File name: YandexPackLoader.exe

Full analysis: https://app.any.run/tasks/5698c839-6bd8-41d3-b49c-10b912f55a65
Verdict: Malicious activity
Threats:

A loader is malware whose job is to get onto a device and deliver further payloads. Once running it typically profiles the system (OS, user, installed software) and then fetches and installs other threats such as trojans or stealers. Loaders are usually delivered through phishing emails and links, relying on social engineering to get the user to download and run the executable, and they commonly use evasion and persistence techniques to avoid detection.

Analysis date: September 15, 2024, 11:58:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
stealer
possible-phishing-ml
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0F1F619E0539E8786C2A7C8DF4C60BA5
SHA1: F756D939060B5F0BF86637B92EC9684901FA8AA9
SHA256: A531DF85F805CA5BE16DE924EEA1DFFC97D82A62390E7A0FC7E5064078ABAE92
SSDEEP: 6144:BTM6qtgn0I+4i5tucngwZXp+V44zPOfBOLzh:BdTcscgwQ44zWZwh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • lite_installer.exe (PID: 4784)
      • seederexe.exe (PID: 2700)
      • setup.exe (PID: 608)
      • setup.exe (PID: 3296)
    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 2700)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • YandexPackLoader.exe (PID: 5284)
      • Yandex.exe (PID: 6112)
      • lite_installer.exe (PID: 4784)
      • ybDE81.tmp (PID: 876)
    • Reads security settings of Internet Explorer

      • YandexPackLoader.exe (PID: 5284)
      • lite_installer.exe (PID: 4784)
      • Yandex.exe (PID: 6112)
      • explorer.exe (PID: 2576)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • YandexWorking.exe (PID: 2576)
      • setup.exe (PID: 608)
    • Potential Corporate Privacy Violation

      • YandexPackLoader.exe (PID: 5284)
      • lite_installer.exe (PID: 4784)
    • Checks Windows Trust Settings

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 4644)
      • lite_installer.exe (PID: 4784)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • setup.exe (PID: 608)
    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 488)
    • Process requests binary or script from the Internet

      • YandexPackLoader.exe (PID: 5284)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4644)
    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 2700)
    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 2700)
    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 2700)
    • Starts itself from another location

      • Yandex.exe (PID: 6112)
    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 6112)
    • Creates a software uninstall entry

      • Yandex.exe (PID: 6112)
    • Application launched itself

      • YandexPackLoader.exe (PID: 5284)
      • setup.exe (PID: 608)
    • Starts application with an unusual extension

      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
  • INFO

    • Checks proxy server information

      • YandexPackLoader.exe (PID: 5284)
      • lite_installer.exe (PID: 4784)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • setup.exe (PID: 608)
    • Create files in a temporary directory

      • YandexPackLoader.exe (PID: 5284)
      • YandexPackSetup.exe (PID: 488)
      • msiexec.exe (PID: 3812)
      • seederexe.exe (PID: 2700)
      • lite_installer.exe (PID: 4784)
      • Yandex.exe (PID: 6112)
      • sender.exe (PID: 1288)
      • YandexPackLoader.exe (PID: 1480)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • ybDE81.tmp (PID: 876)
      • setup.exe (PID: 608)
    • Reads the computer name

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 4644)
      • msiexec.exe (PID: 3812)
      • seederexe.exe (PID: 2700)
      • lite_installer.exe (PID: 4784)
      • YandexPackLoader.exe (PID: 1480)
      • explorer.exe (PID: 2576)
      • Yandex.exe (PID: 6112)
      • YandexPackSetup.exe (PID: 488)
      • sender.exe (PID: 1288)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • identity_helper.exe (PID: 4088)
      • YandexWorking.exe (PID: 2576)
      • ybDE81.tmp (PID: 876)
      • setup.exe (PID: 608)
      • identity_helper.exe (PID: 1920)
    • Checks supported languages

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 4644)
      • msiexec.exe (PID: 3812)
      • lite_installer.exe (PID: 4784)
      • seederexe.exe (PID: 2700)
      • explorer.exe (PID: 2576)
      • Yandex.exe (PID: 6112)
      • sender.exe (PID: 1288)
      • YandexPackSetup.exe (PID: 488)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • YandexPackLoader.exe (PID: 1480)
      • identity_helper.exe (PID: 4088)
      • YandexWorking.exe (PID: 2576)
      • identity_helper.exe (PID: 1920)
      • ybDE81.tmp (PID: 876)
      • setup.exe (PID: 608)
      • setup.exe (PID: 3296)
    • Creates files or folders in the user directory

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 3812)
      • msiexec.exe (PID: 4644)
      • lite_installer.exe (PID: 4784)
      • seederexe.exe (PID: 2700)
      • Yandex.exe (PID: 6112)
      • explorer.exe (PID: 2576)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • setup.exe (PID: 3296)
      • setup.exe (PID: 608)
    • Reads the machine GUID from the registry

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 4644)
      • seederexe.exe (PID: 2700)
      • lite_installer.exe (PID: 4784)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • setup.exe (PID: 608)
    • The process uses the downloaded file

      • YandexPackLoader.exe (PID: 5284)
    • Process checks computer location settings

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 3812)
      • explorer.exe (PID: 2576)
      • Yandex.exe (PID: 6112)
    • Reads the software policy settings

      • YandexPackLoader.exe (PID: 5284)
      • msiexec.exe (PID: 4644)
      • lite_installer.exe (PID: 4784)
      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • setup.exe (PID: 608)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4644)
      • msiexec.exe (PID: 3812)
    • Sends debugging messages

      • msiexec.exe (PID: 3812)
      • YandexPackLoader.exe (PID: 1480)
      • YandexPackSetup.exe (PID: 488)
    • Manual execution by a user

      • {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe (PID: 6912)
      • Taskmgr.exe (PID: 2080)
      • Taskmgr.exe (PID: 2268)
      • YandexWorking.exe (PID: 2576)
    • Reads Environment values

      • identity_helper.exe (PID: 4088)
      • identity_helper.exe (PID: 1920)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 2268)
    • Application launched itself

      • msedge.exe (PID: 740)
      • msedge.exe (PID: 7680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:05:19 13:34:48+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 143360
InitializedDataSize: 84992
UninitializedDataSize: -
EntryPoint: 0x74a6
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.1.0.33
ProductVersionNumber: 0.1.0.33
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
FileDescription: Setup Downloader
FileVersion: 0.1.0.33
InternalName: download
LegalCopyright: Copyright (C) 2015 Yandex LLC
OriginalFileName: downloader.exe
ProductName: Setup Downloader
ProductVersion: 0.1.0.33
No data.
All screenshots are available in the full report
Total processes: 210
Monitored processes: 73
Malicious processes: 10
Suspicious processes: 0

Behavior graph

Process launch order as shown in the graph (entries marked "no specs" carry that label in the graph; the many msedge.exe and identity_helper.exe child processes are collapsed here):
yandexpackloader.exe
yandexpacksetup.exe
yandexpackloader.exe
msiexec.exe
msiexec.exe
lite_installer.exe
seederexe.exe
yandex.exe
explorer.exe (no specs)
sender.exe
{8e2383a4-d765-4402-a19c-4464ee841ac6}.exe
taskmgr.exe (no specs)
taskmgr.exe
yandexworking.exe (no specs)
msedge.exe and identity_helper.exe (numerous child processes, most marked "no specs")
ybde81.tmp
setup.exe
setup.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 400
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6828 --field-trial-handle=2080,i,5917117055417762654,13192308404476626151,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 488
CMD: "C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /passive /msicl "VID=193 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y "
Path: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
Parent process: YandexPackLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Software Installer
Exit code:
0
Version:
3.0.5419.0
Modules
Images
c:\users\admin\appdata\local\temp\7f4987fb1a6e43d69e3e94b29eb75926\yandexpacksetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 608
CMD: "C:\Users\admin\AppData\Local\Temp\YB_9F5A1.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\YB_9F5A1.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\admin\AppData\Local\Temp\86a9fd74-a60a-4361-8b55-c9834a68a2d3.tmp" --brand-name=yandex --brand-package="C:\Users\admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=1236591691 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{1C9CAD5E-2159-472F-B1CA-AA16D2A8AF22} --local-path="C:\Users\admin\AppData\Local\Temp\{8E2383A4-D765-4402-A19C-4464EE841AC6}.exe" --partner-package="C:\Users\admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2840689-193&ui=77528274-11B4-4988-BFC3-D60D93605e19 --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\admin\AppData\Local\Temp\2d7e86e3-f707-4b82-953d-455036989f15.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\admin\AppData\Local\Temp\website.ico"
Path: C:\Users\admin\AppData\Local\Temp\YB_9F5A1.tmp\setup.exe
Parent process: ybDE81.tmp
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Yandex
Version:
24.7.2.1100
Modules
Images
c:\users\admin\appdata\local\temp\yb_9f5a1.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 740
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ya.ru/?win=663&clid=2840719-193&from=dist_pin
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: YandexWorking.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 876
CMD: "C:\Users\admin\AppData\Local\Temp\ybDE81.tmp" --abt-config-resource-file="C:\Users\admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\admin\AppData\Local\Temp\86a9fd74-a60a-4361-8b55-c9834a68a2d3.tmp" --brand-name=yandex --brand-package="C:\Users\admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=1236591691 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{1C9CAD5E-2159-472F-B1CA-AA16D2A8AF22} --local-path="C:\Users\admin\AppData\Local\Temp\{8E2383A4-D765-4402-A19C-4464EE841AC6}.exe" --partner-package="C:\Users\admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2840689-193&ui=77528274-11B4-4988-BFC3-D60D93605e19 --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\admin\AppData\Local\Temp\2d7e86e3-f707-4b82-953d-455036989f15.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\admin\AppData\Local\Temp\website.ico"
Path: C:\Users\admin\AppData\Local\Temp\ybDE81.tmp
Parent process: {8E2383A4-D765-4402-A19C-4464EE841AC6}.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
MEDIUM
Description:
Yandex Installer
Version:
24.7.2.1100
Modules
Images
c:\users\admin\appdata\local\temp\ybde81.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1280
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6256 --field-trial-handle=2080,i,5917117055417762654,13192308404476626151,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1288
CMD: C:\Users\admin\AppData\Local\Temp\C7F095D5-A766-4B25-87E8-2B21E780083D\sender.exe --send "/status.xml?clid=2840711-193&uuid=77528274-11B4-4988-BFC3-D60D93605e19&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A45%0A58%0A59%0A89%0A103%0A111%0A123%0A124%0A125%0A129%0A"
Path: C:\Users\admin\AppData\Local\Temp\C7F095D5-A766-4B25-87E8-2B21E780083D\sender.exe
Parent process: seederexe.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
Yandex Statistics
Exit code:
0
Version:
0.0.2.14
Modules
Images
c:\users\admin\appdata\local\temp\c7f095d5-a766-4b25-87e8-2b21e780083d\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1480
CMD: C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe --stat dwnldr/p=126279/cnt=0/dt=7/ct=0/rt=0 --dh 2400 --st 1726401530
Path: C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe
Parent process: YandexPackLoader.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup Downloader
Exit code:
0
Version:
0.1.0.33
Modules
Images
c:\users\admin\appdata\local\temp\yandexpackloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1780
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2736 --field-trial-handle=2080,i,5917117055417762654,13192308404476626151,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1920
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4908 --field-trial-handle=2380,i,12213109374462790691,10229662416183283561,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
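As an added illustration (this editor's code, not part of the ANY.RUN report and not ANY.RUN's detection logic), the following Python re-implements three of the behavioural signatures listed above, "Starts application with an unusual extension", "Starts a Microsoft application from unusual location" and "Application launched itself", as plain heuristics over process records transcribed from this section. The PIDs, image paths, Company fields and parent names come from the page; the extension set, the trusted install roots and the decision rules are assumptions.

```python
# Added example (not part of the ANY.RUN report): three of the behavioural signatures
# listed above, re-implemented as simple heuristics over process records. The records
# are transcribed from the Process information section; the heuristic logic is this
# editor's assumption about how such signatures work, not ANY.RUN's implementation.
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full image path as reported
    company: str  # "Company:" field, "" where the report shows none
    parent: str   # parent image name as reported


# Transcribed from the report, in page order.
PROCESSES = [
    Proc(488, r"C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe",
         "Microsoft Corporation", "YandexPackLoader.exe"),
    Proc(608, r"C:\Users\admin\AppData\Local\Temp\YB_9F5A1.tmp\setup.exe", "YANDEX LLC", "ybDE81.tmp"),
    Proc(740, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         "Microsoft Corporation", "YandexWorking.exe"),
    Proc(876, r"C:\Users\admin\AppData\Local\Temp\ybDE81.tmp", "YANDEX LLC",
         "{8E2383A4-D765-4402-A19C-4464EE841AC6}.exe"),
    Proc(1288, r"C:\Users\admin\AppData\Local\Temp\C7F095D5-A766-4B25-87E8-2B21E780083D\sender.exe",
         "Yandex", "seederexe.exe"),
    Proc(1480, r"C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe", "", "YandexPackLoader.exe"),
    Proc(1920, r"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe",
         "Microsoft Corporation", "msedge.exe"),
]

# Assumptions: what counts as a normal executable extension and a normal install root.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def unusual_extension(p: Proc) -> bool:
    """'Starts application with an unusual extension': the image name does not end in an executable extension."""
    return ntpath.splitext(p.image)[1].lower() not in EXECUTABLE_EXTENSIONS


def microsoft_app_from_unusual_location(p: Proc) -> bool:
    """'Starts a Microsoft application from unusual location': a Microsoft-attributed image running
    from outside the usual install roots, for example a user's %TEMP% directory."""
    if "microsoft" not in p.company.lower():
        return False
    return not p.image.lower().startswith(TRUSTED_ROOTS)


def launched_itself(p: Proc) -> bool:
    """'Application launched itself': the parent has the same image name as the child. The report attaches
    this tag to the parent (PID 5284); these records are child-side, so the child (PID 1480) carries it here."""
    return ntpath.basename(p.image).lower() == p.parent.lower()


CHECKS = {
    "unusual-extension": unusual_extension,
    "microsoft-app-unusual-location": microsoft_app_from_unusual_location,
    "launched-itself": launched_itself,
}


def evaluate(procs=PROCESSES) -> dict:
    """Return {pid: [tag, ...]} for every record that trips at least one heuristic."""
    hits = {}
    for p in procs:
        tags = [tag for tag, check in CHECKS.items() if check(p)]
        if tags:
            hits[p.pid] = tags
    return hits


if __name__ == "__main__":
    for pid, tags in evaluate().items():
        print(pid, ", ".join(tags))
```

Run against the transcribed records this flags PID 876 (a .tmp image), PID 488 (Company "Microsoft Corporation" running from %TEMP%) and PID 1480 (same image name as its parent), which is where the report places those three signatures; the heuristics are deliberately simple and produce the same labels from the same evidence, nothing more.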
Total events: 28 334
Read events: 28 147
Write events: 165
Delete events: 22

Modification events

Process: (5284) YandexPackLoader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (5284) YandexPackLoader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (5284) YandexPackLoader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (4644) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 24120000076B66A16607DB01

Process: (4644) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: FB43B6157E1328992865FE4005225A2B429A24C95820B3E31D2528C46662088D

Process: (4644) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (4784) lite_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Yandex
Operation: write
Name: UICreated_admin
Value: 1

Process: (4784) lite_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (4784) lite_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (4784) lite_installer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 40
Suspicious files: 700
Text files: 272
Unknown types: 7

Dropped files

PID 488, YandexPackSetup.exe
  File: C:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
  Type: -
  MD5: -
  SHA256: -
PID 4644, msiexec.exe
  File: C:\Windows\Installer\12bd2e.msi
  Type: -
  MD5: -
  SHA256: -
PID 5284, YandexPackLoader.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\YandexPackSetup[1].exe
  Type: executable
  MD5: E0124B2FDD38219357A84FE0243A6952
  SHA256: 577E4E76C3A84FF3A8D26504DEBCF31811C55DB0BAABA94B97F6AC353D762E83
PID 4644, msiexec.exe
  File: C:\Windows\Installer\MSIBFB0.tmp
  Type: executable
  MD5: E6FD0E66CF3BFD3CC04A05647C3C7C54
  SHA256: 669CC0AAE068CED3154ACAECB0C692C4C5E61BC2CA95B40395A3399E75FCB9B2
PID 5284, YandexPackLoader.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
  Type: binary
  MD5: 30ACF1D9E2B4B1BA0EC272D93FDFC61C
  SHA256: F2599E13185E055C0FB1B0EF38CB0879677EC04B49F92DDB327B3245556D383F
PID 5284, YandexPackLoader.exe
  File: C:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
  Type: executable
  MD5: E0124B2FDD38219357A84FE0243A6952
  SHA256: 577E4E76C3A84FF3A8D26504DEBCF31811C55DB0BAABA94B97F6AC353D762E83
PID 5284, YandexPackLoader.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
  Type: binary
  MD5: 8A53E991BBAE4FA7DDA76F2162D1E935
  SHA256: AF9616FE9DED4FDD2814BB87A302B5FA73D4E40421C4E822A6FC7A8EFE3B254B
PID 4644, msiexec.exe
  File: C:\Windows\Installer\MSIBFE0.tmp
  Type: executable
  MD5: 0C80A997D37D930E7317D6DAC8BB7AE1
  SHA256: A5DD2F97C6787C335B7807FF9B6966877E9DD811F9E26326837A7D2BD224DE86
PID 5284, YandexPackLoader.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Type: binary
  MD5: EB06D1FAC7AD680EDA7A3F60A0719BDC
  SHA256: 10A9D89773D789CEA63FD588BABFAFD3046A2597B0649ABEC37EE2EF3FB0375D
PID 4644, msiexec.exe
  File: C:\Windows\Installer\MSIBF71.tmp
  Type: executable
  MD5: E6FD0E66CF3BFD3CC04A05647C3C7C54
  SHA256: 669CC0AAE068CED3154ACAECB0C692C4C5E61BC2CA95B40395A3399E75FCB9B2
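The hash list above is the usable IOC set from this report. The following Python, added here and not part of the ANY.RUN report, matches files on disk against those MD5/SHA256 pairs and the sample's own SHA256, and reproduces the Type column's "executable" versus "binary" split with a PE header check (MZ signature plus a valid e_lfanew pointing at "PE\0\0"). The hashes are copied from the page; the function names, the verdict labels and the constructed test input are this editor's own.

```python
# Added example (not part of the ANY.RUN report): hash-match files against the dropped-file
# IOCs listed above and classify them the way the report's Type column does. The hash values
# are copied from the report; the helper names and the test input are this editor's own.
import hashlib
import struct
from pathlib import Path

# MD5 -> SHA256 of the executables and binaries in the "Dropped files" section.
DROPPED_FILE_HASHES = {
    "E0124B2FDD38219357A84FE0243A6952": "577E4E76C3A84FF3A8D26504DEBCF31811C55DB0BAABA94B97F6AC353D762E83",  # YandexPackSetup.exe
    "E6FD0E66CF3BFD3CC04A05647C3C7C54": "669CC0AAE068CED3154ACAECB0C692C4C5E61BC2CA95B40395A3399E75FCB9B2",  # MSIBFB0.tmp / MSIBF71.tmp
    "0C80A997D37D930E7317D6DAC8BB7AE1": "A5DD2F97C6787C335B7807FF9B6966877E9DD811F9E26326837A7D2BD224DE86",  # MSIBFE0.tmp
    "30ACF1D9E2B4B1BA0EC272D93FDFC61C": "F2599E13185E055C0FB1B0EF38CB0879677EC04B49F92DDB327B3245556D383F",  # CryptnetUrlCache metadata
    "8A53E991BBAE4FA7DDA76F2162D1E935": "AF9616FE9DED4FDD2814BB87A302B5FA73D4E40421C4E822A6FC7A8EFE3B254B",  # CryptnetUrlCache content
    "EB06D1FAC7AD680EDA7A3F60A0719BDC": "10A9D89773D789CEA63FD588BABFAFD3046A2597B0649ABEC37EE2EF3FB0375D",  # CryptnetUrlCache metadata
}
# SHA256 of the analysed sample itself (Indicators section).
SAMPLE_SHA256 = "A531DF85F805CA5BE16DE924EEA1DFFC97D82A62390E7A0FC7E5064078ABAE92"


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same form the report prints them."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def classify(data: bytes) -> str:
    """Mirror the report's Type column: 'executable' for a PE image (MZ header whose e_lfanew
    field at offset 0x3C points at a 'PE\\0\\0' signature), 'binary' for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "binary"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "executable"
    return "binary"


def triage(data: bytes, iocs=DROPPED_FILE_HASHES, sample_sha256=SAMPLE_SHA256) -> dict:
    """Hashes, type and a verdict: 'sample', 'dropped-file' (MD5 and SHA256 both agree), 'md5-only'
    (MD5 hit but SHA256 differs, so treat as a possible collision or transcription error) or 'unknown'."""
    h = file_hashes(data)
    if h["sha256"] == sample_sha256:
        verdict = "sample"
    elif h["md5"] in iocs:
        verdict = "dropped-file" if iocs[h["md5"]] == h["sha256"] else "md5-only"
    else:
        verdict = "unknown"
    return {**h, "type": classify(data), "verdict": verdict}


def scan_files(files, iocs=DROPPED_FILE_HASHES):
    """files: iterable of (label, bytes). Returns [(label, triage result)] for every non-'unknown' file."""
    hits = []
    for label, data in files:
        result = triage(data, iocs)
        if result["verdict"] != "unknown":
            hits.append((label, result))
    return hits


def scan_directory(root, iocs=DROPPED_FILE_HASHES):
    """Walk a directory (for example an image of %TEMP% or C:\\Windows\\Installer) and hash-match its files."""
    paths = (p for p in Path(root).rglob("*") if p.is_file())
    return scan_files(((str(p), p.read_bytes()) for p in paths), iocs)


def minimal_pe_stub() -> bytes:
    """Constructed input: the smallest byte string classify() accepts as a PE image. It is not a real
    executable and does not match any hash in the report."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> immediately after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print(triage(minimal_pe_stub()))
```

A file whose MD5 matches but whose SHA256 does not is reported as "md5-only" rather than as a hit, since MD5 on its own is not collision-resistant; a confirmed hit requires both digests. The two .msi entries at the top of the list carry no hashes in the report and are therefore not in the IOC set.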
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 25
TCP/UDP connections: 152
DNS requests: 126
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5284 | YandexPackLoader.exe | GET | 302 | 5.45.205.242:80 | http://downloader.yandex.net/yandex-pack/126279/YandexPackSetup.exe | RU | - | - | whitelisted
5284 | YandexPackLoader.exe | GET | 200 | 5.45.247.52:80 | http://cachev2-ams02.cdn.yandex.net/downloader.yandex.net/yandex-pack/126279/YandexPackSetup.exe?lid=289 | RU | executable | 10.1 Mb | whitelisted
5284 | YandexPackLoader.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | binary | 1.67 Kb | whitelisted
5284 | YandexPackLoader.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDG8SbJzCh95FjOiQ9g%3D%3D | unknown | binary | 1.65 Kb | whitelisted
3652 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
4784 | lite_installer.exe | GET | 302 | 5.45.205.242:80 | http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2840689-193&ui=77528274-11B4-4988-BFC3-D60D93605e19 | RU | - | - | whitelisted
4784 | lite_installer.exe | GET | 200 | 213.180.204.14:80 | http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=0.winapi_download/ui=77528274-11B4-4988-BFC3-D60D93605e19/clid1=2840689-193/dt=0/ds=0/bits=7_8_19041_3636/bver=0_0_0_0/prod_version=1_0_1_9/result=ok/* | RU | image | 43 b | whitelisted
4784 | lite_installer.exe | GET | 200 | 5.45.247.11:80 | http://cachev2-ams15.cdn.yandex.net/downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2840689-193&ui=77528274-11B4-4988-BFC3-D60D93605e19&lid=300 | RU | executable | 10.7 Mb | whitelisted
6056 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
1480 | YandexPackLoader.exe | GET | - | 213.180.204.14:80 | http://clck.yandex.ru/click/dtype=stred/pid=12/cid=72435/path=dwnldr/p=126279/cnt=0/dt=7/ct=0/rt=3/imp=0/* | RU | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6248 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6056 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5284 | YandexPackLoader.exe | 5.45.205.242:80 | downloader.yandex.net | YANDEX LLC | RU | whitelisted
5284 | YandexPackLoader.exe | 5.45.247.52:80 | cachev2-ams02.cdn.yandex.net | YANDEX LLC | RU | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5284 | YandexPackLoader.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | - | whitelisted
3652 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3652 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
downloader.yandex.net
  • 5.45.205.242
  • 5.45.205.244
  • 5.45.205.243
  • 5.45.205.241
  • 5.45.205.245
whitelisted
cachev2-ams02.cdn.yandex.net
  • 5.45.247.52
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
  • 151.101.194.133
  • 151.101.66.133
  • 151.101.2.133
  • 151.101.130.133
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 20.73.194.208
whitelisted
clck.yandex.ru
  • 213.180.204.14
  • 87.250.250.14
  • 77.88.21.14
  • 87.250.251.14
  • 213.180.193.14
  • 93.158.134.14
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID | Process | Class | Message
5284 | YandexPackLoader.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4784 | lite_installer.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
4784 | lite_installer.exe | Misc activity | ET INFO EXE - Served Attached HTTP

Note that "Class" here is the IDS rule's classtype ("policy-violation" is rendered as "Potential Corporate Privacy Violation", "misc-activity" as "Misc activity"), not a finding that data left the host. All three alerts fire on the two PE files fetched over cleartext HTTP, YandexPackSetup.exe (PID 5284) and Yandex.exe (PID 4784), listed under HTTP requests above; they characterise the transport, not the content of the payload.
Debug output

Process | Message
YandexPackSetup.exe | IsAlreadyRun() In
YandexPackSetup.exe | IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe | IsMSISrvFree() In
YandexPackSetup.exe | IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe | IsMSISrvFree() Out ret = 1
YandexPackSetup.exe | GetLoggedCreds_WTSSessionInfo(): szUserName = admin, szDomain = DESKTOP-JGLLJLD, dwSessionId = 1
YandexPackSetup.exe | GetSidFromEnumSess(): LsaGetLogonSessionData(0) err = 5
YandexPackSetup.exe | GetSidFromEnumSess(): LsaGetLogonSessionData(1) err = 5
YandexPackSetup.exe | GetSidFromEnumSess(): ProfileImagePath(2) = C:\Users\admin
YandexPackSetup.exe | GetSidFromEnumSess(): LsaEnumerateLogonSessions() lpszSid = S-1-5-21-1693682860-607145093-2874071422-1001