File name:

YandexPackLoader.exe

Full analysis: https://app.any.run/tasks/e19489bb-09a9-49fe-9c58-9ae63d536d21
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 26, 2023, 19:45:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

365E6A3DD47CFDB13E9A4A73D841F879

SHA1:

9100230BC2F8744FB0DCE6535CA3658C7DC1DF8B

SHA256:

CDECBF8D84BB7B5ED08948F9B6D3C9C1B97E7C38BDC636FDC75FE7CCA907A803

SSDEEP:

3072:+x3P/sUhfv9/d7HvEQC2mCE0KMlbq3dVCZbnKvg8t8xtbXe0GjuKnkNrin2j53:S3P/Fv9/d7PzqdCbnKxjUIn2j53

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)

    • Actions looks like stealing of personal data

      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)

    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 3044)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 4224)
      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)
      • lite_installer.exe (PID: 4912)

    • Checks Windows Trust Settings

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Application launched itself

      • YandexPackLoader.exe (PID: 2264)

    • Process requests binary or script from the Internet

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)

    • Reads security settings of Internet Explorer

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads settings of System Certificates

      • msiexec.exe (PID: 4224)
      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4224)

    • Reads the date of Windows installation

      • YandexPackLoader.exe (PID: 2264)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)

    • Searches for installed software

      • seederexe.exe (PID: 3044)

    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 3044)

    • Changes the title of the Internet Explorer window

      • seederexe.exe (PID: 3044)

    • Changes the Home page of Internet Explorer

      • seederexe.exe (PID: 3044)

    • The process creates files with name similar to system file names

      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)

    • Creates executable files that already exist in Windows

      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)

    • Starts itself from another location

      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)

  • INFO

    • The process checks LSA protection

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)
      • YandexPackSetup.exe (PID: 5308)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)
      • sender.exe (PID: 568)

    • Reads the computer name

      • YandexPackLoader.exe (PID: 2264)
      • YandexPackSetup.exe (PID: 5308)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • YandexPackLoader.exe (PID: 7020)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)
      • sender.exe (PID: 568)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Reads the machine GUID from the registry

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • seederexe.exe (PID: 3044)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Create files in a temporary directory

      • YandexPackLoader.exe (PID: 2264)
      • YandexPackLoader.exe (PID: 7020)
      • YandexPackSetup.exe (PID: 5308)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • Yandex.exe (PID: 4860)
      • sender.exe (PID: 568)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)
      • msiexec.exe (PID: 1652)

    • Reads the software policy settings

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)

    • Checks supported languages

      • YandexPackSetup.exe (PID: 5308)
      • YandexPackLoader.exe (PID: 7020)
      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 4224)
      • msiexec.exe (PID: 1652)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)
      • sender.exe (PID: 568)

    • Reads Environment values

      • msiexec.exe (PID: 1652)

    • Checks proxy server information

      • YandexPackLoader.exe (PID: 2264)
      • lite_installer.exe (PID: 4912)
      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)

    • Creates files or folders in the user directory

      • YandexPackLoader.exe (PID: 2264)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 4224)
      • lite_installer.exe (PID: 4912)
      • seederexe.exe (PID: 3044)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)

    • Process checks computer location settings

      • msiexec.exe (PID: 1652)
      • YandexPackLoader.exe (PID: 2264)
      • Yandex.exe (PID: 6408)
      • explorer.exe (PID: 4000)
      • Yandex.exe (PID: 4860)
      • explorer.exe (PID: 1840)

    • Manual execution by a user

      • {D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe (PID: 5700)
      • 2AE68B04.exe (PID: 4232)
      • msedge.exe (PID: 7800)

    • Application launched itself

      • msedge.exe (PID: 1260)
      • msedge.exe (PID: 7824)
      • msedge.exe (PID: 7800)
      • msedge.exe (PID: 7264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 0.1.0.32
ProductName: Setup Downloader
OriginalFileName: WebDownloader.exe
LegalCopyright: Copyright (C) 2015 Yandex LLC
InternalName: download
FileVersion: 0.1.0.32
FileDescription: Setup Downloader
CharacterSet: Unicode
LanguageCode: Russian
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 0.1.0.32
FileVersionNumber: 0.1.0.32
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x8eb2
UninitializedDataSize: -
InitializedDataSize: 88576
CodeSize: 151040
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2018:12:11 06:24:12+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Dec-2018 06:24:12
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • C:\BuildAgent\work\724ffc1c11fec002\downloader\Release\WebDownloader.pdb
FileDescription: Setup Downloader
FileVersion: 0.1.0.32
InternalName: download
LegalCopyright: Copyright (C) 2015 Yandex LLC
OriginalFilename: WebDownloader.exe
ProductName: Setup Downloader
ProductVersion: 0.1.0.32

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 11-Dec-2018 06:24:12
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00024D1C
0x00024E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63719
.rdata
0x00026000
0x00009BD4
0x00009C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.96753
.data
0x00030000
0x0000360C
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.64313
.gfids
0x00034000
0x00000134
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.42235
.rsrc
0x00035000
0x000067E8
0x00006800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.1595
.reloc
0x0003C000
0x00001A18
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.41306

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.31879
1235
UNKNOWN
English - United States
RT_MANIFEST
2
1.53973
9832
UNKNOWN
Russian - Russia
RT_ICON
3
1.54324
4392
UNKNOWN
Russian - Russia
RT_ICON
4
1.70751
2488
UNKNOWN
Russian - Russia
RT_ICON
5
1.78405
1128
UNKNOWN
Russian - Russia
RT_ICON
107
2.81633
76
UNKNOWN
Russian - Russia
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
Secur32.dll
USER32.dll
VERSION.dll
WINTRUST.dll
WS2_32.dll
WTSAPI32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
198
Monitored processes
63
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start yandexpackloader.exe yandexpacksetup.exe yandexpackloader.exe msiexec.exe msiexec.exe lite_installer.exe seederexe.exe yandex.exe explorer.exe no specs yandex.exe explorer.exe no specs sender.exe {d81eae67-3ded-4f60-85f5-db90075aa3f8}.exe 2ae68b04.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
72"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.149 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.62 --initial-client-data=0x120,0x124,0x128,0xfc,0x134,0x7ffca38ab5f8,0x7ffca38ab608,0x7ffca38ab618C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
308"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3520 --field-trial-handle=2068,i,3375710306770026504,11075592057788442832,131072 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msvcrt.dll
568C:\Users\admin\AppData\Local\Temp\538F0F37-E634-4B80-82EB-B8F2E4604A08\sender.exe --send "/status.xml?clid=2598005-830&uuid=00ed3e44-64a4-413a-91c7-a1dde26836eb&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A16%0A17%0A18%0A20%0A21%0A22%0A25%0A28%0A36%0A38%0A40%0A42%0A43%0A54%0A58%0A59%0A89%0A102%0A103%0A123%0A124%0A125%0A129%0A"C:\Users\admin\AppData\Local\Temp\538F0F37-E634-4B80-82EB-B8F2E4604A08\sender.exe
seederexe.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
Yandex Statistics
Exit code:
0
Version:
0.0.2.14
Modules
Images
c:\users\admin\appdata\local\temp\538f0f37-e634-4b80-82eb-b8f2e4604a08\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
832"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5372 --field-trial-handle=2108,i,4409565299443618776,6871094948999987545,131072 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
964"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=2068,i,3375710306770026504,11075592057788442832,131072 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1260"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://market.yandex.ru/?win=591&clid=2598017-830&from=dist_taskbarpinC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe2AE68B04.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1652C:\Windows\syswow64\MsiExec.exe -Embedding 26EE7692F9548A14994CCB97EBAABB7CC:\Windows\SysWOW64\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1840C:\Users\admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169" /pin-path="C:\Users\admin\AppData\Local\Yandex\YaPin\2AE68B04.8A85F169\Яндекс Маркет.lnk" --is-pinningC:\Users\admin\AppData\Local\Temp\pin\explorer.exeYandex.exe
User:
admin
Integrity Level:
MEDIUM
Description:
YandexPin
Exit code:
0
Version:
3.7.9.0
Modules
Images
c:\users\admin\appdata\local\temp\pin\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
2264"C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe" C:\Users\admin\AppData\Local\Temp\YandexPackLoader.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup Downloader
Exit code:
0
Version:
0.1.0.32
Modules
Images
c:\users\admin\appdata\local\temp\yandexpackloader.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2516"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.149 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.62 --initial-client-data=0x120,0x124,0x128,0xfc,0x130,0x7ffca38ab5f8,0x7ffca38ab608,0x7ffca38ab618C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
75 658
Read events
75 394
Write events
236
Delete events
28

Modification events

(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2264) YandexPackLoader.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4224) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\Local Settings\MuiCache\20\52C64B7E
Operation:delete keyName:(default)
Value:
(PID) Process:(4224) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001_Classes\Local Settings\MuiCache\20
Operation:delete keyName:(default)
Value:
(PID) Process:(4224) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:delete valueName:C:\Config.Msi\43415a.rbs
Value:
31029367
(PID) Process:(4224) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
Executable files
84
Suspicious files
744
Text files
550
Unknown types
0

Dropped files

PID
Process
Filename
Type
5308YandexPackSetup.exeC:\Users\admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
MD5:
SHA256:
4224msiexec.exeC:\WINDOWS\Installer\434158.msi
MD5:
SHA256:
2264YandexPackLoader.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\info[1].rssxml
MD5:1624F4A1E637E4A958CA214764AD4D02
SHA256:69E56887CAF622CDA9BA6380BFC46BC08BA2E80361D9B087B79BF12D40B07F75
2264YandexPackLoader.exeC:\Users\admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exeexecutable
MD5:D186E1D34741D101419A61CF0427BD72
SHA256:1240B588591E4C8AC9E1B70811733823F3EC3B4F7ED63A42450D2BF053CABB8D
2264YandexPackLoader.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\YandexPackSetup[1].exeexecutable
MD5:D186E1D34741D101419A61CF0427BD72
SHA256:1240B588591E4C8AC9E1B70811733823F3EC3B4F7ED63A42450D2BF053CABB8D
2264YandexPackLoader.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554Ebinary
MD5:FC2C97042A5FF73BE03C890362F71BD8
SHA256:E997CF3CDFF19436BB43630B17E6F538D4A061183ED2D9571F6093E5A16111F6
4224msiexec.exeC:\WINDOWS\Installer\MSI437E.tmpexecutable
MD5:B502C676E82CB196E20DB36601A08ACE
SHA256:BCA6F0BEC828D4F1D9748E78DE826C327A853BDCEB3C432426F1D53994C0D88F
1652msiexec.exeC:\Users\admin\AppData\Local\Temp\vendor00000.xmlxml
MD5:33B7F01613D444601BA380545467F348
SHA256:E8BA63FDA077FB2A67271A99B45E6C0D7B6D80421ED9CCE82D05B75A4B6FD686
1652msiexec.exeC:\Users\admin\AppData\Roaming\Yandex\clids-yabrowser.xmlxml
MD5:E4EFC7C8F3ADCADA23E56F88C376C2CB
SHA256:7D2D151234D16B44BA6C03574FCC9D139022C4E29554A646D741759B6B4C2FBF
4224msiexec.exeC:\WINDOWS\Installer\MSI4555.tmpexecutable
MD5:B502C676E82CB196E20DB36601A08ACE
SHA256:BCA6F0BEC828D4F1D9748E78DE826C327A853BDCEB3C432426F1D53994C0D88F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
166
DNS requests
176
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2264
YandexPackLoader.exe
GET
302
5.45.205.242:80
http://downloader.yandex.net/yandex-pack/downloader/info.rss
RU
whitelisted
2264
YandexPackLoader.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
US
binary
1.67 Kb
whitelisted
5700
{D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/rootr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHUeP1PjGFkz6V8I7O6tApc%3D
US
binary
1.41 Kb
whitelisted
4912
lite_installer.exe
GET
200
87.250.250.14:80
http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=0.winapi_download/ui=%7B00ed3e44-64a4-413a-91c7-a1dde26836eb%7D/clid1=2597987-830/dt=0/ds=0/bits=7_8_19041_1266/bver=0_0_0_0/prod_version=1_0_1_88/result=ok/*
RU
image
43 b
whitelisted
4736
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
binary
1.47 Kb
whitelisted
4912
lite_installer.exe
GET
200
87.250.250.14:80
http://clck.yandex.ru/click/dtype=stred/pid=198/cid=73002/path=1.run_dist/ui=%7B00ed3e44-64a4-413a-91c7-a1dde26836eb%7D/clid1=2597987-830/dt=25267077/ds=3273624/bits=7_8_19041_1266/bver=23_3_2_802/prod_version=1_0_1_88/result=ok/*
RU
image
43 b
whitelisted
5700
{D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDGwrPrcsY7xGXQFf9A%3D%3D
US
binary
1.40 Kb
whitelisted
568
sender.exe
GET
200
87.250.254.20:80
http://soft.export.yandex.ru/status.xml?clid=2598005-830&uuid=00ed3e44-64a4-413a-91c7-a1dde26836eb&vnt=Windows%2010x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A16%0A17%0A18%0A20%0A21%0A22%0A25%0A28%0A36%0A38%0A40%0A42%0A43%0A54%0A58%0A59%0A89%0A102%0A103%0A123%0A124%0A125%0A129
RU
xml
64 b
whitelisted
POST
302
104.103.88.140:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
AT
whitelisted
6480
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2072
svchost.exe
192.168.100.2:53
whitelisted
4736
SearchApp.exe
2.16.186.203:443
Akamai International B.V.
DE
whitelisted
2264
YandexPackLoader.exe
5.45.205.242:80
YANDEX LLC
RU
whitelisted
2264
YandexPackLoader.exe
185.70.202.13:80
TELECOM ITALIA SPARKLE S.p.A.
IT
malicious
2264
YandexPackLoader.exe
104.18.20.226:80
ocsp.globalsign.com
CLOUDFLARENET
shared
4912
lite_installer.exe
5.45.205.242:80
YANDEX LLC
RU
whitelisted
3044
seederexe.exe
77.88.21.14:80
clck.yandex.ru
YANDEX LLC
RU
whitelisted
4736
SearchApp.exe
2.23.209.182:443
r.bing.com
Akamai International B.V.
GB
suspicious
5700
{D81EAE67-3DED-4F60-85F5-DB90075AA3F8}.exe
185.70.202.14:443
TELECOM ITALIA SPARKLE S.p.A.
IT
malicious
5756
svchost.exe
20.190.159.4:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
downloader.yandex.net
whitelisted
ext-cachev2-itt02.cdn.yandex.net
whitelisted
ext-cachev2-itt01.cdn.yandex.net
whitelisted
officeclient.microsoft.com
  • 52.109.124.153
whitelisted
ocsp.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
clck.yandex.ru
  • 87.250.250.14
  • 213.180.204.14
  • 93.158.134.14
  • 213.180.193.14
  • 77.88.21.14
  • 87.250.251.14
whitelisted
ext-cachev2-itt03.cdn.yandex.net
whitelisted
soft.export.yandex.ru
  • 87.250.254.20
whitelisted
api.browser.yandex.ru
  • 213.180.193.234
whitelisted
download.cdn.yandex.net
whitelisted

Threats

PID
Process
Class
Message
2264
YandexPackLoader.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7020
YandexPackLoader.exe
Attempted Information Leak
ET POLICY curl User-Agent Outbound
4912
lite_installer.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
4912
lite_installer.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
Misc activity
ET INFO Windows OS Submitting USB Metadata to Microsoft
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
2 ETPRO signatures available at the full report
Process
Message
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsAlreadyRun() In
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
YandexPackSetup.exe
IsAlreadyRun() Out : ret (BOOL) = 0
YandexPackSetup.exe
IsMSISrvFree() In
YandexPackSetup.exe
IsMSISrvFree() : OpenMutex() err ret = 2
YandexPackSetup.exe
IsMSISrvFree() Out ret = 1
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
YandexPackLoader.exe