guerrilla | 86e78c5424bca2e9f9b84c50e251118573dc22bcee6ff908362b6b0e37205bdc

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YandexBrowserAutoLaunch_45886AE68CD319C7351FF54A1DBD4B87 = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --shutdown-if-not-closed-by-system-restart"	browser.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	anydesk-8-0-9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	LDPlayer9_ru_25567197_ld.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	anydesk-8-0-9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	YD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	service_update.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui	service_update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5OpenGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9VMMR0.r0	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\concrt140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-processthreads-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-datetime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-timezone-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\host_manager2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDTrace.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestPropSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libOpenglRender.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-errorhandling-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-libraryloader-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-namedpipe-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\DbgPlugInDiggers.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-stdio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-synch-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-sysinfo-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libssl-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Core.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\regsvr32_x64.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxBugReport.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxNetLwf.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxManage.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxTestOGL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-conio-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstInt.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libeay32.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\ldutils.dll	dnrepairer.exe
File opened for modification	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\libcrypto-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstPDMAsyncCompletionStress.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\UICommon.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDDU.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxRes.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-convert-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\load.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\EGL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-handle-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxNetNAT.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp100.dll	dnrepairer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\Tasks\System update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Tasks\Update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Tasks\Repairing Yandex Browser update service.job	service_update.exe
File created	C:\Windows\Tasks\Обновление Браузера Яндекс.job	browser.exe

Executes dropped EXE 64 IoCs

pid	Process
4548	YD.exe
5048	YandexPackSetup.exe
5000	YD.exe
2276	lite_installer.exe
3212	seederexe.exe
10300	explorer.exe
10128	explorer.exe
10060	sender.exe
8380	{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe
11680	LDPlayer.exe
1456	yb118A.tmp
15160	setup.exe
15044	setup.exe
14964	setup.exe
14752	dnrepairer.exe
15652	dismhost.exe
6652	service_update.exe
6820	service_update.exe
7008	service_update.exe
7048	service_update.exe
7220	service_update.exe
16388	service_update.exe
16712	Ld9BoxSVC.exe
7660	clidmgr.exe
7772	clidmgr.exe
7880	browser.exe
7932	browser.exe
9548	browser.exe
9524	browser.exe
9484	browser.exe
9460	browser.exe
9056	browser.exe
9288	browser.exe
9060	browser.exe
9008	browser.exe
8844	browser.exe
11400	browser.exe
11828	browser.exe
11348	browser.exe
4864	browser.exe
3416	browser.exe
15436	browser.exe
15368	browser.exe
15108	browser.exe
14636	browser.exe
14564	browser.exe
14268	browser.exe
14276	browser.exe
2060	browser.exe
5004	browser.exe
13120	browser.exe
812	driverconfig.exe
5396	dnplayer.exe
7300	Ld9BoxSVC.exe
17112	vbox-img.exe
17012	vbox-img.exe
16900	vbox-img.exe
17304	vmware-vdiskmanager.exe
12336	dnmultiplayerex.exe
12580	dnplayer.exe
12604	dnplayer.exe
12704	dnplayer.exe
12856	dnplayer.exe
12996	Ld9BoxSVC.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5648	sc.exe
7316	sc.exe
16644	sc.exe
13020	sc.exe
1728	sc.exe
920	sc.exe
5692	sc.exe
5736	sc.exe
8284	sc.exe
9812	sc.exe
16508	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
14752	dnrepairer.exe
14752	dnrepairer.exe
14752	dnrepairer.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
15652	dismhost.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
16712	Ld9BoxSVC.exe
7520	regsvr32.exe
7520	regsvr32.exe
7520	regsvr32.exe
7520	regsvr32.exe
7520	regsvr32.exe
7520	regsvr32.exe
7520	regsvr32.exe
7520	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7708	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7768	regsvr32.exe
7880	browser.exe
7932	browser.exe
7900	regsvr32.exe
7900	regsvr32.exe
7900	regsvr32.exe
7900	regsvr32.exe
7900	regsvr32.exe
7900	regsvr32.exe
7900	regsvr32.exe

Registers COM server for autorun 1 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk-8-0-9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk-8-0-9.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
11368	taskkill.exe
11448	taskkill.exe
11512	taskkill.exe
11576	taskkill.exe
5424	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\YaCreationDate = "2024-43-02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=640&clid=2832701&text={searchTerms}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTURL = "https://yandex.ru/search/?win=640&clid=2832703&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-43-02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\MINIE	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\URL = "https://yandex.ru/search/?win=640&clid=2832701&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\DisplayName = "Bing"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=640&clid=2832703&text={searchTerms}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ad916efa-f0ee-11ee-9d1a-d28c415b03fa\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\buffer\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=640&clid=2832700"	seederexe.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133565357942414519"	browser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex\UICreated_SYSTEM = "1"	service_update.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	browser.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00C2-4484-0077-C057003D9C90}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A227-4F23-8278-2F675EEA1BB2}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7997-4595-A731-3A509DB604E5}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9B2D-4377-BFE6-9702E881516B}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\YandexWEBP.D6QJ7CTONDSGESVWSGUXPBOKMM\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\YandexXML.D6QJ7CTONDSGESVWSGUXPBOKMM\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C927-11E7-B788-33C248E71FC7}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C196-4D26-B8DB-4C8C389F1F82}\NumMethods\ = "22"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\.gif	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-800A-40F8-87A6-170D02249A55}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods\ = "49"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.Session\CurVer\ = "VirtualBox.Session.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2f05-4d28-855f-488f96bad2b2}	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3618-4EBC-B038-833BA829B4B2}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\YandexJPEG.D6QJ7CTONDSGESVWSGUXPBOKMM\shell\open\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7006-40D4-B339-472EE3801844}\ = "IGuestKeyboardEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4A9B-1727-BEE2-5585105B9EED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\NumMethods\ = "24"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC87-4F6E-A0E9-47BB7F2D4BE5}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\ = "IUSBDevice"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-659C-488B-835C-4ECA7AE71C6C}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-B7F1-4A5A-A4EF-A11DD9C2A458}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\SystemFileAssociations\.gif\shell\image_search\command	browser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-057D-4391-B928-F14B06B710C5}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6E0B-492A-A8D0-968472A94DC7}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F1F8-4590-941A-CDB66075C5BF}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E5DB-4D2C-BAAA-C71053A6236D}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00B1-4E9D-0000-11FA00F9D583}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\.js	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7556-4CBC-8C04-043096B02D82}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E1B7-4339-A549-F0878115596E}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BCB2-4905-A7AB-CC85448A742B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-AA82-4720-BC84-BD097B2B13B8}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-6679-422A-B629-51B06B0C6D93}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-486F-40DB-9150-DEEE3FD24189}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3E8A-11E9-825C-AB7B2CABCE23}\NumMethods\ = "37"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-42DA-C94B-8AEC-21968E08355D}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-8079-447A-A33E-47A69C7980DB}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34b8-42d3-acfb-7e96daf77c22}	Ld9BoxSVC.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\yabrowser	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A7-4C8F-910D-47AABD67253A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-735F-4FDE-8A54-427D49409B5F}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.ldbk	LDPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\YandexCRX.D6QJ7CTONDSGESVWSGUXPBOKMM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-057D-4391-B928-F14B06B710C5}\NumMethods\ = "14"	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	YD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	YD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	YD.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\anydesk-8-0-9.exe:Zone.Identifier	firefox.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
15228	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6620	anydesk-8-0-9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	YandexPackSetup.exe
5048	YandexPackSetup.exe
2276	lite_installer.exe
2276	lite_installer.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
3212	seederexe.exe
10060	sender.exe
10060	sender.exe
2276	lite_installer.exe
2276	lite_installer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
14752	dnrepairer.exe
14752	dnrepairer.exe
6652	service_update.exe
6652	service_update.exe
6820	service_update.exe
6820	service_update.exe
7008	service_update.exe
7008	service_update.exe
7220	service_update.exe
7220	service_update.exe
16388	service_update.exe
16388	service_update.exe
15044	setup.exe
15044	setup.exe
15044	setup.exe
15044	setup.exe
9688	powershell.exe
9688	powershell.exe
7880	browser.exe
7880	browser.exe
9688	powershell.exe
4860	powershell.exe
4860	powershell.exe
3712	LDPlayer9_ru_25567197_ld.exe
3712	LDPlayer9_ru_25567197_ld.exe
11680	LDPlayer.exe
11680	LDPlayer.exe
15196	powershell.exe
15196	powershell.exe
15196	powershell.exe
4860	powershell.exe
17304	vmware-vdiskmanager.exe
17304	vmware-vdiskmanager.exe
14756	msedge.exe
14756	msedge.exe
8028	msedge.exe
8028	msedge.exe
5616	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5396	dnplayer.exe
12580	dnplayer.exe
13604	taskmgr.exe
15228	regedit.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
7880	browser.exe
7880	browser.exe
7880	browser.exe
7880	browser.exe
7880	browser.exe
7880	browser.exe
7880	browser.exe
7880	browser.exe
7880	browser.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5048	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	5048	YandexPackSetup.exe
Token: SeCreateTokenPrivilege	5048	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	5048	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	5048	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	5048	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	5048	YandexPackSetup.exe
Token: SeTcbPrivilege	5048	YandexPackSetup.exe
Token: SeSecurityPrivilege	5048	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	5048	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	5048	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	5048	YandexPackSetup.exe
Token: SeSystemtimePrivilege	5048	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	5048	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	5048	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	5048	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	5048	YandexPackSetup.exe
Token: SeBackupPrivilege	5048	YandexPackSetup.exe
Token: SeRestorePrivilege	5048	YandexPackSetup.exe
Token: SeShutdownPrivilege	5048	YandexPackSetup.exe
Token: SeDebugPrivilege	5048	YandexPackSetup.exe
Token: SeAuditPrivilege	5048	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	5048	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	5048	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	5048	YandexPackSetup.exe
Token: SeUndockPrivilege	5048	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	5048	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	5048	YandexPackSetup.exe
Token: SeManageVolumePrivilege	5048	YandexPackSetup.exe
Token: SeImpersonatePrivilege	5048	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	5048	YandexPackSetup.exe
Token: SeDebugPrivilege	11368	taskkill.exe
Token: SeDebugPrivilege	11448	taskkill.exe
Token: SeDebugPrivilege	11512	taskkill.exe
Token: SeDebugPrivilege	11576	taskkill.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe
Token: SeDebugPrivilege	11680	LDPlayer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
10300	explorer.exe
10128	explorer.exe
3712	LDPlayer9_ru_25567197_ld.exe
7880	browser.exe
7880	browser.exe
5396	dnplayer.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5396	dnplayer.exe
12580	dnplayer.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
14088	firefox.exe
13604	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5396	dnplayer.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5616	msedge.exe
5396	dnplayer.exe
12580	dnplayer.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
14088	firefox.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe
14088	firefox.exe
14088	firefox.exe
13604	taskmgr.exe
13604	taskmgr.exe
13604	taskmgr.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
7880	browser.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
14088	firefox.exe
13932	anydesk-8-0-9.exe
13932	anydesk-8-0-9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4548	3712	LDPlayer9_ru_25567197_ld.exe	97
PID 3712 wrote to memory of 4548	3712	LDPlayer9_ru_25567197_ld.exe	97
PID 3712 wrote to memory of 4548	3712	LDPlayer9_ru_25567197_ld.exe	97
PID 4548 wrote to memory of 5048	4548	YD.exe	98
PID 4548 wrote to memory of 5048	4548	YD.exe	98
PID 4548 wrote to memory of 5048	4548	YD.exe	98
PID 4548 wrote to memory of 5000	4548	YD.exe	99
PID 4548 wrote to memory of 5000	4548	YD.exe	99
PID 4548 wrote to memory of 5000	4548	YD.exe	99
PID 3544 wrote to memory of 2276	3544	MsiExec.exe	103
PID 3544 wrote to memory of 2276	3544	MsiExec.exe	103
PID 3544 wrote to memory of 2276	3544	MsiExec.exe	103
PID 3544 wrote to memory of 3212	3544	MsiExec.exe	105
PID 3544 wrote to memory of 3212	3544	MsiExec.exe	105
PID 3544 wrote to memory of 3212	3544	MsiExec.exe	105
PID 3212 wrote to memory of 10392	3212	seederexe.exe	107
PID 3212 wrote to memory of 10392	3212	seederexe.exe	107
PID 3212 wrote to memory of 10392	3212	seederexe.exe	107
PID 10392 wrote to memory of 10300	10392	Yandex.exe	108
PID 10392 wrote to memory of 10300	10392	Yandex.exe	108
PID 10392 wrote to memory of 10300	10392	Yandex.exe	108
PID 3212 wrote to memory of 10220	3212	seederexe.exe	109
PID 3212 wrote to memory of 10220	3212	seederexe.exe	109
PID 3212 wrote to memory of 10220	3212	seederexe.exe	109
PID 10220 wrote to memory of 10128	10220	Yandex.exe	110
PID 10220 wrote to memory of 10128	10220	Yandex.exe	110
PID 10220 wrote to memory of 10128	10220	Yandex.exe	110
PID 3212 wrote to memory of 10060	3212	seederexe.exe	111
PID 3212 wrote to memory of 10060	3212	seederexe.exe	111
PID 3212 wrote to memory of 10060	3212	seederexe.exe	111
PID 3712 wrote to memory of 11368	3712	LDPlayer9_ru_25567197_ld.exe	112
PID 3712 wrote to memory of 11368	3712	LDPlayer9_ru_25567197_ld.exe	112
PID 3712 wrote to memory of 11368	3712	LDPlayer9_ru_25567197_ld.exe	112
PID 3712 wrote to memory of 11448	3712	LDPlayer9_ru_25567197_ld.exe	114
PID 3712 wrote to memory of 11448	3712	LDPlayer9_ru_25567197_ld.exe	114
PID 3712 wrote to memory of 11448	3712	LDPlayer9_ru_25567197_ld.exe	114
PID 3712 wrote to memory of 11512	3712	LDPlayer9_ru_25567197_ld.exe	116
PID 3712 wrote to memory of 11512	3712	LDPlayer9_ru_25567197_ld.exe	116
PID 3712 wrote to memory of 11512	3712	LDPlayer9_ru_25567197_ld.exe	116
PID 3712 wrote to memory of 11576	3712	LDPlayer9_ru_25567197_ld.exe	118
PID 3712 wrote to memory of 11576	3712	LDPlayer9_ru_25567197_ld.exe	118
PID 3712 wrote to memory of 11576	3712	LDPlayer9_ru_25567197_ld.exe	118
PID 3712 wrote to memory of 11680	3712	LDPlayer9_ru_25567197_ld.exe	120
PID 3712 wrote to memory of 11680	3712	LDPlayer9_ru_25567197_ld.exe	120
PID 3712 wrote to memory of 11680	3712	LDPlayer9_ru_25567197_ld.exe	120
PID 8380 wrote to memory of 1456	8380	{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe	122
PID 8380 wrote to memory of 1456	8380	{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe	122
PID 8380 wrote to memory of 1456	8380	{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe	122
PID 1456 wrote to memory of 15160	1456	yb118A.tmp	128
PID 1456 wrote to memory of 15160	1456	yb118A.tmp	128
PID 1456 wrote to memory of 15160	1456	yb118A.tmp	128
PID 15160 wrote to memory of 15044	15160	setup.exe	129
PID 15160 wrote to memory of 15044	15160	setup.exe	129
PID 15160 wrote to memory of 15044	15160	setup.exe	129
PID 15044 wrote to memory of 14964	15044	setup.exe	130
PID 15044 wrote to memory of 14964	15044	setup.exe	130
PID 15044 wrote to memory of 14964	15044	setup.exe	130
PID 11680 wrote to memory of 14752	11680	LDPlayer.exe	131
PID 11680 wrote to memory of 14752	11680	LDPlayer.exe	131
PID 11680 wrote to memory of 14752	11680	LDPlayer.exe	131
PID 14752 wrote to memory of 14680	14752	dnrepairer.exe	132
PID 14752 wrote to memory of 14680	14752	dnrepairer.exe	132
PID 14752 wrote to memory of 14680	14752	dnrepairer.exe	132
PID 14680 wrote to memory of 14628	14680	net.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ru_25567197_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ru_25567197_ld.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3712
- C:\LDPlayer\LDPlayer9\YD.exe
  "C:\LDPlayer\LDPlayer9\YD.exe" --partner 124047 --distr /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\LDPlayer\LDPlayer9\YD.exe
    C:\LDPlayer\LDPlayer9\YD.exe --stat dwnldr/p=124047/cnt=0/dt=5/ct=0/rt=0 --dh 2336 --st 1712061824
    3⤵
    - Executes dropped EXE
    PID:5000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:11368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnmultiplayer.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:11448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM dnupdate.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:11512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM bugreport.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:11576
- C:\LDPlayer\LDPlayer9\LDPlayer.exe
  "C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25567197 -language=ru -path="C:\LDPlayer\LDPlayer9\"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:11680
- - C:\LDPlayer\LDPlayer9\dnrepairer.exe
    "C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=393688
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:14752
  - - C:\Windows\SysWOW64\net.exe
      "net" start cryptsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:14680
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start cryptsvc
        5⤵
        
        PID:14628
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Softpub.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:14612
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Wintrust.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:14604
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" Initpki.dll /s
      4⤵
      PID:14580
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32" Initpki.dll /s
      4⤵
      PID:14560
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" dssenh.dll /s
      4⤵
      PID:14544
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" rsaenh.dll /s
      4⤵
      PID:14536
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" cryptdlg.dll /s
      4⤵
      Manipulates Digital Signatures
      PID:14516
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:14500
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:14452
  - - C:\Windows\SysWOW64\takeown.exe
      "takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:14404
  - - C:\Windows\SysWOW64\icacls.exe
      "icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:14360
  - - C:\Windows\SysWOW64\dism.exe
      C:\Windows\system32\dism.exe /Online /English /Get-Features
      4⤵
      Drops file in Windows directory
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\DFB3072F-9E18-4EDF-873B-DC3F0E7854FE\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\DFB3072F-9E18-4EDF-873B-DC3F0E7854FE\dismhost.exe {86C08B40-57D8-4484-B600-D097303DB12F}
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:15652
  - - C:\Windows\SysWOW64\sc.exe
      sc query HvHost
      4⤵
      Launches sc.exe
      PID:5648
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmms
      4⤵
      Launches sc.exe
      PID:5692
  - - C:\Windows\SysWOW64\sc.exe
      sc query vmcompute
      4⤵
      Launches sc.exe
      PID:5736
  - - C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
      "C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:16712
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
      4⤵
      Loads dropped DLL
      PID:7520
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
      4⤵
      Loads dropped DLL
      PID:7708
  - - C:\Windows\SYSTEM32\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:7768
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:7900
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
      4⤵
      Launches sc.exe
      PID:8284
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\system32\sc" start Ld9BoxSup
      4⤵
      Launches sc.exe
      PID:9812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:9688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:15196
- - C:\LDPlayer\LDPlayer9\driverconfig.exe
    "C:\LDPlayer\LDPlayer9\driverconfig.exe"
    3⤵
    - Executes dropped EXE
    PID:812
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5468
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:16436
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\\dnplayer.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5396
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    PID:7316
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    PID:16644
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    PID:16508
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    - Executes dropped EXE
    PID:17112
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:17012
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
    3⤵
    - Executes dropped EXE
    PID:16900
- - C:\LDPlayer\LDPlayer9\vmware-vdiskmanager.exe
    "C:\LDPlayer\LDPlayer9\vmware-vdiskmanager.exe" -R C:\LDPlayer\LDPlayer9\system.vmdk
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:17304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ru.ldplayer.net/blog/how-to-enable-vt.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf82c46f8,0x7ffdf82c4708,0x7ffdf82c4718
      4⤵
      PID:17396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 /prefetch:2
      4⤵
      PID:15032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:14756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      4⤵
      PID:15048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:9964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:9960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
      4⤵
      PID:12272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
      4⤵
      PID:9040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,11248899557218964111,16904452873454770380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:10144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ru.ldplayer.net/blog/how-to-enable-vt.html
    3⤵
    PID:7596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf82c46f8,0x7ffdf82c4708,0x7ffdf82c4718
      4⤵
      PID:7616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12204597511518159650,7851664973691158739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:8056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12204597511518159650,7851664973691158739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:8028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM ldcurl.exe /T
  2⤵
  - Kills process with taskkill
  PID:5424

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3192
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B44E9D68985EF0716CC0AA0C995760A9
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\055CC29A-FEC8-47B2-8197-3A08824FA9F9\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\055CC29A-FEC8-47B2-8197-3A08824FA9F9\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\4A2FFA66-B8FD-4EC0-B5D2-DD19391037C9\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\4A2FFA66-B8FD-4EC0-B5D2-DD19391037C9\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\1C4D5341-B9F5-481E-9249-250A58968A0A\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      Suspicious use of WriteProcessMemory
      PID:10392
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:10300
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:10220
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169" /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\2AE68B04.8A85F169\Яндекс Маркет.lnk" --is-pinning
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:10128
  - - C:\Users\Admin\AppData\Local\Temp\1C4D5341-B9F5-481E-9249-250A58968A0A\sender.exe
      C:\Users\Admin\AppData\Local\Temp\1C4D5341-B9F5-481E-9249-250A58968A0A\sender.exe --send "/status.xml?clid=2832699&uuid=afa5bd8b-c9ae-400c-b1ec-3e6294457eca&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A38%0A40%0A42%0A43%0A45%0A57%0A61%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:10060

C:\Users\Admin\AppData\Local\Temp\{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe
"C:\Users\Admin\AppData\Local\Temp\{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe" --job-name=yBrowserDownloader-{EA1A032D-06AF-4762-8DC0-DE868F61E5F8} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2832672&ui={afa5bd8b-c9ae-400c-b1ec-3e6294457eca} --use-user-default-locale
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8380
- C:\Users\Admin\AppData\Local\Temp\yb118A.tmp
  "C:\Users\Admin\AppData\Local\Temp\yb118A.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\3df26552-1eeb-4842-b834-19104e0b3bde.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=572831778 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{EA1A032D-06AF-4762-8DC0-DE868F61E5F8} --local-path="C:\Users\Admin\AppData\Local\Temp\{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2832672&ui={afa5bd8b-c9ae-400c-b1ec-3e6294457eca} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\389025c7-c3bf-4736-81d6-467751fa7d11.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\3df26552-1eeb-4842-b834-19104e0b3bde.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=572831778 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{EA1A032D-06AF-4762-8DC0-DE868F61E5F8} --local-path="C:\Users\Admin\AppData\Local\Temp\{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2832672&ui={afa5bd8b-c9ae-400c-b1ec-3e6294457eca} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\389025c7-c3bf-4736-81d6-467751fa7d11.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:15160
  - - C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\3df26552-1eeb-4842-b834-19104e0b3bde.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=572831778 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{EA1A032D-06AF-4762-8DC0-DE868F61E5F8} --local-path="C:\Users\Admin\AppData\Local\Temp\{BCB21D0C-CD75-48BE-950A-B2A2A1F1BA38}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2832672&ui={afa5bd8b-c9ae-400c-b1ec-3e6294457eca} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\389025c7-c3bf-4736-81d6-467751fa7d11.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico" --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=619324985
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:15044
    - - C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\YB_8B575.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=15044 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.1.5.738 --initial-client-data=0x338,0x33c,0x340,0x318,0x344,0x745768,0x745774,0x745780
        5⤵
        Executes dropped EXE
        
        PID:14964
    - - C:\Windows\TEMP\sdwra_15044_1493117275\service_update.exe
        
        "C:\Windows\TEMP\sdwra_15044_1493117275\service_update.exe" --setup
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6652
      - C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe
        
        "C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe" --install
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6820
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
        
        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
        5⤵
        Executes dropped EXE
        
        PID:7660
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
        
        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source15044_181663379\Browser-bin\clids_yandex_second.xml"
        5⤵
        Executes dropped EXE
        
        PID:7772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:14056

C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe" --run-as-service
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:7008
- C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe
  "C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=7008 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.1.5.738 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0xf7efe0,0xf7efec,0xf7eff8
  2⤵
  - Executes dropped EXE
  PID:7048
- C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe
  "C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe" --update-scheduler
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:7220
- - C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe
    "C:\Program Files (x86)\Yandex\YandexBrowser\24.1.5.738\service_update.exe" --update-background-scheduler
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:16388

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=0 --install-start-time-no-uac=572831778
1⤵
- Adds Run key to start application
- Checks computer location settings
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:7880
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=7880 --annotation=metrics_client_id=f8e4284361df4beb9c6a39996291ca1e --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.1.5.738 --initial-client-data=0x184,0x188,0x18c,0x160,0x190,0x71d232cc,0x71d232d8,0x71d232e4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7932
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --gpu-process-kind=sandboxed --mojo-platform-channel-handle=2476 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:9548
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --gpu-process-kind=trampoline --mojo-platform-channel-handle=2796 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:9524
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Network Service" --mojo-platform-channel-handle=3680 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:9484
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=service --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Storage Service" --mojo-platform-channel-handle=3720 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:9460
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Audio Service" --mojo-platform-channel-handle=3764 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:9288
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ru --service-sandbox-type=none --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Video Capture" --mojo-platform-channel-handle=4528 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:9056
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --first-renderer-process --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:9060
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=4732 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:9008
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4616 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:8844
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Импорт профилей" --mojo-platform-channel-handle=4628 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:11400
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5164 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:11828
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5372 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:11348
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=uwp_cookie_provider.mojom.UwpCookieProvider --lang=ru --service-sandbox-type=utility --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name=uwp_cookie_provider.mojom.UwpCookieProvider --mojo-platform-channel-handle=5620 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5604 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4352 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:15436
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5600 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:15368
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4592 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:15108
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Утилиты Windows" --mojo-platform-channel-handle=3612 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:14636
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Утилиты Windows" --mojo-platform-channel-handle=4720 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:14564
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Импорт профилей" --mojo-platform-channel-handle=2124 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:14268
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5632 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:14276
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=uwp_cookie_provider.mojom.UwpCookieProvider --lang=ru --service-sandbox-type=utility --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --process-name=uwp_cookie_provider.mojom.UwpCookieProvider --mojo-platform-channel-handle=3404 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.1.5.738 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4092 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=afa5bd8b-c9ae-400c-b1ec-3e6294457eca --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6352 --field-trial-handle=2500,i,14074100289721531489,3012380097746252033,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:13120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x294 0x4c4
1⤵
PID:2632

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:7300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10752

C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe
"C:\LDPlayer\ldmutiplayer\dnmultiplayerex.exe"
1⤵
- Executes dropped EXE
PID:12336
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:12580
- - C:\Windows\SysWOW64\sc.exe
    sc query HvHost
    3⤵
    - Launches sc.exe
    PID:13020
- - C:\Windows\SysWOW64\sc.exe
    sc query vmms
    3⤵
    - Launches sc.exe
    PID:1728
- - C:\Windows\SysWOW64\sc.exe
    sc query vmcompute
    3⤵
    - Launches sc.exe
    PID:920
- - C:\Program Files\ldplayer9box\vbox-img.exe
    "C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
    3⤵
    PID:13272
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:12604
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:12704
- C:\LDPlayer\LDPlayer9\dnplayer.exe
  "C:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  PID:12856

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:12996
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:13292
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:4288
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:9012
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:1324
- C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
  "C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
  2⤵
  PID:4372

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:13604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:13744
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:14088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.0.1409241220\376100613" -parentBuildID 20221007134813 -prefsHandle 2080 -prefMapHandle 2056 -prefsLen 21302 -prefMapSize 233560 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69aac54d-dd88-419c-930a-4b592c23fa4a} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 2160 226425fc858 gpu
    3⤵
    PID:7452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.1.897454004\240447371" -parentBuildID 20221007134813 -prefsHandle 2544 -prefMapHandle 2540 -prefsLen 21338 -prefMapSize 233560 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cef7a115-f158-416a-b6b3-14c4304c2d3f} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 2556 22643106e58 socket
    3⤵
    PID:9208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.2.1908168003\2083480431" -childID 1 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 21459 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07dbf2d9-e976-4c19-b154-c0393cf60ea5} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 3488 226459cf258 tab
    3⤵
    PID:15204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.3.1013734514\442384487" -childID 2 -isForBrowser -prefsHandle 3292 -prefMapHandle 3096 -prefsLen 22342 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {280d33a2-9028-4dd3-8e35-4a389da6864d} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 3324 22646fcbd58 tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.4.1278968318\1695533521" -childID 3 -isForBrowser -prefsHandle 4944 -prefMapHandle 4940 -prefsLen 26864 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3762147-9bd0-4ca9-baf8-dc49892f3e3c} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 4960 22648d55158 tab
    3⤵
    PID:15328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.5.1506620007\2014231175" -childID 4 -isForBrowser -prefsHandle 5416 -prefMapHandle 5300 -prefsLen 26945 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c8eb65d-36dd-479e-bc99-4ffe86837314} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 5464 2264379a358 tab
    3⤵
    PID:13596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.6.1412018803\1711673402" -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5440 -prefsLen 26945 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa5de2d2-0935-4914-9c28-c3919089b051} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 5380 22646fcdb58 tab
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.7.6212358\797138389" -childID 6 -isForBrowser -prefsHandle 5580 -prefMapHandle 5380 -prefsLen 26945 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55d41d4b-8116-43fb-83b0-3d771fc46a8f} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 5688 22647138258 tab
    3⤵
    PID:13324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.8.231635593\1072782667" -childID 7 -isForBrowser -prefsHandle 4400 -prefMapHandle 5760 -prefsLen 27464 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4091c2a4-b895-4044-9eb6-0414dbc5c80c} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 3860 226471afe58 tab
    3⤵
    PID:5296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.9.404958046\1561668551" -childID 8 -isForBrowser -prefsHandle 5784 -prefMapHandle 6280 -prefsLen 27464 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c92c3b4-699e-4862-83b8-f974ea73ac01} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 5656 2264af74b58 tab
    3⤵
    PID:10036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.10.1829233460\1291873022" -childID 9 -isForBrowser -prefsHandle 6572 -prefMapHandle 6520 -prefsLen 27464 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de714b9f-d2fa-4633-bf3a-d962b73a658a} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 6576 2264b47df58 tab
    3⤵
    PID:16472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.11.2141199117\1784851808" -childID 10 -isForBrowser -prefsHandle 6768 -prefMapHandle 5232 -prefsLen 28204 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e40cec7-0e06-4d64-8d18-810b607b1be4} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 6824 2264a8f5958 tab
    3⤵
    PID:1032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.12.1153674327\328280507" -childID 11 -isForBrowser -prefsHandle 6176 -prefMapHandle 6220 -prefsLen 28204 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {670636aa-3465-4306-9429-e3a967f70d0e} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 6312 2264ca75758 tab
    3⤵
    PID:12536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.13.1496210793\782848245" -childID 12 -isForBrowser -prefsHandle 6948 -prefMapHandle 6952 -prefsLen 28269 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0817fa65-2748-4bdb-ae7b-800b258f6635} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 6940 22648f30558 tab
    3⤵
    PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.14.1004153681\518645470" -childID 13 -isForBrowser -prefsHandle 7192 -prefMapHandle 7216 -prefsLen 28269 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eebab90e-d1d4-4cdd-96a4-08b96959d6da} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 7220 2264b13dc58 tab
    3⤵
    PID:9276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14088.15.1397833415\1089192868" -childID 14 -isForBrowser -prefsHandle 6116 -prefMapHandle 4760 -prefsLen 28269 -prefMapSize 233560 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aecb3e86-9eb7-432d-95f9-3061b3923cd6} 14088 "\\.\pipe\gecko-crash-server-pipe.14088" 11388 2264b6bef58 tab
    3⤵
    PID:2528
- - C:\Users\Admin\Downloads\anydesk-8-0-9.exe
    "C:\Users\Admin\Downloads\anydesk-8-0-9.exe"
    3⤵
    - Checks processor information in registry
    PID:13240
  - - C:\Users\Admin\Downloads\anydesk-8-0-9.exe
      "C:\Users\Admin\Downloads\anydesk-8-0-9.exe" --local-service
      4⤵
      Checks computer location settings
      PID:5208
    - - C:\Users\Admin\Downloads\anydesk-8-0-9.exe
        
        "C:\Users\Admin\Downloads\anydesk-8-0-9.exe" --backend
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:13932
  - - C:\Users\Admin\Downloads\anydesk-8-0-9.exe
      "C:\Users\Admin\Downloads\anydesk-8-0-9.exe" --local-control
      4⤵
      Checks computer location settings
      Suspicious behavior: AddClipboardFormatListener
      PID:6620

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:15228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery