e36891d982acaa5b12e27cf55fae3581e29dd0ef35d0dd98ae93296034b5177e

Resubmissions

17-10-2022 19:36

221017-ybkpeacgf7 10

17-10-2022 17:27

221017-v1ye1scfdl 8

17-10-2022 14:10

221017-rg6qhacbgq 8

Analysis

max time kernel
146s
max time network
1803s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-10-2022 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yandex.exe
Size

2.4MB
MD5

09bb3df23630c9111a5860cb96bde6ad
SHA1

217d78e392e7ef295596862175eb353977a85738
SHA256

e36891d982acaa5b12e27cf55fae3581e29dd0ef35d0dd98ae93296034b5177e
SHA512

8a216eac67b5d4bc54781a166cd48ab8a68e0b983fb346c14030eca060046fe7484f76fa4eb006164c5781684cad82f7d29afaf9514e70c81feffe70df402f31
SSDEEP

49152:CsEpJsMKSCZrcPEGuW9Q+iA5H5u8QeuL:CsEpuBZrcPEGuWMxt

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

Processes:

yb4155.tmpsetup.exesetup.exesetup.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeYandex.execlidmgr.execlidmgr.execlidmgr.execlidmgr.exeSEARCHBAND.EXEsearchbandapp.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exe

pid	process
1700	yb4155.tmp
1992	setup.exe
828	setup.exe
576	setup.exe
1932	service_update.exe
1440	service_update.exe
1708	service_update.exe
1472	service_update.exe
592	service_update.exe
1772	service_update.exe
1764	service_update.exe
1624	Yandex.exe
556	clidmgr.exe
1268	clidmgr.exe
636	clidmgr.exe
1572	clidmgr.exe
1624	SEARCHBAND.EXE
1756	searchbandapp.exe
1964	browser.exe
936	browser.exe
268	browser.exe
1912	browser.exe
1000	browser.exe
2104	browser.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

searchbandapp.exebrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	searchbandapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	browser.exe

Loads dropped DLL 49 IoCs

Processes:

Yandex.exeYandex.exeyb4155.tmpsetup.exesetup.exeservice_update.exeservice_update.exeservice_update.exeYandex.exeMsiExec.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exe

pid	process
2012	Yandex.exe
2012	Yandex.exe
2012	Yandex.exe
1956	Yandex.exe
1700	yb4155.tmp
1992	setup.exe
1992	setup.exe
1992	setup.exe
828	setup.exe
828	setup.exe
828	setup.exe
1932	service_update.exe
1932	service_update.exe
1932	service_update.exe
1932	service_update.exe
1932	service_update.exe
1708	service_update.exe
1708	service_update.exe
592	service_update.exe
1708	service_update.exe
828	setup.exe
828	setup.exe
828	setup.exe
828	setup.exe
828	setup.exe
1624	Yandex.exe
828	setup.exe
828	setup.exe
828	setup.exe
828	setup.exe
828	setup.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
1964	browser.exe
936	browser.exe
1964	browser.exe
1964	browser.exe
1912	browser.exe
268	browser.exe
1912	browser.exe
268	browser.exe
1000	browser.exe
1000	browser.exe
2104	browser.exe
2104	browser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

browser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\YandexBrowserAutoLaunch_45886AE68CD319C7351FF54A1DBD4B87 = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --shutdown-if-not-closed-by-system-restart"	browser.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 11 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BC46QNCI.txt	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\BC46QNCI.txt	service_update.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_BD3730E24B5091FBD030C756E510C3A2	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_BD3730E24B5091FBD030C756E510C3A2	service_update.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\_[1].js	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	service_update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	service_update.exe

Drops file in Program Files directory 3 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
File created	C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\debug.log	service_update.exe

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exeservice_update.exeservice_update.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI43E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6e3c37.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4446.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4724.tmp	msiexec.exe
File created	C:\Windows\Installer\6e3c3b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6e3c39.ipi	msiexec.exe
File created	C:\Windows\Tasks\Update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Tasks\Repairing Yandex Browser update service.job	service_update.exe
File opened for modification	C:\Windows\Installer\MSI4B4C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B8B.tmp	msiexec.exe
File created	C:\Windows\Tasks\System update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Installer\6e3c37.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41A5.tmp	msiexec.exe
File created	C:\Windows\Installer\6e3c39.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI481F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

browser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadDecision = "0"	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	service_update.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	service_update.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadDecisionTime = b04b23e35ee2d801	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36	service_update.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	service_update.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	service_update.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	service_update.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36\WpadDecisionReason = "1"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Yandex\UICreated_SYSTEM = "1"	service_update.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36\WpadDecisionTime = b04b23e35ee2d801	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36\WpadDecision = "0"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadDecisionReason = "1"	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\c6-6c-ae-48-c1-36	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	service_update.exe

Modifies registry class 64 IoCs

Processes:

setup.exebrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexFB2.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexCSS.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexSWF.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\yabrowser\shell\open\ddeexec	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexFB2.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-122"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexJPEG.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexSWF.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexINFE.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexJPEG.L5W3RHVM4G72LK3XVS2RJZEJ54	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexXML.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.tif\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.tiff\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexBrowser.crx\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexWEBM.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-132"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexXML.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-134"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexTIFF.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-119"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexPDF.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexPDF.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\http\shell\open\ddeexec	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.html\ = "YandexHTML.L5W3RHVM4G72LK3XVS2RJZEJ54"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexCRX.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexTXT.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexXML.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexGIF.L5W3RHVM4G72LK3XVS2RJZEJ54\ = "Yandex Browser GIF Document"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexGIF.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexXML.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexGIF.L5W3RHVM4G72LK3XVS2RJZEJ54	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexSWF.L5W3RHVM4G72LK3XVS2RJZEJ54\ = "Yandex Browser SWF Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.gif\OpenWithProgids	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexBrowser.crx\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.jpeg\OpenWithProgids\YandexJPEG.L5W3RHVM4G72LK3XVS2RJZEJ54	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.xhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexINFE.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexXML.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-134"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexJPEG.L5W3RHVM4G72LK3XVS2RJZEJ54\ = "Yandex Browser JPEG Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexPNG.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexBrowser.crx\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\",0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexGIF.L5W3RHVM4G72LK3XVS2RJZEJ54\ = "Yandex Browser GIF Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.pdf	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexHTML.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexFB2.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexGIF.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexPDF.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-112"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.css\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.png	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\https\shell\ = "open"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexXML.L5W3RHVM4G72LK3XVS2RJZEJ54\ = "Yandex Browser XML Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.tif	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.shtml\OpenWithProgids\YandexHTML.L5W3RHVM4G72LK3XVS2RJZEJ54	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.css	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.xhtml	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\ftp\shell	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexEPUB.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexCRX.L5W3RHVM4G72LK3XVS2RJZEJ54\shell	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.gif\ = "YandexGIF.L5W3RHVM4G72LK3XVS2RJZEJ54"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.fb2\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexCSS.L5W3RHVM4G72LK3XVS2RJZEJ54\ = "Yandex Browser CSS Document"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.webp\OpenWithProgids\YandexWEBP.L5W3RHVM4G72LK3XVS2RJZEJ54	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.shtml	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexPDF.L5W3RHVM4G72LK3XVS2RJZEJ54\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.swf\OpenWithProgids\YandexSWF.L5W3RHVM4G72LK3XVS2RJZEJ54	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\YandexEPUB.L5W3RHVM4G72LK3XVS2RJZEJ54\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-121"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.htm	setup.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Yandex.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Yandex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Yandex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Yandex.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Yandex.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

setup.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeSEARCHBAND.EXEmsiexec.exesearchbandapp.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exe

pid	process
828	setup.exe
1932	service_update.exe
1440	service_update.exe
1708	service_update.exe
1708	service_update.exe
592	service_update.exe
1772	service_update.exe
1764	service_update.exe
828	setup.exe
1624	SEARCHBAND.EXE
1724	msiexec.exe
1724	msiexec.exe
1756	searchbandapp.exe
828	setup.exe
1964	browser.exe
1912	browser.exe
268	browser.exe
1000	browser.exe
2104	browser.exe
1964	browser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SEARCHBAND.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1624	SEARCHBAND.EXE
Token: SeIncreaseQuotaPrivilege	1624	SEARCHBAND.EXE
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeSecurityPrivilege	1724	msiexec.exe
Token: SeCreateTokenPrivilege	1624	SEARCHBAND.EXE
Token: SeAssignPrimaryTokenPrivilege	1624	SEARCHBAND.EXE
Token: SeLockMemoryPrivilege	1624	SEARCHBAND.EXE
Token: SeIncreaseQuotaPrivilege	1624	SEARCHBAND.EXE
Token: SeMachineAccountPrivilege	1624	SEARCHBAND.EXE
Token: SeTcbPrivilege	1624	SEARCHBAND.EXE
Token: SeSecurityPrivilege	1624	SEARCHBAND.EXE
Token: SeTakeOwnershipPrivilege	1624	SEARCHBAND.EXE
Token: SeLoadDriverPrivilege	1624	SEARCHBAND.EXE
Token: SeSystemProfilePrivilege	1624	SEARCHBAND.EXE
Token: SeSystemtimePrivilege	1624	SEARCHBAND.EXE
Token: SeProfSingleProcessPrivilege	1624	SEARCHBAND.EXE
Token: SeIncBasePriorityPrivilege	1624	SEARCHBAND.EXE
Token: SeCreatePagefilePrivilege	1624	SEARCHBAND.EXE
Token: SeCreatePermanentPrivilege	1624	SEARCHBAND.EXE
Token: SeBackupPrivilege	1624	SEARCHBAND.EXE
Token: SeRestorePrivilege	1624	SEARCHBAND.EXE
Token: SeShutdownPrivilege	1624	SEARCHBAND.EXE
Token: SeDebugPrivilege	1624	SEARCHBAND.EXE
Token: SeAuditPrivilege	1624	SEARCHBAND.EXE
Token: SeSystemEnvironmentPrivilege	1624	SEARCHBAND.EXE
Token: SeChangeNotifyPrivilege	1624	SEARCHBAND.EXE
Token: SeRemoteShutdownPrivilege	1624	SEARCHBAND.EXE
Token: SeUndockPrivilege	1624	SEARCHBAND.EXE
Token: SeSyncAgentPrivilege	1624	SEARCHBAND.EXE
Token: SeEnableDelegationPrivilege	1624	SEARCHBAND.EXE
Token: SeManageVolumePrivilege	1624	SEARCHBAND.EXE
Token: SeImpersonatePrivilege	1624	SEARCHBAND.EXE
Token: SeCreateGlobalPrivilege	1624	SEARCHBAND.EXE
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

Yandex.exebrowser.exe

pid	process
2012	Yandex.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

browser.exe

pid	process
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe
1964	browser.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Yandex.exebrowser.exe

pid process

2012 Yandex.exe
1964 browser.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Yandex.exeYandex.exeyb4155.tmpsetup.exesetup.exeservice_update.exeservice_update.exeservice_update.exe

description	pid	process	target process
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 2012 wrote to memory of 1956	2012	Yandex.exe	Yandex.exe
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1956 wrote to memory of 1700	1956	Yandex.exe	yb4155.tmp
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1700 wrote to memory of 1992	1700	yb4155.tmp	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 1992 wrote to memory of 828	1992	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 576	828	setup.exe	setup.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 828 wrote to memory of 1932	828	setup.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1932 wrote to memory of 1440	1932	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 1472	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 1708 wrote to memory of 592	1708	service_update.exe	service_update.exe
PID 592 wrote to memory of 1772	592	service_update.exe	service_update.exe

C:\Users\Admin\AppData\Local\Temp\Yandex.exe
"C:\Users\Admin\AppData\Local\Temp\Yandex.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\Yandex.exe
"C:\Users\Admin\AppData\Local\Temp\Yandex.exe" --parent-installer-process-id=2012 --run-as-admin --setup-cmd-line="fake_browser_arc --abt-config-resource-file=\"C:\Users\Admin\AppData\Local\Temp\abt_config_resource\" --abt-update-path=\"C:\Users\Admin\AppData\Local\Temp\3933fb73-9bfe-4f13-a541-c3970000079e.tmp\" --brand-name=yandex --create-alice-shortcut-in-taskbar --distr-info-file=\"C:\Users\Admin\AppData\Local\Temp\distrib_info\" --make-browser-default-after-import --ok-button-pressed-time=616830500 --progress-window=327964 --send-statistics --variations-update-path=\"C:\Users\Admin\AppData\Local\Temp\88502295-6f69-43e7-88d0-2bb1a4664d35.tmp\" --verbose-logging"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\yb4155.tmp
"C:\Users\Admin\AppData\Local\Temp\yb4155.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\3933fb73-9bfe-4f13-a541-c3970000079e.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=31 --install-start-time-no-uac=617984900 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --ok-button-pressed-time=616830500 --progress-window=327964 --send-statistics --source=lite --variations-update-path="C:\Users\Admin\AppData\Local\Temp\88502295-6f69-43e7-88d0-2bb1a4664d35.tmp" --verbose-logging
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\BROWSER.PACKED.7Z" --searchband-file="C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\SEARCHBAND.EXE" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\3933fb73-9bfe-4f13-a541-c3970000079e.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=31 --install-start-time-no-uac=617984900 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --ok-button-pressed-time=616830500 --progress-window=327964 --send-statistics --source=lite --variations-update-path="C:\Users\Admin\AppData\Local\Temp\88502295-6f69-43e7-88d0-2bb1a4664d35.tmp" --verbose-logging
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\BROWSER.PACKED.7Z" --searchband-file="C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\SEARCHBAND.EXE" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\3933fb73-9bfe-4f13-a541-c3970000079e.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --create-alice-shortcut-in-taskbar --distr-info-file="C:\Users\Admin\AppData\Local\Temp\distrib_info" --histogram-download-time=31 --install-start-time-no-uac=617984900 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --make-browser-default-after-import --ok-button-pressed-time=616830500 --progress-window=327964 --send-statistics --source=lite --variations-update-path="C:\Users\Admin\AppData\Local\Temp\88502295-6f69-43e7-88d0-2bb1a4664d35.tmp" --verbose-logging --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=691039700
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=a3028db1baffc0578427f8e443889a44 --annotation=main_process_pid=828 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x1a4,0x1a8,0x1ac,0x178,0x1b0,0x14721d8,0x14721e8,0x14721f4
6⤵
- Executes dropped EXE
PID:576

C:\Windows\TEMP\sdwra_828_582232958\service_update.exe
"C:\Windows\TEMP\sdwra_828_582232958\service_update.exe" --setup
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --install
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
6⤵
- Executes dropped EXE
PID:556

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source828_1065602085\Browser-bin\clids_yandex.xml"
6⤵
- Executes dropped EXE
PID:1268

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=searchband --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml"
6⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=searchband --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source828_1065602085\Browser-bin\clids_searchband.xml"
6⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\SEARCHBAND.EXE
"C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\SEARCHBAND.EXE" /forcequiet
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --run-as-service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=a3028db1baffc0578427f8e443889a44 --annotation=main_process_pid=1708 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x1107ae8,0x1107af8,0x1107b04
2⤵
- Executes dropped EXE
PID:1472

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --update-scheduler
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --update-background-scheduler
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe" --statistics=https://api.browser.yandex.ru/installstats/send/dtype=stred/pid=457/cid=72992/path=extended_stat/vars=-action=version_folder_files_check_unused,-brand_id=unknown,-error=FONT_NOT_FOUND,-files_mask=66977119,-installer_type=service_audit,-launched=false,-old_style=0,-old_ver=,-result=0,-stage=error,-target=version_folder_files_check,-ui=3851E0C4_B78C_4AEF_9949_9C89D698CFF0/*
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86631C05E9C122CF43B6333C00A717D7
2⤵
- Loads dropped DLL
PID:268

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Installer\searchbandapp.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Installer\searchbandapp.exe" /install
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe" /auto
2⤵
PID:2596

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\crashreporter64.exe
C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\crashreporter64.exe
3⤵
PID:2636

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe" /update-check
3⤵
PID:1608

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe" /update-install
4⤵
PID:2272

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe
"C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe" /auto
5⤵
PID:2296

C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\crashreporter64.exe
C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\crashreporter64.exe
6⤵
PID:2332

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=327964 --ok-button-pressed-time=616830500 --install-start-time-no-uac=617984900
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=1964 --annotation=metrics_client_id=b04e1797fa144ea3b795edb907ada89b --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0xe4,0xe8,0xec,0xb8,0xf0,0x7326a3b0,0x7326a3c0,0x7326a3cc
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 --field-trial-handle=1168,i,7984165323736420694,15697135467326736199,131072 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:268

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --process-name="Network Service" --mojo-platform-channel-handle=1388 --field-trial-handle=1168,i,7984165323736420694,15697135467326736199,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=utility --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --process-name="Storage Service" --mojo-platform-channel-handle=1628 --field-trial-handle=1168,i,7984165323736420694,15697135467326736199,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --process-name="Audio Service" --mojo-platform-channel-handle=2016 --field-trial-handle=1168,i,7984165323736420694,15697135467326736199,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --display-capture-permissions-policy-allowed --enable-instaserp --enable-ignition --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1168,i,7984165323736420694,15697135467326736199,131072 /prefetch:1
2⤵
PID:2308

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\browser_diagnostics.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.9.3.891\browser_diagnostics.exe" --uninstall
2⤵
PID:2536

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater-stat-bits --broupdater-stat-name=install --bits_job_guid={BACFC4F1-56DD-4084-A811-F422411AB43D}
1⤵
PID:1696

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1666035022 --annotation=last_update_date=0 --annotation=launches_after_update=0 --annotation=machine_id=a3028db1baffc0578427f8e443889a44 --annotation=main_process_pid=1696 --annotation=metrics_client_id=b04e1797fa144ea3b795edb907ada89b --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0xe8,0xec,0xf0,0xbc,0xf4,0x7326a3b0,0x7326a3c0,0x7326a3cc
2⤵
PID:1684

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1160 --field-trial-handle=1344,i,2399330048580320347,7281019970743754712,131072 /prefetch:2
2⤵
PID:1192

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --process-name="Network Service" --mojo-platform-channel-handle=1392 --field-trial-handle=1344,i,2399330048580320347,7281019970743754712,131072 /prefetch:8
2⤵
PID:1920

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater --bits_job_guid={AE049053-DD96-46CE-9D59-F3826D4D4FEC}
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1666035022 --annotation=last_update_date=1666035022 --annotation=launches_after_update=2 --annotation=machine_id=a3028db1baffc0578427f8e443889a44 --annotation=main_process_pid=2632 --annotation=metrics_client_id=b04e1797fa144ea3b795edb907ada89b --annotation=micromode=broupdater --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0xe8,0xec,0xf0,0xbc,0xf4,0x7326a3b0,0x7326a3c0,0x7326a3cc
2⤵
PID:2792

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1216 --field-trial-handle=1304,i,3505185740305133243,15533693894872617270,131072 /prefetch:2
2⤵
PID:1556

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --process-name="Network Service" --mojo-platform-channel-handle=1396 --field-trial-handle=1304,i,3505185740305133243,15533693894872617270,131072 /prefetch:8
2⤵
PID:2940

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater-stat-bits --broupdater-stat-name=dayuse --bits_job_guid={8BF10DCD-52F1-48A6-8927-D6FB59FEAF8C}
1⤵
PID:520

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1666035022 --annotation=last_update_date=1666035022 --annotation=launches_after_update=2 --annotation=machine_id=a3028db1baffc0578427f8e443889a44 --annotation=main_process_pid=520 --annotation=metrics_client_id=b04e1797fa144ea3b795edb907ada89b --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.9.3.891 --initial-client-data=0xe8,0xec,0xf0,0xbc,0xf4,0x7326a3b0,0x7326a3c0,0x7326a3cc
2⤵
PID:796

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1208 --field-trial-handle=1300,i,15333022479268555402,3273807175472921499,131072 /prefetch:2
2⤵
PID:2996

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=3EF16BFC-DA46-4A21-9AC7-6C25F7B7ED53 --brand-id=yandex --process-name="Network Service" --mojo-platform-channel-handle=1396 --field-trial-handle=1300,i,15333022479268555402,3273807175472921499,131072 /prefetch:8
2⤵
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
C:\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
C:\ProgramData\Yandex\YandexBrowser\service_update.log
Filesize
535B

MD5
66a0aca3c8c4cc66070f8e9a986b0db9

SHA1
1e229e37bdb786dfd0a1865aac71a63d748a81ae

SHA256
d706f001d2078af7693a74d7aa3bf3c6302645694f3404293784c93c58d32684

SHA512
28c669976427e0f88ddd851ccf3aa4226f827125f0fb85883432bf513c3c467acd6cacb26a75be611c1d9de468530d7ffb255c0055fb20623dae9479dc20e384

Download Submit
C:\ProgramData\Yandex\YandexBrowser\service_update.log
Filesize
1KB

MD5
06b0530a96d1f936990f0ada665ee44d

SHA1
766c0c6946a414e3f1bf652f8f407784af03a538

SHA256
a6d3f35e0cafe2c46c3c3b08bc96c4ca2f8eb567a5c85b4c6759db70f1ad275d

SHA512
554e14a7333d672f95b97bea8bfa427d20463c7dfff613038301d204254e49feac80180c4adff252bf649adb095bbd84a395e99d473776133fc148207dde7e7b

Download Submit
C:\ProgramData\Yandex\YandexBrowser\service_update.log
Filesize
2KB

MD5
2715f8902e550df00eef6b158f471c22

SHA1
66e55881c9ff3826b4c6f7fade534ed5442e58df

SHA256
27a90cadced74463ecc88c5cc137401246bc0a6e958f2c4132230e877cb53b18

SHA512
26d14d796e0c8e5a0fefe7c4bee51f37d0012b40a9606fa945f75d03e7d93afe5090712f6698f5233f7bb78550b9f07c7f0d53e0977bd2ef21ead028e77013cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
Filesize
1KB

MD5
968706091b00f62e2ee54190fe913380

SHA1
7dcd60d17fc861a273074fc9c6652e6e0cc2c182

SHA256
a51a7a851222d45c068ce2120e495b217f504b87d1a6d982feeeeb252d4aa80d

SHA512
fb7521dab16a95317c88d31763e0eca697d040cee09c91fd59c59a12bfb8e8e2d12df75a7bf461ab99b08af58ebdf0be8ace473692357182d86ef3cbb19c2bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_BD3730E24B5091FBD030C756E510C3A2
Filesize
1KB

MD5
561d528943d237443a8da3a93beb4723

SHA1
ce6a59eec2e4bf0fcfe6ff827c8ee18bb92fb18b

SHA256
2479868222ef9898a1b967705ea80a35e720923ec6322823adee8f822bf26f6c

SHA512
6dcd34595b40b33f8caad18b8b940823ea78c17d18a335bc8b563b7c0df2825495e48deea32c289b922f9bbaf0197deffbc8c55a778bada84a3d1a036684ef03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2
Filesize
727B

MD5
3dc4181e96e768b9f4bbf41d1afa1dc1

SHA1
9ee79c2f26bf520c4e8a3b36daff9ce8e6e3cca8

SHA256
a72e1936399b803b5c282aa625b1dd2e3c924897ba728887035ebd30a4e9eae4

SHA512
8c6c6ec2b6513697995aac13b9f946a7f5442cea77d0d3053ae9cf0d7dedd6942c8eceabfcd0380156403002bea026b3b18d4926fec92a146faf41f0144a7958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
471B

MD5
da5a9f149955d936a31dc5e456666aac

SHA1
195238d41c1e13448f349f43bb295ef2d55cb47a

SHA256
79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224

SHA512
60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
Filesize
1KB

MD5
2d9b3451bf865eebf9d53a173b4683c5

SHA1
911426c1b05e1b4a9e3ce0d2da4485d4e8bd6692

SHA256
5605e792857829ce294da76fc4f36d42e958759fe0e10d262aa7ecb86429b2f2

SHA512
031b3e3ad77cb274376be3dd2f3033cceb698c1634211c8a8b2ce6918026bdf2fae3282dfc76f3820b74c8ee2487d6270ecda4697a4dba74adc276a4945deb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560
Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB
Filesize
727B

MD5
e48b6e4b5351b7f68acc6375f58b4832

SHA1
b17b7199b60c22b91a3df390d7a1c7874c7892a9

SHA256
fed4553c22581ce3e71b78d3d45bddc8137beb99d2ff71a5423da909d6848d8c

SHA512
5f3af281f1ec2292f0a0a905ad24a07c793c8e8ac0be9a0c86e9c1588b7f9cd6028c70433d7c228d60c7c9dbe1a1d3dd0afd3bf3795b388b6d48444edb1444b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B
Filesize
508B

MD5
a50545366f21b66fab32f8a712ee7a9f

SHA1
388546b6ecf67e2422cda91aac4ebba4ba0bcdc2

SHA256
2a9197b2c2df0cdab5cc1051fb40e0216afe80be794e52fd81f7c0312224eeeb

SHA512
d8a04d08f54bd0b01f39186c7d555b59758e955dd411385e2099edfb12f067c6bb05211532a5d25ba6506621066d81f1166cdb5c36a34657531d6b114ff62ace

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_BD3730E24B5091FBD030C756E510C3A2
Filesize
536B

MD5
24b134a9a328fff6aeab3549ef9a44bd

SHA1
4be5fc8f9230ed6cbdfa4efa50c4028dc93cd3e7

SHA256
8383150de598f9928f97bb2121e8ed8760261d9c2199a3cd3f7e8ba463beef38

SHA512
6a9da2175022f3e4bc7ca210539b45bb90bcbb88014853a4f16d9a754fe580fe01e7290a2fd332013d47d6acc4aaab6e940f8ba21f5bf63dece765982a0e07b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2
Filesize
434B

MD5
08eb6d6cee9b3456162cc085c90de40e

SHA1
e4f7b44acea5e7faefed14ee2106daa8d807721a

SHA256
34fe7b3d329ddd31d2928a226edc1609d2283459fd7a25ad38211597aed3ce30

SHA512
18c4facf8f10b6c448cdcb3f5529bbb296dd686934c9f0b98e3122814adb03c16ac051fa1de16062d304c601589130bff343c99f95df3ab850ddac5a9c8af4b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
430B

MD5
a9a8a135b379aed717282c40407dd01b

SHA1
c07b9f0214632b76fc5190440470d26ad876007c

SHA256
eeac8101b2928809b0d2853b565da77ddf167c0abc0c16e2c5ed723b8fca8bcb

SHA512
4b87ee4425eeb61206f960cc2b9050003ed5debce9590dba8d75ef55ed9a63ecbebaf440cde4f5aa3ab3dd2ec3311182ad795c3376da8fe1a566839fe3435340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dd447eba969a7ed90b3f835ba26b46d0

SHA1
c50f081df6c6138bd38bc9db014889cddd6c5928

SHA256
abc6c83dbe1e62c09befc9b51fe08d63bb73d61f0abc7652853839bc94bb707d

SHA512
ebcdeab1b7169ba30242dd69cf9f8e03d7baf4d959a0208e71a82e660c724409d1682f0f7ed9ae3b5f15943574849273fdb9df5c448938ce122fa1c54c250533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
Filesize
506B

MD5
51f946ac734b5440a85049938f9ea050

SHA1
b9a1e5b3b1222c58f87375c11949c54a02978474

SHA256
26db5833e3c5bbdfbf06be150ee894deb234831aac0be9008305b3fa58933db6

SHA512
e593da07b26c2d25f036922be12a3cf7e067b443eace90d974c0331a5b0b2a656bc4d526ab327af9e22900df0bfb3eb41dc1c3140e40047b42afe7ac8865d071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560
Filesize
264B

MD5
b88556030df19016584c8bda3b76ee9b

SHA1
916d48d66deeee1a69ded77f984d50d24363c686

SHA256
4c878a7a954e50646348cfb47c77cbd2fb2f9f927a5de76b5678b7b071181165

SHA512
4dfec485e614ddadfe8e9bd30cc7afa3a0742ffe0f2542b49139f7d8cf1b1504d0705226802a97551f6481a7212d8cca5c561a5f0c15d36ea3cc20aeb827fa27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB
Filesize
442B

MD5
6329860c0bc5d914b56073ce5bab9b1a

SHA1
c4fd97a36ef4625007f9f3fec2ecb1e8503cf972

SHA256
60b472a9d992b63985ec03fa26845a2d90c9745ed2a0348554869df45e670eff

SHA512
09feb8f828854598b7cbbc13cdff400b76a320dcd5a555f1eab6f8fec5c6b271217079211d8b051269f17170ae20f88205002ee62a2442e76f8016d01afe7e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
139adfcf16af789145a04f7f20eac302

SHA1
74b1c1a9c686dc6ed18d415de888af7b0e957a1c

SHA256
2935efe3c751e1449604430b5df299baa6edf410be44f0332bf3e260b820eb51

SHA512
e2baf9f6fa639a0c6a174d72ce44c6c6a0b6ee001c9c55063e977a5cd8d96d1fc0b614e06c08f74a52ac45205422f69c8d5b2d0cf8bd54bdf9e7680cdc2a4ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\BRAND_COMMON
Filesize
23.3MB

MD5
105d3263b0bca342b425fc45702c8856

SHA1
00180722d29af289bb7d2138a52b9d784ce367da

SHA256
7547bc1f22cb361a4e644f899f8494faa013e15f05b75b77e1ea596532dc4fee

SHA512
f6d3a7a25af1c10bbf5fb18b406f30c2c7d92778731f6b6d3eb6f181bc7854e920f99e1f55d2fdc0484bd1bd9bb13942ef13da85d1823c1f5cba16568cb45efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\BROWSER.PACKED.7Z
Filesize
90.8MB

MD5
5e99de825a34c299b8eef00c8d475e3d

SHA1
6fc1d9ef19f3d2aae0fb4ac596afbb24b408d83d

SHA256
6f945efb7783b3ba9b8b48ffef9dc62322d11d51c401bbeaa1cf0aebf768b4ed

SHA512
dd272ce4dd7f4529fb4b4a182cab7fa63bae0f455ea5bf843888c59d9fc13d1564b0f436b5afcd2c3d449979dcd82e0c71f45b6ae54e41e1ebbb649dd060e68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\brand_yandex
Filesize
2.1MB

MD5
cff7f43a37e2081aa5271b2e42e20699

SHA1
9d50fec6b4b583e6b90cbc6906bb6838ded606d8

SHA256
58ee5e657246dadd99f6194ffe082a27a8896aaa4500ff6773054a3929a912fd

SHA512
4eb33ae0d9c9afb8116c9454b1ce06cefc6f59f21463ba9c04d45ed09b3fe61d1ef3aee1570e92d2657d4f6d33a603288f5ff5c04464bb6da75e16002763e2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\distrib_info
Filesize
293B

MD5
5ff4663cf4ed5b1c4c7e84ae7a26484b

SHA1
738deb4f237c34acab7ecf6a2899c7bd94ecd34a

SHA256
f69eb6cd9983e819f7c1273598046ace4ef35c97cc651b89b460bb05dbd58c81

SHA512
f9f7a15bd4d811d0a0a986d24b18d76434f89f81f6554cf0f707a0298a26f0732389e85394d186dd22a6c0306b8568c94d5583891196328e0e3945f44af59bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log
Filesize
12KB

MD5
ad13591ebe34f2a28859c1eac858a855

SHA1
f7ccd3d8e58f0975c57a9c7328d164a98a991f55

SHA256
1ea01b7cd54b0147b320f791c7c925da8461c9a9b01b5b3a90cafd9ce3413bf0

SHA512
79ae31acebe9a1d2d91851327415c69988ab434aa5c21707f2a3032d6e12f2c6a6b584556c7f95cfbe9208bef6b2bffab38724f717edbe444d566e43bcdbfa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log
Filesize
12KB

MD5
eb09982ca255a5d1cc143dbed756605f

SHA1
85e6917348d982e9911ab8c9f55c698a432082de

SHA256
f60f8309a8a82a5824dbe766a9ec581f0155252f08886453b0b316222c0b8900

SHA512
f3eeaee26048c7959bf71fecdc8d10289927a595bd37b9a6aedc3cdc356b9a1864c0a68f776ffc4fd2360f1314a75d3384ff725a99c9c1fceeddde98147bc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log
Filesize
25KB

MD5
52d9f61a26df3fa2823df5c70539e492

SHA1
34506175d99e341b9eb69089b7ca9b9786fca55b

SHA256
5141903287e6de120ed19ea6c810adc5a6be95b2b1d18a882c78fe7f27f51210

SHA512
e9ad7c58722c56475e0d8de175dfc57bdf5160acb8309567040a91464e218c354c61afb53f46026eb8fc3f3483f13863a04c7e2edb5dde1c4029def933baaf81

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log
Filesize
26KB

MD5
9dd69e086ea059f46a6da4607f914c0f

SHA1
51e4b2674ea7d62997b97020f6e5309f08f84ac5

SHA256
9e300807cfdeddeddbf5fc647bda079a86e26539ae27c4adeb03fb1dbd77db99

SHA512
6d762a8494b22b2b0f41c126dd99cd1f3738210a8787e066a84710346128b41e3af78de818bcbe832754fd05b1717a418875b9ef4dafe30abdb2621b0395d922

Download Submit
C:\Users\Admin\AppData\Local\Temp\master_preferences
Filesize
129KB

MD5
517cebb5d922c6be230ce63948323b5e

SHA1
42cdd2f94dd6258441645e831552fc609e801e44

SHA256
fdd8fee19d1fb229f1bd4e6cdf703c69cda41278191165f337af6542c66847da

SHA512
c43e59415c5d8f3d0a842f273326348cc3593226183285bf006c4772a21430907c675e50451e3d6f4c72bc3febff1d34a57654bd8bc6c8e59da1bcc6e84d6a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\master_preferences
Filesize
129KB

MD5
517cebb5d922c6be230ce63948323b5e

SHA1
42cdd2f94dd6258441645e831552fc609e801e44

SHA256
fdd8fee19d1fb229f1bd4e6cdf703c69cda41278191165f337af6542c66847da

SHA512
c43e59415c5d8f3d0a842f273326348cc3593226183285bf006c4772a21430907c675e50451e3d6f4c72bc3febff1d34a57654bd8bc6c8e59da1bcc6e84d6a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\website.ico
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yandex_browser_installer.log
Filesize
5KB

MD5
ad0948aad8b8f6d8ed89472580890eae

SHA1
dc0ac88481cbf92b4bbd2037ac92aeb50df6c124

SHA256
3736d317c3b00e1ad7ea7ba8a96911ffa0b7cd77e77d2b27b9b9ba8ee0390506

SHA512
e44a87067335569f9de8ff9a671d9f17dc0b22f7c83d754994f3647a34baefd3dc2ec0521903179a561d0aca157e6b16e8b0682f72beb58b93cb561b30dafea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb4155.tmp
Filesize
149.8MB

MD5
ff228e3e10f4d98d961e8a361861180d

SHA1
30fb83fafd7e79ed0ecd11a5231773d46a83e9f7

SHA256
b64ea939b798557ffe48495520fb4a0e249a30d316cefc8c4ceca021b4b091ad

SHA512
1763b1fc773aa4a3f6e34157751b7707467916ffee91d0ddf2096fe2bc5bffe677229de1ed35a47d35af4c25139d624189a8d5c418de8174126aef0f0bfc85e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb4155.tmp
Filesize
149.8MB

MD5
ff228e3e10f4d98d961e8a361861180d

SHA1
30fb83fafd7e79ed0ecd11a5231773d46a83e9f7

SHA256
b64ea939b798557ffe48495520fb4a0e249a30d316cefc8c4ceca021b4b091ad

SHA512
1763b1fc773aa4a3f6e34157751b7707467916ffee91d0ddf2096fe2bc5bffe677229de1ed35a47d35af4c25139d624189a8d5c418de8174126aef0f0bfc85e9

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
38B

MD5
7a669a42bb89921e8ee964a3ad314ef5

SHA1
03d4bd5e2d0769b94305dd22d02d8366d5b22391

SHA256
a42a121e2f3d57041c0f983a1598fb14acad2ff940fcb6aa3c381b45311f39ae

SHA512
0529276a8e8c9528c30428d0811c27254c966f0cb6004274d7bd0bcdadae025879f04fb50c132cbbbcc3150a561ad18c66b78c6b5156ae97f9044b2802ddc131

Download Submit
C:\Windows\TEMP\sdwra_828_582232958\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
C:\Windows\Temp\sdwra_828_582232958\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Program Files (x86)\Yandex\YandexBrowser\22.9.3.891\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
\Users\Admin\AppData\Local\Temp\YB_C1656.tmp\setup.exe
Filesize
3.9MB

MD5
7600b48ce4fb19c29eae3079d826c699

SHA1
9306e894d2645f71a49a3006b5046896a9917ef9

SHA256
f5e44bb904f6fe2b59ca129b53c44d7e25f6ce0b65a51203a4a23a6dfe40871b

SHA512
1a11be3bc8487f1ec7168d7843674a5192b737f28be66a91fe073d824d69605608633b0ca7fad845dedb22f46849b89619f547e10f360f32ff49998fd9daff6c

Download Submit
\Users\Admin\AppData\Local\Temp\yb4155.tmp
Filesize
149.8MB

MD5
ff228e3e10f4d98d961e8a361861180d

SHA1
30fb83fafd7e79ed0ecd11a5231773d46a83e9f7

SHA256
b64ea939b798557ffe48495520fb4a0e249a30d316cefc8c4ceca021b4b091ad

SHA512
1763b1fc773aa4a3f6e34157751b7707467916ffee91d0ddf2096fe2bc5bffe677229de1ed35a47d35af4c25139d624189a8d5c418de8174126aef0f0bfc85e9

Download Submit
\Users\Admin\AppData\Local\Temp\yb4155.tmp
Filesize
149.8MB

MD5
ff228e3e10f4d98d961e8a361861180d

SHA1
30fb83fafd7e79ed0ecd11a5231773d46a83e9f7

SHA256
b64ea939b798557ffe48495520fb4a0e249a30d316cefc8c4ceca021b4b091ad

SHA512
1763b1fc773aa4a3f6e34157751b7707467916ffee91d0ddf2096fe2bc5bffe677229de1ed35a47d35af4c25139d624189a8d5c418de8174126aef0f0bfc85e9

Download Submit
\Users\Admin\AppData\Local\Temp\yb4155.tmp
Filesize
149.8MB

MD5
ff228e3e10f4d98d961e8a361861180d

SHA1
30fb83fafd7e79ed0ecd11a5231773d46a83e9f7

SHA256
b64ea939b798557ffe48495520fb4a0e249a30d316cefc8c4ceca021b4b091ad

SHA512
1763b1fc773aa4a3f6e34157751b7707467916ffee91d0ddf2096fe2bc5bffe677229de1ed35a47d35af4c25139d624189a8d5c418de8174126aef0f0bfc85e9

Download Submit
\Users\Admin\AppData\Local\Temp\yb4155.tmp
Filesize
149.8MB

MD5
ff228e3e10f4d98d961e8a361861180d

SHA1
30fb83fafd7e79ed0ecd11a5231773d46a83e9f7

SHA256
b64ea939b798557ffe48495520fb4a0e249a30d316cefc8c4ceca021b4b091ad

SHA512
1763b1fc773aa4a3f6e34157751b7707467916ffee91d0ddf2096fe2bc5bffe677229de1ed35a47d35af4c25139d624189a8d5c418de8174126aef0f0bfc85e9

Download Submit
\Windows\Temp\sdwra_828_582232958\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Windows\Temp\sdwra_828_582232958\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
\Windows\Temp\sdwra_828_582232958\service_update.exe
Filesize
2.6MB

MD5
f5aef523c78f170e1c01c7d2bd80d207

SHA1
97a966c3941a7202d7e62979c21b2244e853d1b1

SHA256
48ac6ff5c8bd6bca8428cb03badd8ec91ea1ff32ee2720958b7806d5c2e6cae0

SHA512
f5d0cde11c38fc9f56911cd376003c17972e5724edb9b424ea3bf2da08bbd054cc830c16c16bdd5d3de463956ef686ef1b89c00f97eb3736f4c2588642a1d868

Download Submit
memory/268-194-0x0000000000000000-mapping.dmp

Download
memory/268-155-0x0000000000000000-mapping.dmp

Download
memory/556-144-0x0000000000000000-mapping.dmp

Download
memory/576-85-0x0000000000000000-mapping.dmp

Download
memory/592-135-0x0000000000000000-mapping.dmp

Download
memory/636-148-0x0000000000000000-mapping.dmp

Download
memory/796-386-0x0000000000000000-mapping.dmp

Download
memory/828-79-0x0000000000000000-mapping.dmp

Download
memory/936-159-0x0000000000000000-mapping.dmp

Download
memory/1000-233-0x0000000000000000-mapping.dmp

Download
memory/1192-329-0x0000000000000000-mapping.dmp

Download
memory/1268-146-0x0000000000000000-mapping.dmp

Download
memory/1440-122-0x0000000000000000-mapping.dmp

Download
memory/1472-129-0x0000000000000000-mapping.dmp

Download
memory/1556-375-0x0000000000000000-mapping.dmp

Download
memory/1572-150-0x0000000000000000-mapping.dmp

Download
memory/1608-285-0x0000000000000000-mapping.dmp

Download
memory/1624-152-0x0000000000000000-mapping.dmp

Download
memory/1624-142-0x0000000000000000-mapping.dmp

Download
memory/1684-294-0x0000000000000000-mapping.dmp

Download
memory/1700-68-0x0000000000000000-mapping.dmp

Download
memory/1724-154-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1764-140-0x0000000000000000-mapping.dmp

Download
memory/1772-138-0x0000000000000000-mapping.dmp

Download
memory/1912-196-0x0000000000000000-mapping.dmp

Download
memory/1920-330-0x0000000000000000-mapping.dmp

Download
memory/1932-113-0x0000000000000000-mapping.dmp

Download
memory/1956-56-0x0000000000000000-mapping.dmp

Download
memory/1992-71-0x0000000000000000-mapping.dmp

Download
memory/2012-55-0x0000000074131000-0x0000000074133000-memory.dmp

Filesize
8KB

Download
memory/2012-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/2104-268-0x0000000000000000-mapping.dmp

Download
memory/2272-287-0x0000000000000000-mapping.dmp

Download
memory/2296-289-0x0000000000000000-mapping.dmp

Download
memory/2332-291-0x0000000000000000-mapping.dmp

Download
memory/2536-278-0x0000000000000000-mapping.dmp

Download
memory/2596-280-0x0000000000000000-mapping.dmp

Download
memory/2636-282-0x0000000000000000-mapping.dmp

Download
memory/2748-284-0x0000000065B01000-0x0000000065B03000-memory.dmp

Filesize
8KB

Download
memory/2792-340-0x0000000000000000-mapping.dmp

Download
memory/2940-376-0x0000000000000000-mapping.dmp

Download
memory/2996-421-0x0000000000000000-mapping.dmp

Download
memory/3044-422-0x0000000000000000-mapping.dmp

Download