3f3ed380c397b0219044c5a5d034a57de303fef33c5690f404d078764f0379a7

Analysis

max time kernel
59s
max time network
90s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-06-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PUABundler;Win32.YandexBundled.exe
Size

21.9MB
MD5

eb097da8c02518caa32dc73e9d25f8ed
SHA1

75b3dd063526967a1d7b1c3d49da2405bf81cb01
SHA256

547e600f946a8aea9386a3e24e01aa9ff179ba172cbf2e753b36e15856263f6d
SHA512

36407173d3ce17de864de1c7a0b6d34d9c2e521a8b5c5aacae12759fa0202273de5e4e7b87f8d91d192350e1f94438cf79f6444ca01c40799584fc30861624d7
SSDEEP

393216:v7W/rMOomNrtrt4NINdh5z5MXzlYbNSNZBdAVaRtedFq7N/EN2otPYfTy1P6eyQg:+n/Nh7B2R0yZahyyMIFpc

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4360	PUABundler;Win32.YandexBundled.tmp
2688	hitmanpro.exe
3968	downloader.exe
2868	YandexPackSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e58a999.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a999.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	downloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	downloader.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
2688	hitmanpro.exe
2688	hitmanpro.exe
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
4360	PUABundler;Win32.YandexBundled.tmp
2868	YandexPackSetup.exe
2868	YandexPackSetup.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	2868	YandexPackSetup.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeCreateTokenPrivilege	2868	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2868	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	2868	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	2868	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	2868	YandexPackSetup.exe
Token: SeTcbPrivilege	2868	YandexPackSetup.exe
Token: SeSecurityPrivilege	2868	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	2868	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	2868	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	2868	YandexPackSetup.exe
Token: SeSystemtimePrivilege	2868	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	2868	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	2868	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	2868	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	2868	YandexPackSetup.exe
Token: SeBackupPrivilege	2868	YandexPackSetup.exe
Token: SeRestorePrivilege	2868	YandexPackSetup.exe
Token: SeShutdownPrivilege	2868	YandexPackSetup.exe
Token: SeDebugPrivilege	2868	YandexPackSetup.exe
Token: SeAuditPrivilege	2868	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	2868	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	2868	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	2868	YandexPackSetup.exe
Token: SeUndockPrivilege	2868	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	2868	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	2868	YandexPackSetup.exe
Token: SeManageVolumePrivilege	2868	YandexPackSetup.exe
Token: SeImpersonatePrivilege	2868	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	2868	YandexPackSetup.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4360	PUABundler;Win32.YandexBundled.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 4360	320	PUABundler;Win32.YandexBundled.exe	73
PID 320 wrote to memory of 4360	320	PUABundler;Win32.YandexBundled.exe	73
PID 320 wrote to memory of 4360	320	PUABundler;Win32.YandexBundled.exe	73
PID 4360 wrote to memory of 2688	4360	PUABundler;Win32.YandexBundled.tmp	74
PID 4360 wrote to memory of 2688	4360	PUABundler;Win32.YandexBundled.tmp	74
PID 4360 wrote to memory of 2688	4360	PUABundler;Win32.YandexBundled.tmp	74
PID 4360 wrote to memory of 3968	4360	PUABundler;Win32.YandexBundled.tmp	75
PID 4360 wrote to memory of 3968	4360	PUABundler;Win32.YandexBundled.tmp	75
PID 4360 wrote to memory of 3968	4360	PUABundler;Win32.YandexBundled.tmp	75
PID 3968 wrote to memory of 2868	3968	downloader.exe	76
PID 3968 wrote to memory of 2868	3968	downloader.exe	76
PID 3968 wrote to memory of 2868	3968	downloader.exe	76

C:\Users\Admin\AppData\Local\Temp\PUABundler;Win32.YandexBundled.exe
"C:\Users\Admin\AppData\Local\Temp\PUABundler;Win32.YandexBundled.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\is-3102S.tmp\PUABundler;Win32.YandexBundled.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3102S.tmp\PUABundler;Win32.YandexBundled.tmp" /SL5="$901FC,22025264,175104,C:\Users\Admin\AppData\Local\Temp\PUABundler;Win32.YandexBundled.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\K3YnOuuSBX3sKYNOKy\hitmanpro.exe
    "C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\K3YnOuuSBX3sKYNOKy\hitmanpro.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\kQ4NdFnq7TCfM6\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\kQ4NdFnq7TCfM6\downloader.exe" --sync --partner 26983 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y VID=14"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y VID=14"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\kQ4NdFnq7TCfM6\downloader.exe
      C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\kQ4NdFnq7TCfM6\downloader.exe --stat dwnldr/p=26983/rid=79a6b224-d863-4dc9-9321-aac98ad64095/sbr=0-0/hrc=200-200/bd=267-10640064/gtpr=1-1-1-255-1/cdr=0-b7-b7-ff-b7/for=3-0/fole=255-0/fwle=255-0/vr=ff-0/vle=ff-0/hovr=ff-ff/hovle=ff-ff/shle=ff-0/vmajor=10/vminor=0/vbuild=15063/distr_type=landing/cnt=0/dt=3/ct=1/rt=6
      4⤵
      PID:4820
- - C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\SswDa\OperaSetup_xdDBbrDAEN.exe
    "C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\SswDa\OperaSetup_xdDBbrDAEN.exe" --silent --allusers=0
    3⤵
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe --silent --allusers=0 --server-tracking-blob=NDY1Y2M1YTU3M2E1MDM4NWZiOTdjODA4M2YyNDViNjY1MGRiY2M4MzJkNzZhM2I4YjliOTY5NGJiMGFiOWQyZTp7ImNvdW50cnkiOiJGSSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL2tlZXBicm93c2VyLnJ1L3ByL0FGS3FKdU45Nm4vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZT91dG1fbWVkaXVtPXBiJnV0bV9zb3VyY2U9Z3B3JnV0bV9jYW1wYWlnbj1BRktxSnVOOTZuIiwidGltZXN0YW1wIjoiMTcxNzgwMDE0OS4yODk1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwNS4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiQUZLcUp1Tjk2biIsIm1lZGl1bSI6InBiIiwic291cmNlIjoiZ3B3In0sInV1aWQiOiIyZjE1ZmM3YS0zMmUwLTQ4YTUtYTY3Yy00OWU1MDlmODM4MmEifQ==
      4⤵
      PID:5844
    - - C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x304,0x308,0x30c,0x2e0,0x310,0x7078f308,0x7078f314,0x7078f320
        5⤵
        
        PID:5964
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        5⤵
        
        PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5844 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240607224237" --session-guid=f3911302-c2b7-48a4-8e4a-ac50a82c8444 --server-tracking-blob="MDZmZGQ1NGI0NzgzN2Y0M2Q2NTgxOWVmYzFlOGRhODI2NjQ1OTI2ZjYwNjA2ODU4MmI1NjA5ZmMzMGM1MzdiODp7ImNvdW50cnkiOiJGSSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL2tlZXBicm93c2VyLnJ1L3ByL0FGS3FKdU45Nm4vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZT91dG1fbWVkaXVtPXBiJnV0bV9zb3VyY2U9Z3B3JnV0bV9jYW1wYWlnbj1BRktxSnVOOTZuIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE3ODAwMTQ5LjI4OTUiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTA1LjAuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJBRktxSnVOOTZuIiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJncHcifSwidXVpZCI6IjJmMTVmYzdhLTMyZTAtNDhhNS1hNjdjLTQ5ZTUwOWY4MzgyYSJ9 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2005000000000000
        5⤵
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x2f8,0x2fc,0x300,0x2d4,0x310,0x6fdef308,0x6fdef314,0x6fdef320
        6⤵
        
        PID:7892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4216
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8D3EF05DA7348D8D154FCE68BA660DBD
  2⤵
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\F4FC1DAA-58FC-4039-8A62-D705F5DCB298\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F4FC1DAA-58FC-4039-8A62-D705F5DCB298\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    PID:2264
- - C:\Users\Admin\AppData\Local\Temp\9F69DD85-7D62-4934-B645-91FDC40C786C\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\9F69DD85-7D62-4934-B645-91FDC40C786C\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\CA09CE84-08DF-4E11-AB4E-DAD0F3BE47E0\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      PID:5520
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
        5⤵
        
        PID:7160
  - - C:\Users\Admin\AppData\Local\Temp\CA09CE84-08DF-4E11-AB4E-DAD0F3BE47E0\sender.exe
      C:\Users\Admin\AppData\Local\Temp\CA09CE84-08DF-4E11-AB4E-DAD0F3BE47E0\sender.exe --send "/status.xml?clid=2413737-14&uuid=cf2dc8d0-a94e-4402-9abb-f1092b13038b&vnt=Windows 10x64&file-no=10%0A11%0A12%0A13%0A14%0A15%0A17%0A18%0A20%0A21%0A22%0A23%0A25%0A28%0A36%0A40%0A42%0A43%0A45%0A54%0A57%0A61%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"
      4⤵
      PID:7036

C:\Users\Admin\AppData\Local\Temp\{1D676BE1-7DB3-49EF-ACC2-B20A558FFCC0}.exe
"C:\Users\Admin\AppData\Local\Temp\{1D676BE1-7DB3-49EF-ACC2-B20A558FFCC0}.exe" --job-name=yBrowserDownloader-{CD5E50A0-7D05-4866-9C2D-50D15747B408} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{1D676BE1-7DB3-49EF-ACC2-B20A558FFCC0}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2413732-14&ui={cf2dc8d0-a94e-4402-9abb-f1092b13038b} --use-user-default-locale
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a99c.rbs

Filesize
916B

MD5
5bbae418e7535ca1f430cd832368ac63

SHA1
39dd82f3a3b5d8b2e2a5fecaf0f7b41a0c21b162

SHA256
f939f7f2794783124c9d8349b3a4e70bae4ba0aadf387bbf8cfee2233a60085b

SHA512
54bf30ce47a81f251abb9e9bb7f5c7355002a642f9a09ab6690c223c34134b420ab63857bbb2c72459a90cb6d9f154147e3428004a951d09d61d880f7ae6fb1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
1KB

MD5
fe18c1402b50e08359f8b8b9633cc48f

SHA1
0be151e84227177dd568f776f534c24b33320bc1

SHA256
14b6894d9ac117b298eb58f8a7b4a0af588d529b6df2e54a81cf5b618b7e034d

SHA512
8905efdb2cdb273fe164f8991d783b370e93377c766016b451e30f97dc1b870d49845539b27f61bac10a3beefd038614b43669a296eaa8523f2409bc8ab51d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
466ced0c4391616517f3924005913fe6

SHA1
1de4100cb021387655d2d40c52be5372f55b9908

SHA256
e536a2ab5852e639e11107a400e4577c8bfa0ee1b49d81192efd1961ee8e14ea

SHA512
dd0266bc9992453e3b720f8548d6732c5bfe20d25fa054a3b2166a6dea9dc3839b9cb831eaed07980bae7da812ae6e93f5943cbc6d2fcd66c070b51669ddc503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
536B

MD5
95415367b7d45d281ad25c9f54690171

SHA1
ebad271e210f6484b158599faa9291c342f275ff

SHA256
3ec5e4689071e035470e38d574e7b0f9ed98eeed139b057b131464722f4c1d92

SHA512
bce6e8f256e5278b0eb1473f19a00d040b7f752d9f6670343b96f81216aa90ea1cbf19ec1e971a7139ae45f412dc3af2e7e9fa9dea3bbc27c26b6177883613b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
ac2e9ff0dbb16c2dae9d01ab0642b0ab

SHA1
46a869d5d33ae230b87282ce04cf3a1c4b1b581e

SHA256
0b9a6de7df7b46c516eff4ba9969cb7c1bd133e959203ba4823efa27fb971c4c

SHA512
56975e9654a950611e3b08ebd94bd1b8c8d08cba1087e565e1e73fcc7f5d4920c6fb8d09eae6f683268acf2e34d2ba9bb1007f74740e4cc811dd40970ace83d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\www.ya.ru.ico

Filesize
5KB

MD5
a6f6261de61d910e0b828040414cee02

SHA1
d9df5043d0405b3f5ddaacb74db36623dd3969dc

SHA256
6bb91f1d74389b18bce6e71772e4c5573648c1a4823338193f700afdf8216be5

SHA512
20cb7b646c160c942e379c6e7a1a8981a09f520361c0205052c1d66e2fdb76333ffaaf0ca1dfc779754f0e844b9946900fbd5690d01869e1607abc1fda6dffab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\thumbnails\d6c80a7a62f02edd126868586819425b

Filesize
15KB

MD5
af80a936c10e18de168538a0722d6319

SHA1
9b1c84a1cf7330a698c89b9d7f33b17b4ba35536

SHA256
2435c0376fca765b21d43e897f4baa52daa0958a7015d04103488c606c99d1d3

SHA512
9a1325c8ce05806e5c161a4cf47239f62baad8f79650fbd713e74928fce8171ced10ba7f24fac46c548e1dbf3f64106270cb25ca88c836c870107f5dc1f97879

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

Filesize
10.1MB

MD5
1b2ec29408245114da00769d9aa821af

SHA1
216896b4749250a7c3cb09322b40f7aecc9649f1

SHA256
e103d79e4951dee6ec3069a3017b2214c790f9b1301a2c1464622077a95e86b2

SHA512
e671adef6a471db8a4901bcb43e5eb75d427787d6450a828aee751e6fb63203a32f913bf4739352829891aec337306f23e04fcb2b41f363a344309d0033e7e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82C3ED88\setup.exe

Filesize
5.2MB

MD5
b0850e9c32b789196a6c8682e3410122

SHA1
a420cf36e183fd3dd9960acc5805b5e6f2b3b732

SHA256
a78f5891edeb5de4ed9a7f3221518a216938ea5eaaef8a50a258a65fb5aecd2f

SHA512
636f4cf68c7ff2ba773b61cf17b58d028621c982f6634ad16534e8b3f6c80dd91c93a9579405798111710e1d3fb46a584ae41ac193d592365b20a57ecc35992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F69DD85-7D62-4934-B645-91FDC40C786C\seederexe.exe

Filesize
8.6MB

MD5
225ba20fa3edd13c9c72f600ff90e6cb

SHA1
5f1a9baa85c2afe29619e7cc848036d9174701e4

SHA256
35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797

SHA512
97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4FC1DAA-58FC-4039-8A62-D705F5DCB298\lite_installer.exe

Filesize
419KB

MD5
aafdfaa7a989ddb216510fc9ae5b877f

SHA1
41cf94692968a7d511b6051b7fe2b15c784770cb

SHA256
688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc

SHA512
6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrpYGF74DrEm.ini

Filesize
55B

MD5
347112ab9d92bfd16f24c19d75327f12

SHA1
260d41ba1c7dc21811dfd81fa2920f507984b9fe

SHA256
42332183a4ce5794debfd05500d060343ed097375420d3b51efa31e8139283ef

SHA512
6735952f2d5775c29d6f5300f8c7208ade55612d56930b3c6978dedf57c40e233b1993a1195669d4616cd7c27f499981233f8c6de48b4ef7ad9fd566887e6069

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
1KB

MD5
c1ba8e6f9ae80940172f79580b054789

SHA1
0e36e77285ef35e9f64cbf0045791fd061a60e77

SHA256
438e3612a2744b5cee04e90e84799ff7f5afbe3178f0efe1ec279bffb7ff53e5

SHA512
1622d3f78db25efa74b069d46c6ce05697210c3468e96fb1e72e6585b6d443b55432a6c3552d0fedd96aa7d6c7568ac6838d7356baf45028dae9c842ba265d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
692B

MD5
3e83f361a771d46680d2b390ff28c292

SHA1
1e6263cd9fdda80b1b6098e359585d8570afe36b

SHA256
f1cc027a2a2c2c18fbb4113d39e867b08f4422fd083c4de02f7b1b54dd90570c

SHA512
0f82efd1f75339eb60a28db7a2237441b83ccc7f03b8779285ec28644f0909bec1c75669dff189d6b31d63cd1eb51f0ce95f3a50acb4dc4ce818fe95c745032b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\J0MJ8PeLy6C\Background_100.png

Filesize
57KB

MD5
492b73c9cda482f4528559b50ffa2263

SHA1
ed9962e4e5b38f8b14d7a87c90be9b50f80adca9

SHA256
087f71ccb844c086ca60580ff07a81ac6e7e1034d6c5011e036fcdeabdcb8a6e

SHA512
a75529f9c4cf6e0610d557faf90bf8fce8ccf679d602f35330c1a79e1d814c38d7597db74bf383ca8e41d8c5a84ec5cbdd13c3d9dd5cac353f4fe04ca3356b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\J0MJ8PeLy6C\Background_125.png

Filesize
82KB

MD5
2fa4ac66fb7e6686ea292dc12ebf40d1

SHA1
a78fbba72c74085f4cf10138f933eb4c7425d5be

SHA256
4510bb05768b4e3dae4a28af8b8da89487e4e45e16f7bd58ff136b79873f6c20

SHA512
d933c79310cfe0f8eeb92a257068e672f1535f0bdc452783ab670cda1aa11f1603eadecc90bd06232d87a289e3b3ea66257f0949b5359ddc3726abb995bec58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\J0MJ8PeLy6C\Background_150.png

Filesize
102KB

MD5
190f1abe88857f402ca203c4995342f2

SHA1
aca8bf75ed8bce4469b653833a674ed2fb437145

SHA256
97c0e39dfa425be1fcc3762a9758c4598b6da9ed038a0d72d2f27ccfe45ebc43

SHA512
ef4a3a40e5c555f806088eb629902cbfdb3adc44e8955422832d3be5270f17bfa8618d3ffd7d58de8ace10bb5961927710a1dbb1c0d0d07f19312450ddd9a268

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\J0MJ8PeLy6C\Background_175.png

Filesize
122KB

MD5
9637b76d9e077c385a0a9c91807c01d4

SHA1
3c2ad50e05c6385bfb85e11aa7c925dbda906af7

SHA256
98ea08beec8e8c7f97b9cf713796c70db877b5c1347fedf7384e0d96c65f5a8b

SHA512
c4fe4b6606be7fcffcf22e7fd0ddbaf7c6be6d9978a7695b90b35e822ce476be33fed46f7d8f9198f91e58a4780c843e3f9407ffd8ce4472412763552b9cf2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\J0MJ8PeLy6C\Background_200.png

Filesize
58KB

MD5
5e09cd379378c9b7279a5d346bcf0dd7

SHA1
72176562de231f8c63eef5e80eae045d0c2d4236

SHA256
8f8771601518f64facc88566a0414946ba7cf6b195b4cd3e0b8d600b380a83f3

SHA512
89402fddc11608e18e60dcbd084a7fbcc78a23bbd08bdfe39d30c68e9fddc3b76a27371926f3e2b9bdd9c161bb663ff8b271c9920c59715d36c33656f606aecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\J0MJ8PeLy6C\Checkboxes_100.png

Filesize
2KB

MD5
bd1ed4527fac3a8f592070d4b74737e8

SHA1
322f893670ac3784090b89e97bd6fbd13afb5538

SHA256
9cd4f84f874a5f40a448e3b0fd62d8a6684d407d29d718157258a23ca4ce66e2

SHA512
ce7ef5c9ed73a2fccf4ddc0d32061e6f449a2e2810e6a39bb2e8c53d596a3403d0003a89d6f9410b16841b1c547aba4491899eb4ff3120e1a12a4367716c12ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\K3YnOuuSBX3sKYNOKy\hitmanpro.exe

Filesize
10.5MB

MD5
48bd71ad990ac3d326a4894166d6d0d6

SHA1
c83d55f64596b008b620481dc202ca09e87f5aa7

SHA256
8480c5c816e96037bc2cfdea6e2d4a647f9f8bee5b5fec9b58b1b7def412c729

SHA512
236d98659369b7b7d8d13bf67e1853feb9dbc8b7350515f2adef27eb36a8ff4fef0167f8fe5f4c67d75a607bf9799fd27a467f87ddcf71232e5a46c962c49ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\SswDa\Logo.png

Filesize
15KB

MD5
ffc376bd1c694155c7e078447426a7c2

SHA1
cd03a96217a86a7ddffc66d8806b7cd006289d85

SHA256
06d80a2fdaa5d85ab8a15dbc00147f8294bee5b2076969be7cb0e94a227c20be

SHA512
c9f3fecceb16afe3a4b340f86bb7e87de93135cdf509e910f5565e58bb9ee4d1b79ecbdaa23c609205c1d39f0cb5a38a14e4a6f05c356ff5236c2df9e0c444cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\SswDa\OperaSetup_xdDBbrDAEN.exe

Filesize
2.0MB

MD5
ff2a51a63a17603815b41f48b0932fe8

SHA1
8b00700fcf4e46834082f0f3382b3b6718f13b16

SHA256
6076d16a466507e97ebfc4ba0544165b0f00e4e309bc823e5663829cc01327c9

SHA512
5c74c0083a37a7a689169b4488712d2d22c8daf62609192ab03c758144aa2b479ddccf7f1f84c3dfe90f2a0fe7d9856874db7b9ec509792755ac6631e92af3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\is-HCD11.ini

Filesize
6KB

MD5
3c40110fc02fb170d7b9d8f060a25744

SHA1
7e6ec81e8a1ae19c42ac3b232889169b5c60f8c6

SHA256
e43bb1cbab95b46a5f2caad6d7582a89d23f55f8bfa67f45965e63b3d9991de1

SHA512
c3a119fe08e0bff57bad6778315ece8c59e503c508f5548f5e05569e075eb6d6340f096e625f17cbdc6701f9d39cbfae0d5c822c7e352fb9071a8b0bb0fb9896

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\kQ4NdFnq7TCfM6\Logo.png

Filesize
9KB

MD5
f6d369ca0401028a9d6400fa33b6569a

SHA1
7d4d5220a8e82f8cdf62cb5bf8ae4553f88c1559

SHA256
625112b42752867093ef31a9d556b3a3b1954e67b4c8e3ee2caf8c0bb92013a1

SHA512
b5c3bd04d99c2c429ff83a5298c8a7109e4006540abf28f4ed05525bb108d91f8f3a79c8c362b26ca42b46c237f690b72755c3c87e5962b941080908a23e005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\kQ4NdFnq7TCfM6\downloader.exe

Filesize
726KB

MD5
2b0d2f77d8abade07a3dd9a8152ad111

SHA1
e7c0ad498f361e3c2d5a0ffa225ee112ed3c5bdb

SHA256
85ddc30b6b53ebe529688528e74bcfd74df0b93ea29ee1693d7d9aeec4d48776

SHA512
d48a3b9d9d3f83f1b0498103ee1f78467dc84254c762227081ba3218bd2212c1e3c29d2d94737101d55f5793f3d7dca8bdedc7d527cdb701733a6cbc74c938fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\o1X2kSHgNDV_wIHQ\GroupLogo.png

Filesize
48KB

MD5
920c4150cc42cc8fa965f0d6b9af31ae

SHA1
9d327cb2cbe2e4b81c178c5379252f7a7e7f385a

SHA256
1a337bd09186900ce1e65627a2d5cc96d45198227d2925a56e0d8036879b1f90

SHA512
be439d64a673071dd1a793389656bccf730341d9055f4f66b8cd944ac7875f0b528a04836f7ba59403b4257d439cf1de46c879b1368700ef5d62e02061ef6eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3102S.tmp\PUABundler;Win32.YandexBundled.tmp

Filesize
1.2MB

MD5
909560b6836c74692cd921b7fc5ddeb3

SHA1
3efd29c6984a92668d8ef05a30f505728e461e2b

SHA256
8622a3854fe3234c9564ebdfbaf1751f39ba54b4bae324e3cc5f12511e86e894

SHA512
e6d484d79c503aa4e12bda8e65786be917e6d4ea4d7b807bca5e939c4d2faafc70d70d170b30cdfdb69cea8b3967405bf4ab08e19fb4299256bb39304d2aefcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
11KB

MD5
7b37b09d9cbd3194afef41bae3ff401a

SHA1
2218deae71823667e1dfa761d33aa4dd32030d37

SHA256
8b11b8b5fb4b2efb8d7da3e1cc5aa6d8ba9182f31e979d744663f1fdf192191b

SHA512
a2256be3eba46c7d56e16eeb4448555467e8edfbffd31d06acbb3f6864ded17b3c44aa7ef73ff15c8c4df65d95e0ab6dcc979b5ec324244a7861bd8d8514aeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20244207.zip

Filesize
41.3MB

MD5
1d6cfd7db58008d1b44328c5a3a4220c

SHA1
8e8304bfd7a73b9ae8415b6cbd273e612868a2b2

SHA256
915e46dcc29d6fee123c4b8e88d846ac95ffd4a6f4eb956dc882d305ee1b8256

SHA512
4c17160aa83abeff897462f981226902dd6694817ad95f246511fc63c637bdffa0989a3db00c4309fa673a13b4993c509df538ddad482d1be8b4058749ee93f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
509B

MD5
504bfe9121fbae34dbfdf5fd740cbf70

SHA1
d0c9bc8ea497eeef4657a3c58e53b336fc18d2d8

SHA256
22ccf6d8a73d8b67348165d3403d7f1987322e0f91c504c51ed314412ebfc1c3

SHA512
dc5056f21e78e3d0819683d6bce47cb006ed5cac2da3be5b238fbc3b36ce651c4e0c1d1ddfd25d502cca3ba3e0565bf1d64248f2d403a60363409d86ce59607a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1D676BE1-7DB3-49EF-ACC2-B20A558FFCC0}.exe

Filesize
10.4MB

MD5
d454cfd8343eed174988c952e9828f4d

SHA1
dea2383c9dc9071ac88052a5cda7ee4ea7c9377c

SHA256
87719630422cf17f1c538afe530bd87b253be6086a620035f53144e024e464fd

SHA512
cc1dddfb37b4e0f6a2bf62b60c32494ee73c781c99cdcbaac03278f8d1f1bd9d474c134b393b499c588669311b390515a375a2d4da29970632cf8280b00833b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
9.8MB

MD5
32bf2aeb949828b5b228353174287879

SHA1
7186dc7afd5afa994ffb8e2008cc7729b2aa03a7

SHA256
69e608700f74ded9d68badda096ebce8f524c0919f4268cf5273eaab09e5c1b7

SHA512
b39d63f620ed1f2244c2a1749f1a9ac09de513e9ea030c9ae4854c0543e9e1a9fc4fab98631c377306aca40ba91cce0299d53cc65f79020617b7555dc28cbe67

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe

Filesize
397KB

MD5
95828ee007d3586792d53ace50b2357e

SHA1
3501ccad7573fd467911f207155318db3a1a1554

SHA256
8c4be5f1bc4e2f73d4396af48a31bf10362006472e9b28f40aa91f73a3815f12

SHA512
9896eccb178fd772fc92e5793340bdbc1bd6169465d9a739df06c1154edbce16f6db5dd50df426ccbc40d8410d4ef170c3fb0bc700e7778149ff2168409638e7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

Filesize
2KB

MD5
1302c4ddb0e1909ea32bf28347fd0a19

SHA1
988643980b9e9c114ce418b34ec310e935629aac

SHA256
b0622466d2fb35c9b174c3e38c3c0d52881821967095ae82fe409a5a437a8c37

SHA512
f4d860cd6812da4d34f81ae245180057e726ec37e3713d0e91bdce10af137bdf16cf8fc9a409f3783630326e4d10384316d60eaee8b9c030eabc9dfea6e42100

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Яндекс.website

Filesize
514B

MD5
b8719f11e188c37e6ad64a869d605725

SHA1
e3bf131ed39ad9663d47a494222a0c880007f8a2

SHA256
8f455046d561f5460d1d3e8bf0db27bdb0c6c0a5f213e2ded5ba19238d20f838

SHA512
620c8a35307a3e16c1b0b0ff8de9ab66ae3dd6733dfc3be2e72bdc91f538932244ca5a345287755f6820547592401a4483e178c1742fba521f9f86fdf360cf3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hd9umw3.Admin\places.sqlite-20240607224233.921980.backup

Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240607224239.093848.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
f46311efe68f77a7e559fc1766969be1

SHA1
665bb7911f981e10eb631b8270e72c763ef24e94

SHA256
e79836f577db35141b8f3a47aa3a0be187a310c06060601781f482dff180e5b0

SHA512
0418141edcb352d80f6ad2857ed3c8593eb0cd9642313bf50d3b780eb835993afbe037ec014c9ec8da329acad94e59467537473df98b49a13971573600ad3941

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences

Filesize
317B

MD5
c33c6a041771e129f1361d97922075a1

SHA1
6b6126f445ec26c14c379095f15178e419bd49b4

SHA256
fcbd7ce19e717bac99061ee29abc64a4377576e7ccc67f6aa230a6e483fdaf28

SHA512
b692398667b2831046b8ff90ef6769fa73e0717870e260acb8d97c42e7ad48bc48a3076d856ea2242a5c5aad6923b11a6cc40f0e910d2252b800b63f8833997f

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\clids-yabrowser.xml

Filesize
675B

MD5
e94ea6f20e1970d797907339b5d8c60c

SHA1
d6e3dcbd27e1946b46804d5142ce3e19576eec66

SHA256
d1800551f0663174e7d190ff11bf6f09cc967c26af26567dc84bd428e62d1dc4

SHA512
82b9daee23fd02230c9e6690ec260652e921004f356eb068288091b07cbab736ff69533cfafe0201dd786dd07c464010686e99b30b71dd1a1c6f795e20a3e267

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
9cfdeca5312227ece2045742e960044b

SHA1
340ab51b628021fd8040c416d4d61bc2c6c9207b

SHA256
1cb9667f85c64da5246ea999868e18b138aa9c81ed8cee987d7f3cba52943120

SHA512
5fba2a5a2db4de3eb9c7096353665ccf0f95d65d812c5f822134622d6a9de3fb4e201e3023e693bfaf7577a900fa28d5af3859fe3afb35cdb5036821104515ba

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2406072242354685844.dll

Filesize
4.7MB

MD5
2ada940614c61329829fb101f3dd100b

SHA1
4441a58c0726a26ba05dad9541413219d6ef6d84

SHA256
ad63ddb2395cc0661fdf61aee5d968c00c833fe9a0ea533a570c2f8b5dddae10

SHA512
d1987ec85374013afb76179cb222c6ffcf2888c8c201e79b3e353c17ac140a6f5200bdfdf2955fbed1f877f871dd08794dce69087cf965e8851ccd619dfbc05a

Download Submit
\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-1MJFL.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Windows\Installer\MSIAC29.tmp

Filesize
181KB

MD5
0c80a997d37d930e7317d6dac8bb7ae1

SHA1
018f13dfa43e103801a69a20b1fab0d609ace8a5

SHA256
a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

SHA512
fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

Download Submit
\Windows\Installer\MSIAD05.tmp

Filesize
189KB

MD5
e6fd0e66cf3bfd3cc04a05647c3c7c54

SHA1
6a1b7f1a45fb578de6492af7e2fede15c866739f

SHA256
669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

SHA512
fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

Download Submit
memory/320-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/848-10392-0x0000000004A70000-0x0000000004A72000-memory.dmp

Filesize
8KB

Download
memory/848-10688-0x0000000004B40000-0x0000000004B42000-memory.dmp

Filesize
8KB

Download
memory/848-10365-0x00000000037A0000-0x00000000037B0000-memory.dmp

Filesize
64KB

Download
memory/848-10691-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/848-10686-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/848-10411-0x0000000004B10000-0x0000000004B12000-memory.dmp

Filesize
8KB

Download
memory/848-10685-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/848-10398-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/848-10395-0x0000000004A60000-0x0000000004A62000-memory.dmp

Filesize
8KB

Download
memory/848-10390-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/848-10389-0x0000000004A70000-0x0000000004A72000-memory.dmp

Filesize
8KB

Download
memory/848-10371-0x00000000039E0000-0x00000000039F0000-memory.dmp

Filesize
64KB

Download
memory/848-10683-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/848-10682-0x0000000004B50000-0x0000000004B52000-memory.dmp

Filesize
8KB

Download
memory/4360-2166-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4360-2171-0x0000000005320000-0x000000000532F000-memory.dmp

Filesize
60KB

Download
memory/4360-2088-0x0000000005320000-0x000000000532F000-memory.dmp

Filesize
60KB

Download
memory/4360-6-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4360-2170-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4360-15-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4360-10765-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4360-2381-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download