bdcd9f5eec736e493ead3ad3a6ea517e4ec3a6525819f6e3761af02828089d5f

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	Yandex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	Yandex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	browser.exe

Executes dropped EXE 44 IoCs

pid	Process
696	yadl.exe
5104	YandexPackSetup.exe
4720	yadl.exe
784	lite_installer.exe
3620	seederexe.exe
3228	KLauncher.exe
3568	javaw.exe
5520	javaw.exe
10184	{1DF11A23-E910-4447-801A-E6D69EA06429}.exe
6584	java.exe
6680	Yandex.exe
7404	explorer.exe
9092	Yandex.exe
7200	explorer.exe
9288	sender.exe
7500	yb198E.tmp
7052	setup.exe
7448	setup.exe
8028	setup.exe
7656	service_update.exe
7212	service_update.exe
9164	service_update.exe
9192	service_update.exe
7072	service_update.exe
9092	service_update.exe
9836	clidmgr.exe
3588	clidmgr.exe
5132	browser.exe
7116	browser.exe
1812	browser.exe
3668	browser.exe
2948	browser.exe
4400	browser.exe
2760	browser.exe
5496	browser.exe
5928	browser.exe
5888	browser.exe
6528	browser.exe
6276	browser.exe
3940	browser.exe
6348	browser.exe
7008	browser.exe
6944	browser.exe
8464	browser.exe

Loads dropped DLL 64 IoCs

pid	Process
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
3568	javaw.exe
3568	javaw.exe
3568	javaw.exe
3568	javaw.exe
3568	javaw.exe
3568	javaw.exe
3568	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe
5520	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4072	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\YandexBrowserAutoLaunch_45886AE68CD319C7351FF54A1DBD4B87 = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --shutdown-if-not-closed-by-system-restart"	browser.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui	service_update.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\debug.log	service_update.exe
File created	C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe	service_update.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Оновлення Браузера Яндекс.job	service_update.exe
File created	C:\Windows\Tasks\Обновление Браузера Яндекс.job	browser.exe
File opened for modification	C:\Windows\Installer\e57e5dc.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB13.tmp	msiexec.exe
File created	C:\Windows\Tasks\System update for Yandex Browser.job	service_update.exe
File opened for modification	C:\Windows\Installer\MSIEAB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	seederexe.exe
File created	C:\Windows\Tasks\Repairing Yandex Browser update service.job	service_update.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE733.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE87D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA46.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9B8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDF4.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e5dc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE83E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE92A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=644&clid=6035498-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=644&clid=6035502-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\YaCreationDate = "2024-10-30"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\MINIE	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-10-30"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\SuggestionsURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\NTURL = "https://yandex.ru/search/?win=644&clid=6035502-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\URL = "https://yandex.ru/search/?win=644&clid=6035498-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\c4c90302-06c0-11ef-9b14-d67a2d94b13e\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	seederexe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=644&clid=6035495-354"	seederexe.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex\UICreated_SYSTEM = "1"	service_update.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexPNG.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexSVG.KYPM7RXZHIUIPF5NJUCMUG557A\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexPDF.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.jpg\shell\image_search\Icon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	browser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Yandex.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.fb2	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexJS.KYPM7RXZHIUIPF5NJUCMUG557A\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexJPEG.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexJPEG.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexHTML.KYPM7RXZHIUIPF5NJUCMUG557A\AppUserModelId = "Yandex.KYPM7RXZHIUIPF5NJUCMUG557A"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.xht\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexWEBM.KYPM7RXZHIUIPF5NJUCMUG557A\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.crx\OpenWithProgids\YandexCRX.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.webp	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.tiff	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.bmp\shell\image_search\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --image-search=\"%1\""	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexCRX.KYPM7RXZHIUIPF5NJUCMUG557A\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexJS.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexPNG.KYPM7RXZHIUIPF5NJUCMUG557A\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-113"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexWEBM.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.css	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.png\OpenWithProgids\YandexPNG.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.html\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.xhtml\OpenWithProgids\YandexHTML.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\yabrowser\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexJPEG.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexWEBP.KYPM7RXZHIUIPF5NJUCMUG557A\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.xht\OpenWithProgids\YandexHTML.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.xml\OpenWithProgids\YandexXML.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexCRX.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexPNG.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.bmp\shell\image_search\ = "Поиск по картинке"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.png\shell	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexWEBP.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.jpg\OpenWithProgids\YandexJPEG.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.swf\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.jpeg\shell\image_search\command	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.jpg\shell\image_search\ = "Поиск по картинке"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexFB2.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexPNG.KYPM7RXZHIUIPF5NJUCMUG557A\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.jpeg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.png\shell\image_search\ = "Поиск по картинке"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.tif\shell\image_search\Icon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexCRX.KYPM7RXZHIUIPF5NJUCMUG557A\ = "Yandex Browser CRX Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexFB2.KYPM7RXZHIUIPF5NJUCMUG557A\ = "Yandex Browser FB2 Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexTIFF.KYPM7RXZHIUIPF5NJUCMUG557A\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexTXT.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.jpg\shell\image_search\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --image-search=\"%1\""	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexSVG.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.jpg\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexEPUB.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexSWF.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.txt\OpenWithProgids\YandexTXT.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.bmp\shell	browser.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LinksBar\Enabled = "1"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexGIF.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.css\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.jpg\shell	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.tif\shell\image_search\ = "Поиск по картинке"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\FavBarCache	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexBrowser.crx\ = "Yandex Browser Extra"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\YandexCRX.KYPM7RXZHIUIPF5NJUCMUG557A\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\.fb2\OpenWithProgids\YandexFB2.KYPM7RXZHIUIPF5NJUCMUG557A	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\SystemFileAssociations\.jpg\shell\image_search\command	browser.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	yadl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	yadl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	yadl.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5104	YandexPackSetup.exe
5104	YandexPackSetup.exe
3024	msiexec.exe
3024	msiexec.exe
784	lite_installer.exe
784	lite_installer.exe
784	lite_installer.exe
784	lite_installer.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
3620	seederexe.exe
9288	sender.exe
9288	sender.exe
7448	setup.exe
7448	setup.exe
7448	setup.exe
7448	setup.exe
5132	browser.exe
5132	browser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5104	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	5104	YandexPackSetup.exe
Token: SeSecurityPrivilege	3024	msiexec.exe
Token: SeCreateTokenPrivilege	5104	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	5104	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	5104	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	5104	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	5104	YandexPackSetup.exe
Token: SeTcbPrivilege	5104	YandexPackSetup.exe
Token: SeSecurityPrivilege	5104	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	5104	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	5104	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	5104	YandexPackSetup.exe
Token: SeSystemtimePrivilege	5104	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	5104	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	5104	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	5104	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	5104	YandexPackSetup.exe
Token: SeBackupPrivilege	5104	YandexPackSetup.exe
Token: SeRestorePrivilege	5104	YandexPackSetup.exe
Token: SeShutdownPrivilege	5104	YandexPackSetup.exe
Token: SeDebugPrivilege	5104	YandexPackSetup.exe
Token: SeAuditPrivilege	5104	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	5104	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	5104	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	5104	YandexPackSetup.exe
Token: SeUndockPrivilege	5104	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	5104	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	5104	YandexPackSetup.exe
Token: SeManageVolumePrivilege	5104	YandexPackSetup.exe
Token: SeImpersonatePrivilege	5104	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	5104	YandexPackSetup.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeRestorePrivilege	3024	msiexec.exe
Token: SeTakeOwnershipPrivilege	3024	msiexec.exe
Token: SeShutdownPrivilege	5132	browser.exe
Token: SeCreatePagefilePrivilege	5132	browser.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
7404	explorer.exe
7200	explorer.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe
5132	browser.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5520	javaw.exe
5520	javaw.exe
5132	browser.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 696	504	KLSetup.exe	72
PID 504 wrote to memory of 696	504	KLSetup.exe	72
PID 504 wrote to memory of 696	504	KLSetup.exe	72
PID 696 wrote to memory of 5104	696	yadl.exe	74
PID 696 wrote to memory of 5104	696	yadl.exe	74
PID 696 wrote to memory of 5104	696	yadl.exe	74
PID 696 wrote to memory of 4720	696	yadl.exe	75
PID 696 wrote to memory of 4720	696	yadl.exe	75
PID 696 wrote to memory of 4720	696	yadl.exe	75
PID 3024 wrote to memory of 4560	3024	msiexec.exe	78
PID 3024 wrote to memory of 4560	3024	msiexec.exe	78
PID 3024 wrote to memory of 4560	3024	msiexec.exe	78
PID 4560 wrote to memory of 784	4560	MsiExec.exe	79
PID 4560 wrote to memory of 784	4560	MsiExec.exe	79
PID 4560 wrote to memory of 784	4560	MsiExec.exe	79
PID 4560 wrote to memory of 3620	4560	MsiExec.exe	81
PID 4560 wrote to memory of 3620	4560	MsiExec.exe	81
PID 4560 wrote to memory of 3620	4560	MsiExec.exe	81
PID 504 wrote to memory of 3228	504	KLSetup.exe	82
PID 504 wrote to memory of 3228	504	KLSetup.exe	82
PID 504 wrote to memory of 3228	504	KLSetup.exe	82
PID 3228 wrote to memory of 3568	3228	KLauncher.exe	83
PID 3228 wrote to memory of 3568	3228	KLauncher.exe	83
PID 3568 wrote to memory of 4072	3568	javaw.exe	84
PID 3568 wrote to memory of 4072	3568	javaw.exe	84
PID 3228 wrote to memory of 5520	3228	KLauncher.exe	86
PID 3228 wrote to memory of 5520	3228	KLauncher.exe	86
PID 5520 wrote to memory of 6584	5520	javaw.exe	91
PID 5520 wrote to memory of 6584	5520	javaw.exe	91
PID 3620 wrote to memory of 6680	3620	seederexe.exe	93
PID 3620 wrote to memory of 6680	3620	seederexe.exe	93
PID 3620 wrote to memory of 6680	3620	seederexe.exe	93
PID 6680 wrote to memory of 7404	6680	Yandex.exe	95
PID 6680 wrote to memory of 7404	6680	Yandex.exe	95
PID 6680 wrote to memory of 7404	6680	Yandex.exe	95
PID 3620 wrote to memory of 9092	3620	seederexe.exe	96
PID 3620 wrote to memory of 9092	3620	seederexe.exe	96
PID 3620 wrote to memory of 9092	3620	seederexe.exe	96
PID 9092 wrote to memory of 7200	9092	Yandex.exe	97
PID 9092 wrote to memory of 7200	9092	Yandex.exe	97
PID 9092 wrote to memory of 7200	9092	Yandex.exe	97
PID 3620 wrote to memory of 9288	3620	seederexe.exe	98
PID 3620 wrote to memory of 9288	3620	seederexe.exe	98
PID 3620 wrote to memory of 9288	3620	seederexe.exe	98
PID 10184 wrote to memory of 7500	10184	{1DF11A23-E910-4447-801A-E6D69EA06429}.exe	99
PID 10184 wrote to memory of 7500	10184	{1DF11A23-E910-4447-801A-E6D69EA06429}.exe	99
PID 10184 wrote to memory of 7500	10184	{1DF11A23-E910-4447-801A-E6D69EA06429}.exe	99
PID 7500 wrote to memory of 7052	7500	yb198E.tmp	100
PID 7500 wrote to memory of 7052	7500	yb198E.tmp	100
PID 7500 wrote to memory of 7052	7500	yb198E.tmp	100
PID 7052 wrote to memory of 7448	7052	setup.exe	101
PID 7052 wrote to memory of 7448	7052	setup.exe	101
PID 7052 wrote to memory of 7448	7052	setup.exe	101
PID 7448 wrote to memory of 8028	7448	setup.exe	102
PID 7448 wrote to memory of 8028	7448	setup.exe	102
PID 7448 wrote to memory of 8028	7448	setup.exe	102
PID 7448 wrote to memory of 7656	7448	setup.exe	103
PID 7448 wrote to memory of 7656	7448	setup.exe	103
PID 7448 wrote to memory of 7656	7448	setup.exe	103
PID 7656 wrote to memory of 7212	7656	service_update.exe	104
PID 7656 wrote to memory of 7212	7656	service_update.exe	104
PID 7656 wrote to memory of 7212	7656	service_update.exe	104
PID 9164 wrote to memory of 9192	9164	service_update.exe	106
PID 9164 wrote to memory of 9192	9164	service_update.exe	106

C:\Users\Admin\AppData\Local\Temp\KLSetup.exe
"C:\Users\Admin\AppData\Local\Temp\KLSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\yadl.exe
  "C:\Users\Admin\AppData\Local\Temp\yadl.exe" --partner 418804 --distr /quiet /msicl "YABROWSER=y YAQSEARCH=y YAHOMEPAGE=y VID=354"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAQSEARCH=y YAHOMEPAGE=y VID=354"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\yadl.exe
    C:\Users\Admin\AppData\Local\Temp\yadl.exe --stat dwnldr/p=418804/cnt=0/dt=10/ct=1/rt=0 --dh 2156 --st 1714461033
    3⤵
    - Executes dropped EXE
    PID:4720
- C:\Users\Admin\AppData\Roaming\.minecraft\KLauncher.exe
  "C:\Users\Admin\AppData\Roaming\.minecraft\KLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe" -version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:4072
- - C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe" -XX:+UseG1GC -Dfile.encoding=UTF-8 -jar "C:\Users\Admin\AppData\Roaming\.minecraft\KLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5520
  - - C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\java.exe
      java.exe -version
      4⤵
      Executes dropped EXE
      PID:6584

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A4F1EAF3DB359A83A9230CBF90F3A9AD
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\CD2EEFB9-3EF6-4549-9249-72F82AA33436\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\CD2EEFB9-3EF6-4549-9249-72F82AA33436\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:784
- - C:\Users\Admin\AppData\Local\Temp\914AA60F-F3E5-4911-BF3F-97FB5F425447\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\914AA60F-F3E5-4911-BF3F-97FB5F425447\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\D20B689F-7FAD-4714-A5CF-CFD2DA555F72\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:6680
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:7404
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:9092
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /website-path="C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar\Яндекс Маркет.website" /icon-path="C:\Users\Admin\AppData\Local\MICROS~1\INTERN~1\Services\MARKET~1.ICO" /site-id="2AE68B04.8A85F169" /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\2AE68B04.8A85F169\Яндекс Маркет.lnk" --is-pinning
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:7200
  - - C:\Users\Admin\AppData\Local\Temp\D20B689F-7FAD-4714-A5CF-CFD2DA555F72\sender.exe
      C:\Users\Admin\AppData\Local\Temp\D20B689F-7FAD-4714-A5CF-CFD2DA555F72\sender.exe --send "/status.xml?clid=6035492-354&uuid=eedbd011-88eb-497d-bde8-8b726a8b881e&vnt=Windows 10x64&file-no=10%0A11%0A12%0A13%0A14%0A15%0A17%0A18%0A20%0A21%0A22%0A23%0A25%0A28%0A36%0A38%0A40%0A42%0A43%0A45%0A51%0A57%0A61%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:9288

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:1740

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 000000000008021C /startuptips
1⤵
- Checks SCSI registry key(s)
PID:1132

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:4872

C:\Users\Admin\AppData\Local\Temp\{1DF11A23-E910-4447-801A-E6D69EA06429}.exe
"C:\Users\Admin\AppData\Local\Temp\{1DF11A23-E910-4447-801A-E6D69EA06429}.exe" --job-name=yBrowserDownloader-{2E92F150-4998-4073-A576-91E56AEB16ED} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{1DF11A23-E910-4447-801A-E6D69EA06429}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=none&ui={eedbd011-88eb-497d-bde8-8b726a8b881e} --use-user-default-locale
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:10184
- C:\Users\Admin\AppData\Local\Temp\yb198E.tmp
  "C:\Users\Admin\AppData\Local\Temp\yb198E.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\c131f999-0b40-4061-9aa0-ec41aa878037.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=509712699 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{2E92F150-4998-4073-A576-91E56AEB16ED} --local-path="C:\Users\Admin\AppData\Local\Temp\{1DF11A23-E910-4447-801A-E6D69EA06429}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=none&ui={eedbd011-88eb-497d-bde8-8b726a8b881e} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\6b0b47df-e9e8-4f2c-a847-d3ca147e01bd.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:7500
- - C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\c131f999-0b40-4061-9aa0-ec41aa878037.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=509712699 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{2E92F150-4998-4073-A576-91E56AEB16ED} --local-path="C:\Users\Admin\AppData\Local\Temp\{1DF11A23-E910-4447-801A-E6D69EA06429}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=none&ui={eedbd011-88eb-497d-bde8-8b726a8b881e} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\6b0b47df-e9e8-4f2c-a847-d3ca147e01bd.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\c131f999-0b40-4061-9aa0-ec41aa878037.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=509712699 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{2E92F150-4998-4073-A576-91E56AEB16ED} --local-path="C:\Users\Admin\AppData\Local\Temp\{1DF11A23-E910-4447-801A-E6D69EA06429}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=none&ui={eedbd011-88eb-497d-bde8-8b726a8b881e} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\6b0b47df-e9e8-4f2c-a847-d3ca147e01bd.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico" --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=547730157
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:7448
    - - C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\YB_E44E5.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=7448 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.4.1.929 --initial-client-data=0x304,0x308,0x30c,0x2e4,0x310,0x131cce4,0x131ccf0,0x131ccfc
        5⤵
        Executes dropped EXE
        
        PID:8028
    - - C:\Windows\TEMP\sdwra_7448_465100451\service_update.exe
        
        "C:\Windows\TEMP\sdwra_7448_465100451\service_update.exe" --setup
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:7656
      - C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe
        
        "C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe" --install
        6⤵
        Executes dropped EXE
        
        PID:7212
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
        
        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
        5⤵
        Executes dropped EXE
        
        PID:9836
    - - C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
        
        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source7448_1355420778\Browser-bin\clids_yandex_second.xml"
        5⤵
        Executes dropped EXE
        
        PID:3588

C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe" --run-as-service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:9164
- C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe
  "C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=9164 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.4.1.929 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0xb93578,0xb93584,0xb93590
  2⤵
  - Executes dropped EXE
  PID:9192
- C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe
  "C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe" --update-scheduler
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:7072
- - C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe
    "C:\Program Files (x86)\Yandex\YandexBrowser\24.4.1.929\service_update.exe" --update-background-scheduler
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:9092

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=0 --install-start-time-no-uac=509712699
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5132
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=5132 --annotation=metrics_client_id=fbc202b013bf4e3787c500b777e2de45 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.4.1.929 --initial-client-data=0x154,0x158,0x15c,0x130,0x160,0x7219a86c,0x7219a878,0x7219a884
  2⤵
  - Executes dropped EXE
  PID:7116
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --gpu-process-kind=sandboxed --mojo-platform-channel-handle=2204 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --gpu-process-kind=trampoline --mojo-platform-channel-handle=2376 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Network Service" --mojo-platform-channel-handle=2296 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:3
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=service --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Storage Service" --mojo-platform-channel-handle=2896 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Audio Service" --mojo-platform-channel-handle=3180 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ru --service-sandbox-type=none --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Video Capture" --mojo-platform-channel-handle=3316 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5496
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3764 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:2
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5928
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --mojo-platform-channel-handle=3924 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:5888
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Импорт профилей" --mojo-platform-channel-handle=4624 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6528
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4648 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6276
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4436 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3940
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --mojo-platform-channel-handle=2560 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:6348
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --mojo-platform-channel-handle=4684 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  - Executes dropped EXE
  PID:7008
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --no-appcompat-clear --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4572 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6944
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --no-appcompat-clear --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2500 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:8464
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5684 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  PID:5372
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://brontp-pre.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5640 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version /prefetch:1
  2⤵
  PID:8848
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Утилиты Windows" --mojo-platform-channel-handle=5888 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  PID:7504
- C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=ru --service-sandbox-type=none --user-id=eedbd011-88eb-497d-bde8-8b726a8b881e --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Утилиты Windows" --mojo-platform-channel-handle=3872 --field-trial-handle=2208,i,15924462636376564069,14328033345116298779,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --brver=24.4.1.929 /prefetch:8
  2⤵
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery