 116.0.5845.228
ProductYandexVersion: 23.9.4.838
CompanyShortName: YANDEX LLC
ProductShortName: Yandex Installer
LastChange: a933882c0978e3b058f02c9853164d400fbb62f8
OfficialBuild: 1
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: rundll32.exe (no specs), yandex.exe, wmpnscfg.exe (no specs), yandex.exe

Process information

PID: 3228
CMD: "C:\Users\admin\Desktop\Yandex.exe"
Path: C:\Users\admin\Desktop\Yandex.exe
Parent process: explorer.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Yandex
Exit code:
0
Version:
23.9.4.838
Modules
Images
c:\users\admin\desktop\yandex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3440
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\Desktop\Yandex.exe.odttf"
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 3556
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 3948
CMD: "C:\Users\admin\Desktop\Yandex.exe" --parent-installer-process-id=3228 --run-as-admin --setup-cmd-line="fake_browser_arc --abt-config-resource-file=\"C:\Users\admin\AppData\Local\Temp\abt_config_resource\" --abt-update-path=\"C:\Users\admin\AppData\Local\Temp\537e1ef5-ab04-4abf-b7ba-7dbbef0d6475.tmp\" --brand-name=yandex --distr-info-file=\"C:\Users\admin\AppData\Local\Temp\distrib_info\" --make-browser-default-after-import --ok-button-pressed-time=1499722656 --progress-window=328082 --send-statistics --variations-update-path=\"C:\Users\admin\AppData\Local\Temp\8b87b487-8aa8-452a-87c1-b2fab22c5d99.tmp\" --verbose-logging"
Path: C:\Users\admin\Desktop\Yandex.exe
Parent process: Yandex.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
HIGH
Description:
Yandex
Exit code:
0
Version:
23.9.4.838
Modules
Images
c:\users\admin\desktop\yandex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 11 272
Read events: 11 232
Write events: 37
Delete events: 3

Modification events

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (3228) Yandex.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (3556) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{20DF0E8B-1552-49E4-BA9C-8F4483F28ED7}\{07975770-3571-410D-8AC5-3920E334A15B}
Operation: delete key
Name: (default)
Value: -

Process: (3556) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{20DF0E8B-1552-49E4-BA9C-8F4483F28ED7}
Operation: delete key
Name: (default)
Value: -
Executable files: 3
Suspicious files: 22
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3228 | Yandex.exe | C:\Users\admin\AppData\Local\Temp\website.ico | -
  MD5: -
  SHA256: -
3228 | Yandex.exe | C:\Users\admin\AppData\Local\Temp\distrib_info | binary
  MD5: 754F6D5E8E031888FD757372E717CAAE
  SHA256: 18BBE5999E9CB01E8E9611EB8C502CF97BAB07B34171E838820543E04ADCF836
3228 | Yandex.exe | C:\Users\admin\AppData\Local\Temp\clids.xml | xml
  MD5: 6114476799216A04B18987CB8D4B777E
  SHA256: E2C329938240D4870D167EBAD9582BA480CDB03499974718FB06F23D834F4F9D
3228 | Yandex.exe | C:\Users\admin\AppData\Local\Temp\BrandFile | compressed
  MD5: 213784A7D66181C001A84089A6B07D1C
  SHA256: 0AA811CF7886832601FAE4EB2DCC39D3FDCEDCB92591C28929B21768614D89FE
3228 | Yandex.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
3228 | Yandex.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | binary
  MD5: 6538934F276ECE6A09D9A73B89CDE9A2
  SHA256: 0BC32FBB5B639DB78C8E38A56B9D599A2370C1179656312CF6778FFBE16BE439
3228 | Yandex.exe | C:\Users\admin\AppData\Local\Temp\lite_installer.log | text
  MD5: 2154474C2742FCCB7C9BD3A79CA09D3C
  SHA256: 2E3ACB0C8203C82A7662B7F0FC37446697155506C780801A12AE5EA3B34334D3
3228 | Yandex.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | binary
  MD5: ECCD077B8D96D0F09B44AF935CFBE62A
  SHA256: F4C7F30DF15124DD0D3D86493AFC77A535384125849FC7B3C9F75D665C1F0C57
3228 | Yandex.exe | C:\Users\admin\AppData\Local\Temp\PartnerFile | compressed
  MD5: 835F5525AE77C06A02CD1E3A9D8B980B
  SHA256: 18D83E10BE94DC4B43D10BA1D3E9C4FE1001E21C9AB47128861CDAB066699219
3228 | Yandex.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: E8D43413BA99F9BF619E0FF0D557F497
  SHA256: D5CF2C2286218D041410B68A45F0DB79FF4DBA079AB1F0A5ADE77A53992F3EE7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 42
DNS requests: 47
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

3228 | Yandex.exe | GET | 200 | 67.27.235.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9440e809cae90131 | unknown | compressed | 4.66 Kb | unknown
3228 | Yandex.exe | GET | 200 | 151.101.130.133:80 | http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDHKTQZ%2FO5eSKKEGG7A%3D%3D | unknown | binary | 939 b | unknown
3228 | Yandex.exe | GET | 200 | 151.101.130.133:80 | http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDBp7ql8XxBZU5cVRKg%3D%3D | unknown | binary | 1.40 Kb | unknown
3228 | Yandex.exe | GET | 200 | 151.101.130.133:80 | http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D | unknown | binary | 1.25 Kb | unknown
3228 | Yandex.exe | GET | 200 | 151.101.130.133:80 | http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDBYdd%2FuNCi1s5vcaPw%3D%3D | unknown | binary | 937 b | unknown
3228 | Yandex.exe | GET | 200 | 151.101.194.133:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | binary | 1.41 Kb | unknown
3228 | Yandex.exe | GET | 200 | 151.101.130.133:80 | http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D | unknown | binary | 1.40 Kb | unknown
3228 | Yandex.exe | GET | 200 | 67.27.235.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bb4a2a55651288f2 | unknown | compressed | 4.66 Kb | unknown
3228 | Yandex.exe | GET | 200 | 151.101.194.133:80 | http://crl.globalsign.com/root.crl | unknown | binary | 1.70 Kb | unknown
3228 | Yandex.exe | GET | 200 | 67.27.235.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e7d806a2c31342ae | unknown | compressed | 4.66 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

868 | svchost.exe | 95.101.148.135:80 | - | Akamai International B.V. | NL | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
868 | svchost.exe | 23.35.228.137:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3228 | Yandex.exe | 213.180.193.234:443 | api.browser.yandex.net | YANDEX LLC | RU | whitelisted
3228 | Yandex.exe | 5.45.205.242:443 | download.cdn.yandex.net | YANDEX LLC | RU | whitelisted
3228 | Yandex.exe | 67.27.235.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
3228 | Yandex.exe | 151.101.66.133:80 | ocsp.globalsign.com | FASTLY | US | unknown
3228 | Yandex.exe | 151.101.194.133:80 | ocsp.globalsign.com | FASTLY | US | unknown
3228 | Yandex.exe | 151.101.130.133:80 | ocsp.globalsign.com | FASTLY | US | unknown

DNS requests

Domain
IP
Reputation
armmf.adobe.com
  • 23.35.228.137
whitelisted
download.cdn.yandex.net
  • 5.45.205.242
  • 5.45.205.241
  • 5.45.205.245
  • 5.45.205.244
  • 5.45.205.243
whitelisted
api.browser.yandex.net
  • 213.180.193.234
whitelisted
api.browser.yandex.ru
  • 213.180.193.234
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
ctldl.windowsupdate.com
  • 67.27.235.126
  • 67.26.81.254
  • 8.253.95.121
  • 8.248.149.254
  • 67.27.157.126
whitelisted
ocsp.globalsign.com
  • 151.101.66.133
  • 151.101.194.133
  • 151.101.130.133
  • 151.101.2.133
whitelisted
crl.globalsign.com
  • 151.101.194.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.2.133
whitelisted
ocsp2.globalsign.com
  • 151.101.130.133
  • 151.101.66.133
  • 151.101.194.133
  • 151.101.2.133
whitelisted
ext-cachev2-itt03.cdn.yandex.net
  • 185.70.202.15
whitelisted

Threats

No threats detected
No debug info