File name:

YandexPackLoader.exe

Full analysis: https://app.any.run/tasks/e19489bb-09a9-49fe-9c58-9ae63d536d21
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 26, 2023, 19:45:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

365E6A3DD47CFDB13E9A4A73D841F879

SHA1:

9100230BC2F8744FB0DCE6535CA3658C7DC1DF8B

SHA256:

CDECBF8D84BB7B5ED08948F9B6D3C9C1B97E7C38BDC636FDC75FE7CCA907A803

SSDEEP:

3072:+x3P/sUhfv9/d7HvEQC2mCE0KMlbq3dVCZbnKvg8t8xtbXe0GjuKnkNrin2j53:S3P/Fv9/d7PzqdCbnKxjUIn2j53

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)

    • Actions looks like stealing of personal data

      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)

    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 3044)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)
      • lite_installer.exe (PID: 4912)

    • Process requests binary or script from the Internet

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)

    • Checks Windows Trust Settings

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads security settings of Internet Explorer

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads settings of System Certificates

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads the date of Windows installation

      • YandexPackLoader.exe (PID: 2264)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)

    • Application launched itself

      • YandexPackLoader.exe (PID: 2264)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4224)

    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 3044)

    • Searches for installed software

      • seederexe.exe (PID: 3044)

    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 3044)

    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 3044)

    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)

    • Creates executable files that already exist in Windows

      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)

    • Starts itself from another location

      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)

  • INFO

    • Create files in a temporary directory

      • YandexPackLoader.exe (PID: 2264)
      • YandexPackLoader.exe (PID: 7020)
      • YandexPackSetup.exe (PID: 5308)
      • msiexec.exe (PID: 1652)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)
      • sender.exe (PID: 568)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Checks supported languages

      • YandexPackLoader.exe (PID: 2264)
      • YandexPackSetup.exe (PID: 5308)
      • YandexPackLoader.exe (PID: 7020)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)
      • sender.exe (PID: 568)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads the computer name

      • YandexPackLoader.exe (PID: 2264)
      • YandexPackSetup.exe (PID: 5308)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • seederexe.exe (PID: 3044)
      • lite_installer.exe (PID: 4912)
      • YandexPackLoader.exe (PID: 7020)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)
      • sender.exe (PID: 568)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • The process checks LSA protection

      • YandexPackLoader.exe (PID: 2264)
      • YandexPackSetup.exe (PID: 5308)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)
      • sender.exe (PID: 568)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Checks proxy server information

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Creates files or folders in the user directory

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)

    • Reads the machine GUID from the registry

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • seederexe.exe (PID: 3044)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads the software policy settings

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)

    • Process checks computer location settings

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 1652)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)

    • Reads Environment values

      • msiexec.exe (PID: 1652)

    • Manual execution by a user

      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)
      • 2AE68B04.exe (PID: 4232)
      • msedge.exe (PID: 7800)

    • Application launched itself

      • msedge.exe (PID: 1260)
      • msedge.exe (PID: 7824)
      • msedge.exe (PID: 7800)
      • msedge.exe (PID: 7264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 0.1.0.32
ProductName: Setup Downloader
OriginalFileName: WebDownloader.exe
LegalCopyright: Copyright (C) 2015 Yandex LLC
InternalName: download
FileVersion: 0.1.0.32
FileDescription: Setup Downloader
CharacterSet: Unicode
LanguageCode: Russian
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 0.1.0.32
FileVersionNumber: 0.1.0.32
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x8eb2
UninitializedDataSize: -
InitializedDataSize: 88576
CodeSize: 151040
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2018:12:11 06:24:12+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Dec-2018 06:24:12
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • C:\BuildAgent\work\724ffc1c11fec002\downloader\Release\WebDownloader.pdb
FileDescription: Setup Downloader
FileVersion: 0.1.0.32
InternalName: download
LegalCopyright: Copyright (C) 2015 Yandex LLC
OriginalFilename: WebDownloader.exe
ProductName: Setup Downloader
ProductVersion: 0.1.0.32

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 11-Dec-2018 06:24:12
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00024D1C
0x00024E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63719
.rdata
0x00026000
0x00009BD4
0x00009C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.96753
.data
0x00030000
0x0000360C
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.64313
.gfids
0x00034000
0x00000134
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.42235
.rsrc
0x00035000
0x000067E8
0x00006800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.1595
.reloc
0x0003C000
0x00001A18
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.41306

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.31879
1235
UNKNOWN
English - United States
RT_MANIFEST
2
1.53973
9832
UNKNOWN
Russian - Russia
RT_ICON
3
1.54324
4392
UNKNOWN
Russian - Russia
RT_ICON
4
1.70751
2488
UNKNOWN
Russian - Russia
RT_ICON
5
1.78405
1128
UNKNOWN
Russian - Russia
RT_ICON
107
2.81633
76
UNKNOWN
Russian - Russia
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
Secur32.dll
USER32.dll
VERSION.dll
WINTRUST.dll
WS2_32.dll
WTSAPI32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
198
Monitored processes
63
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start yandexpackloader.exe yandexpacksetup.exe yandexpackloader.exe msiexec.exe msiexec.exe lite_installer.exe seederexe.exe yandex.exe explorer.exe no specs yandex.exe explorer.exe no specs sender.exe {d81eae67-3ded-4f60-85f5-db90075aa3f8}.exe 2ae68b04.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
72"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.149 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.62 --initial-client-data=0x120,0x124,0x128,0xfc,0x134,0x7ffca38ab5f8,0x7ffca38ab608,0x7ffca38ab618C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
308"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3520 --field-trial-handle=2068,i,3375710306770026504,11075592057788442832,131072 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msvcrt.dll
568C:\Users\admin\AppData\Local\Temp\538F0F37-E634-4B80-82EB-B8F2E4604A08\sender.exe --send "/status.xml?clid=2598005-830&uuid=00ed3e44-64a4-413a-91c7-a1dde26836eb&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A16%0A17%0A18%0A20%0A21%0A22%0A25%0A28%0A36%0A38%0A40%0A42%0A43%0A54%0A58%0A59%0A89%0A102%0A103%0A123%0A124%0A125%0A129%0A"C:\Users\admin\AppData\Local\Temp\538F0F37-E634-4B80-82EB-B8F2E4604A08\sender.exe
seederexe.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
Yandex Statistics
Exit code:
0
Version:
0.0.2.14
Modules
Images
c:\users\admin\appdata\local\temp\538f0f37-e634-4b80-82eb-b8f2e4604a08\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
832"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5372 --field-trial-handle=2108,i,4409565299443618776,6871094948999987545,131072 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
964"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=2068,i,3375710306770026504,11075592057788442832,131072 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1260"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://market.yandex.ru/?win=591&clid=2598017-830&from=dist_taskbarpinC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe2AE68B04.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1652C:\Windows\syswow64\MsiExec.exe -Embedding 26EE7692F9548A14994CCB97EBAABB7CC:\Windows\SysWOW64\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1840C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169" /pin-path="C:\Users\admin\AppData\Local\Yandex\YaPin\2AE68B04.8A85F169\Яндекс Маркет.lnk" --is-pinningC:\Users\admin\AppData\Local\Temp\pin\explorer.exeYandex.exe
User:
admin
Integrity Level:
MEDIUM
Description:
YandexPin
Exit code:
0
Version:
3.7.9.0
Modules
Images
c:\users\admin\appdata\local\temp\pin\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
2264"C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe" C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup Downloader
Exit code:
0
Version:
0.1.0.32
Modules
Images
c:\users\admin\appdata\local\temp\yandexpackloader.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2516"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.149 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.62 --initial-client-data=0x120,0x124,0x128,0xfc,0x130,0x7ffca38ab5f8,0x7ffca38ab608,0x7ffca38ab618C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
75 658
Read events
75 394
Write events
236
Delete events
28

Modification events

(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4224) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\Local Settings\MuiCache\20\52C64B7E
Operation:delete keyName:(default)
Value:
(PID) Process:(4224) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\Local Settings\MuiCache\20
Operation:delete keyName:(default)
Value:
(PID) Process:(4224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:delete valueName:C:\Config.Msi\43415a.rbs
Value:
31029367
(PID) Process:(4224) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
Executable files
84
Suspicious files
744
Text files
550
Unknown types
0

Dropped files

PID
Process
Filename
Type
5308YandexPackSetup.exeC:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
MD5:
SHA256:
4224msiexec.exeC:\WINDOWS\Installer\434158.msi
MD5:
SHA256:
2264YandexPackLoader.exeC:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\seed.txttext
MD5:1ED3F6C5E3C6AAD50B5E8A32F3A05D61
SHA256:348AB75CAF2B7E729E604EA827EA7ADB38451E90974A7F8F72767A8DBC693EB9
2264YandexPackLoader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554Ebinary
MD5:CF5ECB22152AD194304AB78CFE24291E
SHA256:E56F7ACA3D80E5F3B881DD5A2EB0CCE7DA5FCE291E7C34993BA583DAE5B0A380
2264YandexPackLoader.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\info[1].rssxml
MD5:1624F4A1E637E4A958CA214764AD4D02
SHA256:69E56887CAF622CDA9BA6380BFC46BC08BA2E80361D9B087B79BF12D40B07F75
4224msiexec.exeC:\WINDOWS\Installer\MSI4243.tmpexecutable
MD5:B502C676E82CB196E20DB36601A08ACE
SHA256:BCA6F0BEC828D4F1D9748E78DE826C327A853BDCEB3C432426F1D53994C0D88F
4224msiexec.exeC:\WINDOWS\Installer\MSI42A2.tmpexecutable
MD5:748143DD96F1E6E67E14384D2EDF4DAF
SHA256:EA551D91B1DDB00A266831438B7B0BA4119D479A38BD5FDC254D47BB520A04B9
1652msiexec.exeC:\Users\admin\AppData\Local\Temp\vendor00000.xmlxml
MD5:33B7F01613D444601BA380545467F348
SHA256:E8BA63FDA077FB2A67271A99B45E6C0D7B6D80421ED9CCE82D05B75A4B6FD686
1652msiexec.exeC:\Users\admin\AppData\Local\Temp\clids-yasearch.xmlxml
MD5:68FB54B2B7F9DDE716EB011CBB5E064B
SHA256:DAB6A4A6E379581654CB451D7D42C7E57376D6878CE6B9F25C4504421758F2B4
4224msiexec.exeC:\WINDOWS\Installer\MSI4575.tmpexecutable
MD5:B502C676E82CB196E20DB36601A08ACE
SHA256:BCA6F0BEC828D4F1D9748E78DE826C327A853BDCEB3C432426F1D53994C0D88F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
166
DNS requests
176
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2264
YandexPackLoader.exe
GET
302
5.45.205.242:80
http://downloader.yandex.net/yandex-pack/downloader/info.rss
RU
whitelisted
2264
YandexPackLoader.exe
GET
302
5.45.205.242:80
http://downloader.yandex.net/yandex-pack/70510/YandexPackSetup.exe
RU
whitelisted
4912
lite_installer.exe
GET
302
5.45.205.242:80
http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2597987-830&ui={00ed3e44-64a4-413a-91c7-a1dde26836eb}
RU
whitelisted
7020
YandexPackLoader.exe
GET
87.250.251.14:80
http://clck.yandex.ru/click/dtype=stred/pid=12/cid=72435/path=dwnldr/p=70510/cnt=0/dt=7/ct=0/rt=2/imp=0/*
RU
whitelisted
5700
{D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDF%2Fn1sfqgtpJxybqEg%3D%3D
US
binary
938 b
whitelisted
2264
YandexPackLoader.exe
GET
200
185.70.202.14:80
http://ext-cachev2-itt02.cdn.yandex.net/downloader.yandex.net/yandex-pack/downloader/info.rss?lid=1529
IT
xml
267 b
whitelisted
2264
YandexPackLoader.exe
GET
200
185.70.202.13:80
http://ext-cachev2-itt01.cdn.yandex.net/downloader.yandex.net/yandex-pack/70510/YandexPackSetup.exe?lid=1529
IT
executable
10.1 Mb
whitelisted
2264
YandexPackLoader.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDHkE0y50%2FEcrZsCKOA%3D%3D
US
binary
1.65 Kb
whitelisted
2264
YandexPackLoader.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
US
binary
1.67 Kb
whitelisted
4912
lite_installer.exe
GET
200
87.250.250.14:80
http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=0.winapi_download/ui=%7B00ed3e44-64a4-413a-91c7-a1dde26836eb%7D/clid1=2597987-830/dt=0/ds=0/bits=7_8_19041_1266/bver=0_0_0_0/prod_version=1_0_1_88/result=ok/*
RU
image
43 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2264
YandexPackLoader.exe
185.70.202.14:80
TELECOM ITALIA SPARKLE S.p.A.
IT
malicious
2264
YandexPackLoader.exe
5.45.205.242:80
YANDEX LLC
RU
whitelisted
2148
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2264
YandexPackLoader.exe
185.70.202.13:80
TELECOM ITALIA SPARKLE S.p.A.
IT
malicious
5756
svchost.exe
20.190.159.23:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
suspicious
104.103.88.140:80
go.microsoft.com
AKAMAI-AS
AT
suspicious
4912
lite_installer.exe
87.250.250.14:80
clck.yandex.ru
YANDEX LLC
RU
whitelisted
2264
YandexPackLoader.exe
104.18.20.226:80
ocsp.globalsign.com
CLOUDFLARENET
shared
7020
YandexPackLoader.exe
87.250.251.14:80
clck.yandex.ru
YANDEX LLC
RU
whitelisted
4912
lite_installer.exe
5.45.205.242:80
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
downloader.yandex.net
whitelisted
ext-cachev2-itt02.cdn.yandex.net
whitelisted
ext-cachev2-itt01.cdn.yandex.net
whitelisted
officeclient.microsoft.com
  • 52.109.124.153
whitelisted
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
clck.yandex.ru
  • 87.250.250.14
  • 213.180.204.14
  • 93.158.134.14
  • 213.180.193.14
  • 77.88.21.14
  • 87.250.251.14
whitelisted
ext-cachev2-itt03.cdn.yandex.net
whitelisted
soft.export.yandex.ru
  • 87.250.254.20
whitelisted
api.browser.yandex.ru
  • 213.180.193.234
whitelisted
download.cdn.yandex.net
whitelisted

Threats

PID
Process
Class
Message
2264
YandexPackLoader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7020
YandexPackLoader.exe
Attempted Information Leak
ET POLICY curl User-Agent Outbound
4912
lite_installer.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4912
lite_installer.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
Misc activity
ET INFO Windows OS Submitting USB Metadata to Microsoft
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
2 ETPRO signatures available at the full report
Process
Message
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
YandexPackLoader.exe