e36891d982acaa5b12e27cf55fae3581e29dd0ef35d0dd98ae93296034b5177e

System Information Discovery

Processes:

explorer.exesearchbandapp.exebrowser.exebrowser.exebrowser.exesetup.exeexplorer.exeYandex.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	searchbandapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	Yandex.exe

Loads dropped DLL 34 IoCs

Processes:

MsiExec.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exesearchbandapp64.exe

pid	process
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
5108	browser.exe
4312	browser.exe
5108	browser.exe
5108	browser.exe
3932	browser.exe
4552	browser.exe
4552	browser.exe
3932	browser.exe
4492	browser.exe
3660	browser.exe
348	browser.exe
1524	browser.exe
3492	browser.exe
3932	browser.exe
3932	browser.exe
3932	browser.exe
2712	browser.exe
3932	browser.exe
3932	browser.exe
4492	browser.exe
3660	browser.exe
348	browser.exe
1524	browser.exe
3492	browser.exe
2712	browser.exe
3860	searchbandapp64.exe
2336
3860	searchbandapp64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

browser.exesearchbandapp64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\YandexBrowserAutoLaunch_45886AE68CD319C7351FF54A1DBD4B87 = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --shutdown-if-not-closed-by-system-restart"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\YandexSearchBand = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\SearchBand\\Application\\5.0.0.1903\\searchbandapp64.exe\" /auto"	searchbandapp64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 17 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_BD3730E24B5091FBD030C756E510C3A2	service_update.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\_[1].js	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	service_update.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_BD3730E24B5091FBD030C756E510C3A2	service_update.exe

Drops file in Program Files directory 3 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
File created	C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\debug.log	service_update.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exeservice_update.exeservice_update.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4D922459-6A2E-4E43-B7A1-86872A9078F3}	msiexec.exe
File created	C:\Windows\Tasks\System update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Tasks\Repairing Yandex Browser update service.job	service_update.exe
File opened for modification	C:\Windows\Installer\e584e3a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51E4.tmp	msiexec.exe
File created	C:\Windows\Installer\e584e3a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI596C.tmp	msiexec.exe
File created	C:\Windows\Tasks\Update for Yandex Browser.job	service_update.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5456.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5776.tmp	msiexec.exe
File created	C:\Windows\Installer\e584e3d.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

browser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

Processes:

searchbandapp64.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\searchbandapp64.exe = "1"	searchbandapp64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\searchbandapp64.exe = "1"	searchbandapp64.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	searchbandapp64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\searchbandapp64.exe = "0"	searchbandapp64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\searchbandapp64.exe = "11000"	searchbandapp64.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	searchbandapp64.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING	searchbandapp64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\searchbandapp64.exe = "0"	searchbandapp64.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	searchbandapp64.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex\UICreated_SYSTEM = "1"	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	service_update.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	service_update.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	service_update.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	service_update.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	service_update.exe

Modifies registry class 64 IoCs

Processes:

setup.exesetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexJPEG.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexPNG.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.html	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexCRX.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.infected\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.png\OpenWithProgids\YandexPNG.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\yabrowser\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexCSS.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-124"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.infected	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexFB2.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexXML.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-134"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexXML.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.infected\OpenWithProgids\YandexINFE.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexPNG.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBM.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.webm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexJPEG.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-109"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBM.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexGIF.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexPNG.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexSWF.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-118"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.webp\OpenWithProgids\YandexWEBP.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexGIF.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-108"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexGIF.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexJS.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBP.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexPDF.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexPDF.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\Application\ApplicationName = "Yandex"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.gif\OpenWithProgids\YandexGIF.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.xhtml\OpenWithProgids\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.crx\ = "YandexBrowser.crx"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexJS.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexXML.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.crx	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.tif\OpenWithProgids\YandexTIFF.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexCRX.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBP.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.xml	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.webm\OpenWithProgids\YandexWEBM.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.xml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexINFE.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.crx\OpenWithProgids\YandexCRX.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.png	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.tiff\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\AppUserModelId = "Yandex.AXVJRCRR5DBT2D3MCHX3EXVLBE"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexBrowser.crx	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexSWF.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBP.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\Application\AppUserModelId = "Yandex.AXVJRCRR5DBT2D3MCHX3EXVLBE"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.xht\OpenWithProgids\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.jpeg	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexTIFF.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBM.AXVJRCRR5DBT2D3MCHX3EXVLBE\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexHTML.AXVJRCRR5DBT2D3MCHX3EXVLBE\ = "Yandex Browser HTML Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexINFE.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBM.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexWEBP.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\.tiff\OpenWithProgids\YandexTIFF.AXVJRCRR5DBT2D3MCHX3EXVLBE	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\yabrowser\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\YandexGIF.AXVJRCRR5DBT2D3MCHX3EXVLBE\shell\open\command	setup.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

setup.exeYandex.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	Yandex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Yandex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Yandex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	setup.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

setup.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeexplorer.exeSEARCHBAND.EXEmsiexec.exesearchbandapp.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exesetup.exe

pid	process
1376	setup.exe
1376	setup.exe
1964	service_update.exe
1964	service_update.exe
3912	service_update.exe
3912	service_update.exe
3180	service_update.exe
3180	service_update.exe
3180	service_update.exe
3180	service_update.exe
4728	service_update.exe
4728	service_update.exe
3292	service_update.exe
3292	service_update.exe
2436	service_update.exe
2436	service_update.exe
2776	explorer.exe
2776	explorer.exe
2776	explorer.exe
2776	explorer.exe
1376	setup.exe
1376	setup.exe
4520	SEARCHBAND.EXE
4520	SEARCHBAND.EXE
1892	msiexec.exe
1892	msiexec.exe
1376	setup.exe
1376	setup.exe
4528	searchbandapp.exe
4528	searchbandapp.exe
5108	browser.exe
5108	browser.exe
3932	browser.exe
4552	browser.exe
4552	browser.exe
4492	browser.exe
3660	browser.exe
348	browser.exe
1524	browser.exe
3492	browser.exe
3492	browser.exe
2712	browser.exe
644	setup.exe
644	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SEARCHBAND.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4520	SEARCHBAND.EXE
Token: SeIncreaseQuotaPrivilege	4520	SEARCHBAND.EXE
Token: SeSecurityPrivilege	1892	msiexec.exe
Token: SeCreateTokenPrivilege	4520	SEARCHBAND.EXE
Token: SeAssignPrimaryTokenPrivilege	4520	SEARCHBAND.EXE
Token: SeLockMemoryPrivilege	4520	SEARCHBAND.EXE
Token: SeIncreaseQuotaPrivilege	4520	SEARCHBAND.EXE
Token: SeMachineAccountPrivilege	4520	SEARCHBAND.EXE
Token: SeTcbPrivilege	4520	SEARCHBAND.EXE
Token: SeSecurityPrivilege	4520	SEARCHBAND.EXE
Token: SeTakeOwnershipPrivilege	4520	SEARCHBAND.EXE
Token: SeLoadDriverPrivilege	4520	SEARCHBAND.EXE
Token: SeSystemProfilePrivilege	4520	SEARCHBAND.EXE
Token: SeSystemtimePrivilege	4520	SEARCHBAND.EXE
Token: SeProfSingleProcessPrivilege	4520	SEARCHBAND.EXE
Token: SeIncBasePriorityPrivilege	4520	SEARCHBAND.EXE
Token: SeCreatePagefilePrivilege	4520	SEARCHBAND.EXE
Token: SeCreatePermanentPrivilege	4520	SEARCHBAND.EXE
Token: SeBackupPrivilege	4520	SEARCHBAND.EXE
Token: SeRestorePrivilege	4520	SEARCHBAND.EXE
Token: SeShutdownPrivilege	4520	SEARCHBAND.EXE
Token: SeDebugPrivilege	4520	SEARCHBAND.EXE
Token: SeAuditPrivilege	4520	SEARCHBAND.EXE
Token: SeSystemEnvironmentPrivilege	4520	SEARCHBAND.EXE
Token: SeChangeNotifyPrivilege	4520	SEARCHBAND.EXE
Token: SeRemoteShutdownPrivilege	4520	SEARCHBAND.EXE
Token: SeUndockPrivilege	4520	SEARCHBAND.EXE
Token: SeSyncAgentPrivilege	4520	SEARCHBAND.EXE
Token: SeEnableDelegationPrivilege	4520	SEARCHBAND.EXE
Token: SeManageVolumePrivilege	4520	SEARCHBAND.EXE
Token: SeImpersonatePrivilege	4520	SEARCHBAND.EXE
Token: SeCreateGlobalPrivilege	4520	SEARCHBAND.EXE
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe
Token: SeRestorePrivilege	1892	msiexec.exe
Token: SeTakeOwnershipPrivilege	1892	msiexec.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Yandex.exeexplorer.exeexplorer.exesearchbandapp.exesearchbandapp64.exe

pid	process
2672	Yandex.exe
2776	explorer.exe
2508	explorer.exe
4528	searchbandapp.exe
4528	searchbandapp.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

searchbandapp.exesearchbandapp64.exe

pid	process
4528	searchbandapp.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe
3860	searchbandapp64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Yandex.exebrowser.exesearchbandapp64.exe

pid process

2672 Yandex.exe
5108 browser.exe
3860 searchbandapp64.exe
3860 searchbandapp64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Yandex.exeYandex.exeyb763E.tmpsetup.exesetup.exeservice_update.exeservice_update.exeservice_update.exeexplorer.exeYandex.exemsiexec.exe

description	pid	process	target process
PID 2672 wrote to memory of 4280	2672	Yandex.exe	Yandex.exe
PID 2672 wrote to memory of 4280	2672	Yandex.exe	Yandex.exe
PID 2672 wrote to memory of 4280	2672	Yandex.exe	Yandex.exe
PID 2672 wrote to memory of 5116	2672	Yandex.exe	Yandex.exe
PID 2672 wrote to memory of 5116	2672	Yandex.exe	Yandex.exe
PID 2672 wrote to memory of 5116	2672	Yandex.exe	Yandex.exe
PID 5116 wrote to memory of 4672	5116	Yandex.exe	yb763E.tmp
PID 5116 wrote to memory of 4672	5116	Yandex.exe	yb763E.tmp
PID 5116 wrote to memory of 4672	5116	Yandex.exe	yb763E.tmp
PID 4672 wrote to memory of 4684	4672	yb763E.tmp	setup.exe
PID 4672 wrote to memory of 4684	4672	yb763E.tmp	setup.exe
PID 4672 wrote to memory of 4684	4672	yb763E.tmp	setup.exe
PID 4684 wrote to memory of 1376	4684	setup.exe	setup.exe
PID 4684 wrote to memory of 1376	4684	setup.exe	setup.exe
PID 4684 wrote to memory of 1376	4684	setup.exe	setup.exe
PID 1376 wrote to memory of 1888	1376	setup.exe	setup.exe
PID 1376 wrote to memory of 1888	1376	setup.exe	setup.exe
PID 1376 wrote to memory of 1888	1376	setup.exe	setup.exe
PID 1376 wrote to memory of 1964	1376	setup.exe	service_update.exe
PID 1376 wrote to memory of 1964	1376	setup.exe	service_update.exe
PID 1376 wrote to memory of 1964	1376	setup.exe	service_update.exe
PID 1964 wrote to memory of 3912	1964	service_update.exe	service_update.exe
PID 1964 wrote to memory of 3912	1964	service_update.exe	service_update.exe
PID 1964 wrote to memory of 3912	1964	service_update.exe	service_update.exe
PID 3180 wrote to memory of 3236	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 3236	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 3236	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 4728	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 4728	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 4728	3180	service_update.exe	service_update.exe
PID 4728 wrote to memory of 3292	4728	service_update.exe	service_update.exe
PID 4728 wrote to memory of 3292	4728	service_update.exe	service_update.exe
PID 4728 wrote to memory of 3292	4728	service_update.exe	service_update.exe
PID 1376 wrote to memory of 2776	1376	setup.exe	explorer.exe
PID 1376 wrote to memory of 2776	1376	setup.exe	explorer.exe
PID 1376 wrote to memory of 2776	1376	setup.exe	explorer.exe
PID 2776 wrote to memory of 4148	2776	explorer.exe	explorer.exe
PID 2776 wrote to memory of 4148	2776	explorer.exe	explorer.exe
PID 2776 wrote to memory of 4148	2776	explorer.exe	explorer.exe
PID 3180 wrote to memory of 2436	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 2436	3180	service_update.exe	service_update.exe
PID 3180 wrote to memory of 2436	3180	service_update.exe	service_update.exe
PID 1376 wrote to memory of 4548	1376	setup.exe	Yandex.exe
PID 1376 wrote to memory of 4548	1376	setup.exe	Yandex.exe
PID 1376 wrote to memory of 4548	1376	setup.exe	Yandex.exe
PID 4548 wrote to memory of 2508	4548	Yandex.exe	explorer.exe
PID 4548 wrote to memory of 2508	4548	Yandex.exe	explorer.exe
PID 4548 wrote to memory of 2508	4548	Yandex.exe	explorer.exe
PID 1376 wrote to memory of 3556	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 3556	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 3556	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 1020	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 1020	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 1020	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4608	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4608	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4608	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4312	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4312	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4312	1376	setup.exe	clidmgr.exe
PID 1376 wrote to memory of 4520	1376	setup.exe	SEARCHBAND.EXE
PID 1376 wrote to memory of 4520	1376	setup.exe	SEARCHBAND.EXE
PID 1376 wrote to memory of 4520	1376	setup.exe	SEARCHBAND.EXE
PID 1892 wrote to memory of 2684	1892	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\Yandex.exe
"C:\Users\Admin\AppData\Local\Temp\Yandex.exe"
1⤵
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\Yandex.exe
"C:\Users\Admin\AppData\Local\Temp\Yandex.exe" --check-the-interface
2⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\Yandex.exe
"C:\Users\Admin\AppData\Local\Temp\Yandex.exe" --parent-installer-process-id=2672 --run-as-admin --setup-cmd-line="fake_browser_arc --abt-config-resource-file=\"C:\Users\Admin\AppData\Local\Temp\abt_config_resource\" --abt-update-path=\"C:\Users\Admin\AppData\Local\Temp\b00d01ad-5120-4350-8eb0-c1e8510cf69e.tmp\" --brand-name=yandex --create-alice-shortcut-in-taskbar --distr-info-file=\"C:\Users\Admin\AppData\Local\Temp\distrib_info\" --make-browser-default-after-import --ok-button-pressed-time=415274214 --progress-window=589922 --send-statistics --the-interface-availability=150630000 --variations-update-path=\"C:\Users\Admin\AppData\Local\Temp\757df430-617d-46ed-b892-cfcccc2de053.tmp\" --verbose-logging"
2⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\yb763E.tmp
"C:\Users\Admin\AppData\Local\Temp\yb763E.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\b00d01ad-5120-4350-8eb0-c1e8510cf69e.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=55 --install-start-time-no-uac=416196213 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --ok-button-pressed-time=415274214 --progress-window=589922 --send-statistics --source=lite --the-interface-availability=150630000 --variations-update-path="C:\Users\Admin\AppData\Local\Temp\757df430-617d-46ed-b892-cfcccc2de053.tmp" --verbose-logging
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\BROWSER.PACKED.7Z" --searchband-file="C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\SEARCHBAND.EXE" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\b00d01ad-5120-4350-8eb0-c1e8510cf69e.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=55 --install-start-time-no-uac=416196213 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --ok-button-pressed-time=415274214 --progress-window=589922 --send-statistics --source=lite --the-interface-availability=150630000 --variations-update-path="C:\Users\Admin\AppData\Local\Temp\757df430-617d-46ed-b892-cfcccc2de053.tmp" --verbose-logging
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\BROWSER.PACKED.7Z" --searchband-file="C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\SEARCHBAND.EXE" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\b00d01ad-5120-4350-8eb0-c1e8510cf69e.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=55 --install-start-time-no-uac=416196213 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --ok-button-pressed-time=415274214 --progress-window=589922 --send-statistics --source=lite --the-interface-availability=150630000 --variations-update-path="C:\Users\Admin\AppData\Local\Temp\757df430-617d-46ed-b892-cfcccc2de053.tmp" --verbose-logging --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=474470442
5⤵
- Executes dropped EXE
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=1376 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x304,0x308,0x30c,0x2e0,0x310,0xda21d8,0xda21e8,0xda21f4
6⤵
- Executes dropped EXE
PID:1888

C:\Windows\TEMP\sdwra_1376_1262164334\service_update.exe
"C:\Windows\TEMP\sdwra_1376_1262164334\service_update.exe" --setup
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --install
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3912

C:\Users\Admin\AppData\Local\Temp\scoped_dir1376_1053033923\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\scoped_dir1376_1053033923\explorer.exe" --pttw1="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yandex.lnk"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\scoped_dir1376_1053033923\explorer.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir1376_1053033923\explorer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=2776 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0xfa21d8,0xfa21e8,0xfa21f4
7⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
PID:2508

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
6⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source1376_889009417\Browser-bin\clids_yandex.xml"
6⤵
- Executes dropped EXE
PID:1020

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=searchband --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml"
6⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=searchband --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source1376_889009417\Browser-bin\clids_searchband.xml"
6⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\SEARCHBAND.EXE
"C:\Users\Admin\AppData\Local\Temp\YB_6F645.tmp\SEARCHBAND.EXE" /forcequiet
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --run-as-service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=3180 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0xf97ae8,0xf97af8,0xf97b04
2⤵
- Executes dropped EXE
PID:3236

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --update-scheduler
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --update-background-scheduler
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --statistics=https://api.browser.yandex.ru/installstats/send/dtype=stred/pid=457/cid=72992/path=extended_stat/vars=-action=version_folder_files_check_unused,-brand_id=unknown,-error=FONT_NOT_FOUND,-files_mask=66977119,-installer_type=service_audit,-launched=false,-old_style=0,-old_ver=,-result=0,-stage=error,-target=version_folder_files_check,-ui=FA690FF6_B0C9_475A_8DB3_2872E43DD46A/*
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9F59EB82E258C34D20372570969CE3AA
2⤵
- Loads dropped DLL
PID:2684

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Installer\searchbandapp.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Installer\searchbandapp.exe" /install
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4528

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe" /auto
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\crashreporter64.exe
C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\crashreporter64.exe
3⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=589922 --ok-button-pressed-time=415274214 --install-start-time-no-uac=416196213
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=5108 --annotation=metrics_client_id=77ccd3ef794a4a1eac0a761c7440f1b6 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x154,0x158,0x15c,0x130,0x160,0x716ca3b0,0x716ca3c0,0x716ca3cc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4312

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1276 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Network Service" --mojo-platform-channel-handle=1916 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=utility --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Storage Service" --mojo-platform-channel-handle=2164 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Audio Service" --mojo-platform-channel-handle=2676 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:348

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\Installer\setup.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\Installer\setup.exe" --set-as-default-browser
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\Installer\setup.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\Installer\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=644 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x304,0x308,0x30c,0x2e0,0x310,0x14221d8,0x14221e8,0x14221f4
3⤵
- Executes dropped EXE
PID:3144

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3368 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Video Capture" --mojo-platform-channel-handle=3380 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=3392 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=3968 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:4196

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=speechkit.mojom.Speechkit --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Speechkit Service" --mojo-platform-channel-handle=1700 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:2688

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=4692 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4264

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4752 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:3780

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Network Service" --mojo-platform-channel-handle=4768 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4704

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Утилиты Windows" --mojo-platform-channel-handle=4580 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:660

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Утилиты Windows" --mojo-platform-channel-handle=5224 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4328

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\browser_diagnostics.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\browser_diagnostics.exe" --uninstall
2⤵
PID:4040

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4764 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:4792

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --ya-custo-process --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=6664 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:392

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --ya-custo-process --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=6488 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:3492

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Утилиты Windows" --mojo-platform-channel-handle=6568 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4728

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5048 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4068

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=7096 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:2380

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6260 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5012

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6992 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4948

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=4708 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:1248

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5364 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4512

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=7068 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4452

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6092 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:208

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5588 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:2508

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6988 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:584

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6440 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:3620

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5584 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4464

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5860 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4840

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=4620 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:2636

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5884 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5184

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=7132 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5376

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6028 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5576

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5580 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5788

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6036 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5936

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5992 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:6120

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=5616 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5132

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=6848 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5320

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Data Decoder Service" --mojo-platform-channel-handle=7008 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5540

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=7468 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:3748

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=8372 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:5976

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Импорт профилей" --mojo-platform-channel-handle=9160 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4616

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=5932 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:5428

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Импорт профилей" --mojo-platform-channel-handle=5364 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:1512

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=ru --service-sandbox-type=utility --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Распаковщик файлов" --mojo-platform-channel-handle=1732 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:4588

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --process-name="Импорт профилей" --mojo-platform-channel-handle=3748 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:8
2⤵
PID:5736

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=D4850B04-8347-4112-BD43-5C30C4A60F18 --brand-id=yandex --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=9116 --field-trial-handle=1780,i,15922563846069539362,11678609785512374335,131072 /prefetch:1
2⤵
PID:3204

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c
1⤵
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery