3f3ed380c397b0219044c5a5d034a57de303fef33c5690f404d078764f0379a7

Analysis

max time kernel
55s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PUABundler;Win32.YandexBundled.exe
Size

21.9MB
MD5

eb097da8c02518caa32dc73e9d25f8ed
SHA1

75b3dd063526967a1d7b1c3d49da2405bf81cb01
SHA256

547e600f946a8aea9386a3e24e01aa9ff179ba172cbf2e753b36e15856263f6d
SHA512

36407173d3ce17de864de1c7a0b6d34d9c2e521a8b5c5aacae12759fa0202273de5e4e7b87f8d91d192350e1f94438cf79f6444ca01c40799584fc30861624d7
SSDEEP

393216:v7W/rMOomNrtrt4NINdh5z5MXzlYbNSNZBdAVaRtedFq7N/EN2otPYfTy1P6eyQg:+n/Nh7B2R0yZahyyMIFpc

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	downloader.exe

Executes dropped EXE 4 IoCs

pid	Process
5084	PUABundler;Win32.YandexBundled.tmp
1096	hitmanpro.exe
3112	downloader.exe
2456	YandexPackSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58bcc3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58bcc3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC416.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	downloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	downloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	downloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	downloader.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
1096	hitmanpro.exe
1096	hitmanpro.exe
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
5084	PUABundler;Win32.YandexBundled.tmp
2456	YandexPackSetup.exe
2456	YandexPackSetup.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2456	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	2456	YandexPackSetup.exe
Token: SeSecurityPrivilege	2620	msiexec.exe
Token: SeCreateTokenPrivilege	2456	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2456	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	2456	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	2456	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	2456	YandexPackSetup.exe
Token: SeTcbPrivilege	2456	YandexPackSetup.exe
Token: SeSecurityPrivilege	2456	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	2456	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	2456	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	2456	YandexPackSetup.exe
Token: SeSystemtimePrivilege	2456	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	2456	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	2456	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	2456	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	2456	YandexPackSetup.exe
Token: SeBackupPrivilege	2456	YandexPackSetup.exe
Token: SeRestorePrivilege	2456	YandexPackSetup.exe
Token: SeShutdownPrivilege	2456	YandexPackSetup.exe
Token: SeDebugPrivilege	2456	YandexPackSetup.exe
Token: SeAuditPrivilege	2456	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	2456	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	2456	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	2456	YandexPackSetup.exe
Token: SeUndockPrivilege	2456	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	2456	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	2456	YandexPackSetup.exe
Token: SeManageVolumePrivilege	2456	YandexPackSetup.exe
Token: SeImpersonatePrivilege	2456	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	2456	YandexPackSetup.exe
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5084	PUABundler;Win32.YandexBundled.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 5084	2388	PUABundler;Win32.YandexBundled.exe	89
PID 2388 wrote to memory of 5084	2388	PUABundler;Win32.YandexBundled.exe	89
PID 2388 wrote to memory of 5084	2388	PUABundler;Win32.YandexBundled.exe	89
PID 5084 wrote to memory of 1096	5084	PUABundler;Win32.YandexBundled.tmp	98
PID 5084 wrote to memory of 1096	5084	PUABundler;Win32.YandexBundled.tmp	98
PID 5084 wrote to memory of 1096	5084	PUABundler;Win32.YandexBundled.tmp	98
PID 5084 wrote to memory of 3112	5084	PUABundler;Win32.YandexBundled.tmp	99
PID 5084 wrote to memory of 3112	5084	PUABundler;Win32.YandexBundled.tmp	99
PID 5084 wrote to memory of 3112	5084	PUABundler;Win32.YandexBundled.tmp	99
PID 3112 wrote to memory of 2456	3112	downloader.exe	101
PID 3112 wrote to memory of 2456	3112	downloader.exe	101
PID 3112 wrote to memory of 2456	3112	downloader.exe	101
PID 2620 wrote to memory of 3184	2620	msiexec.exe	104
PID 2620 wrote to memory of 3184	2620	msiexec.exe	104
PID 2620 wrote to memory of 3184	2620	msiexec.exe	104

C:\Users\Admin\AppData\Local\Temp\PUABundler;Win32.YandexBundled.exe
"C:\Users\Admin\AppData\Local\Temp\PUABundler;Win32.YandexBundled.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\is-1KJCI.tmp\PUABundler;Win32.YandexBundled.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1KJCI.tmp\PUABundler;Win32.YandexBundled.tmp" /SL5="$601F0,22025264,175104,C:\Users\Admin\AppData\Local\Temp\PUABundler;Win32.YandexBundled.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\K3YnOuuSBX3sKYNOKy\hitmanpro.exe
    "C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\K3YnOuuSBX3sKYNOKy\hitmanpro.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.surfright.nl/downloads/#x64
      4⤵
      PID:4264
- - C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\kQ4NdFnq7TCfM6\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\kQ4NdFnq7TCfM6\downloader.exe" --sync --partner 26983 --distr /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y VID=14"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y VID=14"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\kQ4NdFnq7TCfM6\downloader.exe
      C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\kQ4NdFnq7TCfM6\downloader.exe --stat dwnldr/p=26983/rid=3e38f679-97b9-463b-b5a0-94f2cbd11f00/sbr=0-0/hrc=200-200/bd=267-10640064/gtpr=1-1-1-255-1/cdr=0-b7-b7-ff-b7/for=3-0/fole=255-0/fwle=255-0/vr=ff-0/vle=ff-0/hovr=ff-ff/hovle=ff-ff/shle=ff-0/vmajor=10/vminor=0/vbuild=19041/distr_type=landing/cnt=0/dt=2/ct=1/rt=10
      4⤵
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\SswDa\OperaSetup_xdDBbrDAEN.exe
    "C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\SswDa\OperaSetup_xdDBbrDAEN.exe" --silent --allusers=0
    3⤵
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe --silent --allusers=0 --server-tracking-blob=NDY1Y2M1YTU3M2E1MDM4NWZiOTdjODA4M2YyNDViNjY1MGRiY2M4MzJkNzZhM2I4YjliOTY5NGJiMGFiOWQyZTp7ImNvdW50cnkiOiJGSSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL2tlZXBicm93c2VyLnJ1L3ByL0FGS3FKdU45Nm4vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZT91dG1fbWVkaXVtPXBiJnV0bV9zb3VyY2U9Z3B3JnV0bV9jYW1wYWlnbj1BRktxSnVOOTZuIiwidGltZXN0YW1wIjoiMTcxNzgwMDE0OS4yODk1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEwNS4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoiQUZLcUp1Tjk2biIsIm1lZGl1bSI6InBiIiwic291cmNlIjoiZ3B3In0sInV1aWQiOiIyZjE1ZmM3YS0zMmUwLTQ4YTUtYTY3Yy00OWU1MDlmODM4MmEifQ==
      4⤵
      PID:212
    - - C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x320,0x324,0x328,0x31c,0x32c,0x7214f308,0x7214f314,0x7214f320
        5⤵
        
        PID:7056
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        5⤵
        
        PID:7020
    - - C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=212 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240607224233" --session-guid=8447ab03-f169-4d41-8263-cdabd157e28d --server-tracking-blob="MDZmZGQ1NGI0NzgzN2Y0M2Q2NTgxOWVmYzFlOGRhODI2NjQ1OTI2ZjYwNjA2ODU4MmI1NjA5ZmMzMGM1MzdiODp7ImNvdW50cnkiOiJGSSIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL2tlZXBicm93c2VyLnJ1L3ByL0FGS3FKdU45Nm4vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhIn0sInF1ZXJ5IjoiL29wZXJhL3N0YWJsZT91dG1fbWVkaXVtPXBiJnV0bV9zb3VyY2U9Z3B3JnV0bV9jYW1wYWlnbj1BRktxSnVOOTZuIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE3ODAwMTQ5LjI4OTUiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTA1LjAuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJBRktxSnVOOTZuIiwibWVkaXVtIjoicGIiLCJzb3VyY2UiOiJncHcifSwidXVpZCI6IjJmMTVmYzdhLTMyZTAtNDhhNS1hNjdjLTQ5ZTUwOWY4MzgyYSJ9 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0006000000000000
        5⤵
        
        PID:6800
      - C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.64 --initial-client-data=0x31c,0x32c,0x330,0x2f8,0x334,0x728df308,0x728df314,0x728df320
        6⤵
        
        PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3728 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B803D8BB0B2E8ACE3B5C0C43F8A701BD
  2⤵
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\29C06BBF-A9F6-4B2F-B91D-7EEF4D531A79\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\29C06BBF-A9F6-4B2F-B91D-7EEF4D531A79\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    PID:4084
- - C:\Users\Admin\AppData\Local\Temp\00CC096D-4DFE-4619-A365-2D5D264C38F6\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\00CC096D-4DFE-4619-A365-2D5D264C38F6\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\629F58DE-9010-4176-9EED-DC50A42A02FE\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    PID:3204
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
        5⤵
        
        PID:6064
  - - C:\Users\Admin\AppData\Local\Temp\629F58DE-9010-4176-9EED-DC50A42A02FE\sender.exe
      C:\Users\Admin\AppData\Local\Temp\629F58DE-9010-4176-9EED-DC50A42A02FE\sender.exe --send "/status.xml?clid=2413737-14&uuid=4a61ca2d-2c02-46e3-9353-e3083b02f7ec&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A43%0A45%0A57%0A61%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"
      4⤵
      PID:6392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4812 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4864 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5668 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5640 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:1
1⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\{C0C1C644-9C58-4592-AFEB-2E26805F3E99}.exe
"C:\Users\Admin\AppData\Local\Temp\{C0C1C644-9C58-4592-AFEB-2E26805F3E99}.exe" --job-name=yBrowserDownloader-{9E6A13AA-95E8-4F66-A1F3-C3BF41F8A196} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{C0C1C644-9C58-4592-AFEB-2E26805F3E99}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2413732-14&ui={4a61ca2d-2c02-46e3-9353-e3083b02f7ec} --use-user-default-locale
1⤵
PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58bcc6.rbs

Filesize
911B

MD5
e18fe0e090b52eb86d2f5b25f9f2b60d

SHA1
b4d42251d2cae6c8cf466ebe90131560f99eb6dd

SHA256
4629cca6c0970a69717b2a7eeeac601262392a0b56e5a68ca80dd80bf101139a

SHA512
38b7637f892b90b29f1bd6295376c98357f8474c249c91eb1517d8e9412d2f80dd77c8ae1ce14cf202584fb6c25c3dfbab7e45dcc7365e50f318edbcdab2aca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
1KB

MD5
fe18c1402b50e08359f8b8b9633cc48f

SHA1
0be151e84227177dd568f776f534c24b33320bc1

SHA256
14b6894d9ac117b298eb58f8a7b4a0af588d529b6df2e54a81cf5b618b7e034d

SHA512
8905efdb2cdb273fe164f8991d783b370e93377c766016b451e30f97dc1b870d49845539b27f61bac10a3beefd038614b43669a296eaa8523f2409bc8ab51d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
466ced0c4391616517f3924005913fe6

SHA1
1de4100cb021387655d2d40c52be5372f55b9908

SHA256
e536a2ab5852e639e11107a400e4577c8bfa0ee1b49d81192efd1961ee8e14ea

SHA512
dd0266bc9992453e3b720f8548d6732c5bfe20d25fa054a3b2166a6dea9dc3839b9cb831eaed07980bae7da812ae6e93f5943cbc6d2fcd66c070b51669ddc503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
536B

MD5
14561b24c8e3c6bc513747ac72c16cec

SHA1
a5f05ee3ace0a8bb973c1826d30963bf37d87ea0

SHA256
7d479a5c3b7494698dc44bd10a74cbb74a87847f1e320f5c4434b13897cd8e28

SHA512
a9d7978eff938e0011c7c3bed872685ef1aafddf89b7bfe06a358937c61d7d1a8ec92e9d9804edeb3e1f29929b48dc225049f3d4687bcaf44e82c1bece10595c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
ddecfbe5a9a45a1704b40282c18d581f

SHA1
70756166aeaac4ae186683cb8bc77b8d23d69211

SHA256
f7b5f5bf8a1361abdb3482937289665bf7e056b48c40eaa499e50fe32dbff66f

SHA512
e697402ed825f27d20b173b2093ff858cd59a219fc279e8920e47429aabc73a41fd17332accd3157c66fce80819b67a2736faf96cf20cbc6084f4a001f79b4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\www.ya.ru.ico

Filesize
5KB

MD5
a6f6261de61d910e0b828040414cee02

SHA1
d9df5043d0405b3f5ddaacb74db36623dd3969dc

SHA256
6bb91f1d74389b18bce6e71772e4c5573648c1a4823338193f700afdf8216be5

SHA512
20cb7b646c160c942e379c6e7a1a8981a09f520361c0205052c1d66e2fdb76333ffaaf0ca1dfc779754f0e844b9946900fbd5690d01869e1607abc1fda6dffab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\thumbnails\d6c80a7a62f02edd126868586819425b

Filesize
15KB

MD5
af80a936c10e18de168538a0722d6319

SHA1
9b1c84a1cf7330a698c89b9d7f33b17b4ba35536

SHA256
2435c0376fca765b21d43e897f4baa52daa0958a7015d04103488c606c99d1d3

SHA512
9a1325c8ce05806e5c161a4cf47239f62baad8f79650fbd713e74928fce8171ced10ba7f24fac46c548e1dbf3f64106270cb25ca88c836c870107f5dc1f97879

Download Submit
C:\Users\Admin\AppData\Local\Temp\00CC096D-4DFE-4619-A365-2D5D264C38F6\seederexe.exe

Filesize
8.6MB

MD5
225ba20fa3edd13c9c72f600ff90e6cb

SHA1
5f1a9baa85c2afe29619e7cc848036d9174701e4

SHA256
35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797

SHA512
97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\29C06BBF-A9F6-4B2F-B91D-7EEF4D531A79\lite_installer.exe

Filesize
419KB

MD5
aafdfaa7a989ddb216510fc9ae5b877f

SHA1
41cf94692968a7d511b6051b7fe2b15c784770cb

SHA256
688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc

SHA512
6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

Filesize
10.1MB

MD5
1b2ec29408245114da00769d9aa821af

SHA1
216896b4749250a7c3cb09322b40f7aecc9649f1

SHA256
e103d79e4951dee6ec3069a3017b2214c790f9b1301a2c1464622077a95e86b2

SHA512
e671adef6a471db8a4901bcb43e5eb75d427787d6450a828aee751e6fb63203a32f913bf4739352829891aec337306f23e04fcb2b41f363a344309d0033e7e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS00620CA8\setup.exe

Filesize
5.2MB

MD5
b0850e9c32b789196a6c8682e3410122

SHA1
a420cf36e183fd3dd9960acc5805b5e6f2b3b732

SHA256
a78f5891edeb5de4ed9a7f3221518a216938ea5eaaef8a50a258a65fb5aecd2f

SHA512
636f4cf68c7ff2ba773b61cf17b58d028621c982f6634ad16534e8b3f6c80dd91c93a9579405798111710e1d3fb46a584ae41ac193d592365b20a57ecc35992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240607224229841212.dll

Filesize
4.7MB

MD5
2ada940614c61329829fb101f3dd100b

SHA1
4441a58c0726a26ba05dad9541413219d6ef6d84

SHA256
ad63ddb2395cc0661fdf61aee5d968c00c833fe9a0ea533a570c2f8b5dddae10

SHA512
d1987ec85374013afb76179cb222c6ffcf2888c8c201e79b3e353c17ac140a6f5200bdfdf2955fbed1f877f871dd08794dce69087cf965e8851ccd619dfbc05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrpYGF74DrEm.ini

Filesize
55B

MD5
cdc0d996271e24c4c8ee641b86d4263f

SHA1
46193cf9553115ec69ea674ee928d3d95fda7349

SHA256
dcdfb7620a8c503b474ad3bf232704a94b355c878807c5ad523b9fbadfb9aabb

SHA512
91f826b12d220cca764168e24bac97d789dea910e58067499cd9fa855fba6b0528b4f1cbca789a39d629172db524c2d62f6d766d69bb75171301720d043d58c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
1KB

MD5
be683c5cb5e2bbd882c5cd954db21bdc

SHA1
84f7424ab7efad20705a08415be1d2cfca9838ff

SHA256
7162a663c88d1c33a77ded010a5aac90439f103df3bb203cd23a6b734b1db93b

SHA512
e0d6b519b3c54079cafe3f45e4cc586e9336b3df031a878f83397d1c02581a50eb63e13ecbac51d1990aefd2213b968132ac79445d1e5e6ce9792bca58bbbcd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
692B

MD5
3e83f361a771d46680d2b390ff28c292

SHA1
1e6263cd9fdda80b1b6098e359585d8570afe36b

SHA256
f1cc027a2a2c2c18fbb4113d39e867b08f4422fd083c4de02f7b1b54dd90570c

SHA512
0f82efd1f75339eb60a28db7a2237441b83ccc7f03b8779285ec28644f0909bec1c75669dff189d6b31d63cd1eb51f0ce95f3a50acb4dc4ce818fe95c745032b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1KJCI.tmp\PUABundler;Win32.YandexBundled.tmp

Filesize
1.2MB

MD5
909560b6836c74692cd921b7fc5ddeb3

SHA1
3efd29c6984a92668d8ef05a30f505728e461e2b

SHA256
8622a3854fe3234c9564ebdfbaf1751f39ba54b4bae324e3cc5f12511e86e894

SHA512
e6d484d79c503aa4e12bda8e65786be917e6d4ea4d7b807bca5e939c4d2faafc70d70d170b30cdfdb69cea8b3967405bf4ab08e19fb4299256bb39304d2aefcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\J0MJ8PeLy6C\Background_100.png

Filesize
57KB

MD5
492b73c9cda482f4528559b50ffa2263

SHA1
ed9962e4e5b38f8b14d7a87c90be9b50f80adca9

SHA256
087f71ccb844c086ca60580ff07a81ac6e7e1034d6c5011e036fcdeabdcb8a6e

SHA512
a75529f9c4cf6e0610d557faf90bf8fce8ccf679d602f35330c1a79e1d814c38d7597db74bf383ca8e41d8c5a84ec5cbdd13c3d9dd5cac353f4fe04ca3356b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\J0MJ8PeLy6C\Background_125.png

Filesize
82KB

MD5
2fa4ac66fb7e6686ea292dc12ebf40d1

SHA1
a78fbba72c74085f4cf10138f933eb4c7425d5be

SHA256
4510bb05768b4e3dae4a28af8b8da89487e4e45e16f7bd58ff136b79873f6c20

SHA512
d933c79310cfe0f8eeb92a257068e672f1535f0bdc452783ab670cda1aa11f1603eadecc90bd06232d87a289e3b3ea66257f0949b5359ddc3726abb995bec58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\J0MJ8PeLy6C\Background_150.png

Filesize
102KB

MD5
190f1abe88857f402ca203c4995342f2

SHA1
aca8bf75ed8bce4469b653833a674ed2fb437145

SHA256
97c0e39dfa425be1fcc3762a9758c4598b6da9ed038a0d72d2f27ccfe45ebc43

SHA512
ef4a3a40e5c555f806088eb629902cbfdb3adc44e8955422832d3be5270f17bfa8618d3ffd7d58de8ace10bb5961927710a1dbb1c0d0d07f19312450ddd9a268

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\J0MJ8PeLy6C\Background_175.png

Filesize
122KB

MD5
9637b76d9e077c385a0a9c91807c01d4

SHA1
3c2ad50e05c6385bfb85e11aa7c925dbda906af7

SHA256
98ea08beec8e8c7f97b9cf713796c70db877b5c1347fedf7384e0d96c65f5a8b

SHA512
c4fe4b6606be7fcffcf22e7fd0ddbaf7c6be6d9978a7695b90b35e822ce476be33fed46f7d8f9198f91e58a4780c843e3f9407ffd8ce4472412763552b9cf2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\J0MJ8PeLy6C\Background_200.png

Filesize
58KB

MD5
5e09cd379378c9b7279a5d346bcf0dd7

SHA1
72176562de231f8c63eef5e80eae045d0c2d4236

SHA256
8f8771601518f64facc88566a0414946ba7cf6b195b4cd3e0b8d600b380a83f3

SHA512
89402fddc11608e18e60dcbd084a7fbcc78a23bbd08bdfe39d30c68e9fddc3b76a27371926f3e2b9bdd9c161bb663ff8b271c9920c59715d36c33656f606aecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\J0MJ8PeLy6C\Checkboxes_100.png

Filesize
2KB

MD5
bd1ed4527fac3a8f592070d4b74737e8

SHA1
322f893670ac3784090b89e97bd6fbd13afb5538

SHA256
9cd4f84f874a5f40a448e3b0fd62d8a6684d407d29d718157258a23ca4ce66e2

SHA512
ce7ef5c9ed73a2fccf4ddc0d32061e6f449a2e2810e6a39bb2e8c53d596a3403d0003a89d6f9410b16841b1c547aba4491899eb4ff3120e1a12a4367716c12ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\K3YnOuuSBX3sKYNOKy\hitmanpro.exe

Filesize
10.5MB

MD5
48bd71ad990ac3d326a4894166d6d0d6

SHA1
c83d55f64596b008b620481dc202ca09e87f5aa7

SHA256
8480c5c816e96037bc2cfdea6e2d4a647f9f8bee5b5fec9b58b1b7def412c729

SHA512
236d98659369b7b7d8d13bf67e1853feb9dbc8b7350515f2adef27eb36a8ff4fef0167f8fe5f4c67d75a607bf9799fd27a467f87ddcf71232e5a46c962c49ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\SswDa\Logo.png

Filesize
15KB

MD5
ffc376bd1c694155c7e078447426a7c2

SHA1
cd03a96217a86a7ddffc66d8806b7cd006289d85

SHA256
06d80a2fdaa5d85ab8a15dbc00147f8294bee5b2076969be7cb0e94a227c20be

SHA512
c9f3fecceb16afe3a4b340f86bb7e87de93135cdf509e910f5565e58bb9ee4d1b79ecbdaa23c609205c1d39f0cb5a38a14e4a6f05c356ff5236c2df9e0c444cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\SswDa\OperaSetup_xdDBbrDAEN.exe

Filesize
2.0MB

MD5
ff2a51a63a17603815b41f48b0932fe8

SHA1
8b00700fcf4e46834082f0f3382b3b6718f13b16

SHA256
6076d16a466507e97ebfc4ba0544165b0f00e4e309bc823e5663829cc01327c9

SHA512
5c74c0083a37a7a689169b4488712d2d22c8daf62609192ab03c758144aa2b479ddccf7f1f84c3dfe90f2a0fe7d9856874db7b9ec509792755ac6631e92af3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\botva2.dll

Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\is-2M16H.ini

Filesize
6KB

MD5
3c40110fc02fb170d7b9d8f060a25744

SHA1
7e6ec81e8a1ae19c42ac3b232889169b5c60f8c6

SHA256
e43bb1cbab95b46a5f2caad6d7582a89d23f55f8bfa67f45965e63b3d9991de1

SHA512
c3a119fe08e0bff57bad6778315ece8c59e503c508f5548f5e05569e075eb6d6340f096e625f17cbdc6701f9d39cbfae0d5c822c7e352fb9071a8b0bb0fb9896

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\kQ4NdFnq7TCfM6\Logo.png

Filesize
9KB

MD5
f6d369ca0401028a9d6400fa33b6569a

SHA1
7d4d5220a8e82f8cdf62cb5bf8ae4553f88c1559

SHA256
625112b42752867093ef31a9d556b3a3b1954e67b4c8e3ee2caf8c0bb92013a1

SHA512
b5c3bd04d99c2c429ff83a5298c8a7109e4006540abf28f4ed05525bb108d91f8f3a79c8c362b26ca42b46c237f690b72755c3c87e5962b941080908a23e005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\kQ4NdFnq7TCfM6\downloader.exe

Filesize
726KB

MD5
2b0d2f77d8abade07a3dd9a8152ad111

SHA1
e7c0ad498f361e3c2d5a0ffa225ee112ed3c5bdb

SHA256
85ddc30b6b53ebe529688528e74bcfd74df0b93ea29ee1693d7d9aeec4d48776

SHA512
d48a3b9d9d3f83f1b0498103ee1f78467dc84254c762227081ba3218bd2212c1e3c29d2d94737101d55f5793f3d7dca8bdedc7d527cdb701733a6cbc74c938fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-31UEP.tmp\o1X2kSHgNDV_wIHQ\GroupLogo.png

Filesize
48KB

MD5
920c4150cc42cc8fa965f0d6b9af31ae

SHA1
9d327cb2cbe2e4b81c178c5379252f7a7e7f385a

SHA256
1a337bd09186900ce1e65627a2d5cc96d45198227d2925a56e0d8036879b1f90

SHA512
be439d64a673071dd1a793389656bccf730341d9055f4f66b8cd944ac7875f0b528a04836f7ba59403b4257d439cf1de46c879b1368700ef5d62e02061ef6eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
8KB

MD5
0d34fffaf599562857081717fe684592

SHA1
7892708b7aecb3aff76ee04a58ffd744686ff176

SHA256
11dabd2f15413bbc2c89025990ba0e715a423222cceda025b2dda433fae5f07c

SHA512
e87c866e17290070cc65e47aa338fa3d48f1a70965f84c282ae0033d62a091a4f4560f2417b9ea9bfe51e5c0296f9691c2dafbad46d7c6418fcdc25dbdae564a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
11KB

MD5
db3369988c9f4bdb5836b0f542575082

SHA1
e3da10b04f490dcf14950d967aba3e9de407852f

SHA256
5b6130b6f9219dc95857c58cf0779a78123273e747b29c111f0d144e6080d0eb

SHA512
01a1c03d05224de9802b7ff660252e6c9f811a06aeea3109ea81615a20b81c99ae405a256d69d8351ff4c40c0d6907f3639c503fbd2b9fb9913139cbb979a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20244207.zip

Filesize
41.3MB

MD5
44f43835c48d0441c83eb30feb273d56

SHA1
7f4fe46044e38f28e39b7dd642ae648b4af4e6c3

SHA256
cd79270f3aec1a88c6cab113c0b5ce827e000785074987ef2720ae106d22a0cd

SHA512
280e0662bf59de9b9911d01f7f73efa09ef534f2ec8dc0d1e31fc5cc1199097e43c7a34ba171e9b87f663525cf993a07703f07117ab5e36c1e45e6286a7fdf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
509B

MD5
504bfe9121fbae34dbfdf5fd740cbf70

SHA1
d0c9bc8ea497eeef4657a3c58e53b336fc18d2d8

SHA256
22ccf6d8a73d8b67348165d3403d7f1987322e0f91c504c51ed314412ebfc1c3

SHA512
dc5056f21e78e3d0819683d6bce47cb006ed5cac2da3be5b238fbc3b36ce651c4e0c1d1ddfd25d502cca3ba3e0565bf1d64248f2d403a60363409d86ce59607a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
9.8MB

MD5
32bf2aeb949828b5b228353174287879

SHA1
7186dc7afd5afa994ffb8e2008cc7729b2aa03a7

SHA256
69e608700f74ded9d68badda096ebce8f524c0919f4268cf5273eaab09e5c1b7

SHA512
b39d63f620ed1f2244c2a1749f1a9ac09de513e9ea030c9ae4854c0543e9e1a9fc4fab98631c377306aca40ba91cce0299d53cc65f79020617b7555dc28cbe67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0C1C644-9C58-4592-AFEB-2E26805F3E99}.exe

Filesize
10.4MB

MD5
d454cfd8343eed174988c952e9828f4d

SHA1
dea2383c9dc9071ac88052a5cda7ee4ea7c9377c

SHA256
87719630422cf17f1c538afe530bd87b253be6086a620035f53144e024e464fd

SHA512
cc1dddfb37b4e0f6a2bf62b60c32494ee73c781c99cdcbaac03278f8d1f1bd9d474c134b393b499c588669311b390515a375a2d4da29970632cf8280b00833b2

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe

Filesize
397KB

MD5
95828ee007d3586792d53ace50b2357e

SHA1
3501ccad7573fd467911f207155318db3a1a1554

SHA256
8c4be5f1bc4e2f73d4396af48a31bf10362006472e9b28f40aa91f73a3815f12

SHA512
9896eccb178fd772fc92e5793340bdbc1bd6169465d9a739df06c1154edbce16f6db5dd50df426ccbc40d8410d4ef170c3fb0bc700e7778149ff2168409638e7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

Filesize
2KB

MD5
31413d872b6bcc748c6bd3737888f659

SHA1
1c843a6d60c98fd8581cc2f15fbc90f3371ebe9d

SHA256
4d6f83d9c8c5677c15b682c575d3af9501ab433e834b411fcb5aab21c4150d6b

SHA512
80055f902d91aa00a2e94440bf3a7bba71912eeea5175d0116a8bfc78b13ce1a7d9ffe346768c25bf6f574cc314038b1b66744b0ba6cbd50ccaa9f090f688bb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Яндекс.website

Filesize
514B

MD5
b8719f11e188c37e6ad64a869d605725

SHA1
e3bf131ed39ad9663d47a494222a0c880007f8a2

SHA256
8f455046d561f5460d1d3e8bf0db27bdb0c6c0a5f213e2ded5ba19238d20f838

SHA512
620c8a35307a3e16c1b0b0ff8de9ab66ae3dd6733dfc3be2e72bdc91f538932244ca5a345287755f6820547592401a4483e178c1742fba521f9f86fdf360cf3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xvu9bdak.Admin\places.sqlite-20240607224231.414868.backup

Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks

Filesize
2KB

MD5
4e6fc7cd557cd0f97cb4697b020d0db0

SHA1
4b7d8dc19cd7336f8f78de897e3f5b579d71054d

SHA256
1c9e12323fdf43244d41c98dc5015339efc1b2221d9593f8fd32ab8f1de2d737

SHA512
c8d4067dc8ac3eaf7cebafbb6868d400f58a78eddbfd691e59df89500b4b3d87185d42f999623cf9e86459cc75830e975f8c93a9bb3de9314ca638e4b58703d3

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240607224232.698791.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\BookmarksExtras

Filesize
19KB

MD5
a8c235b3b5095f2ef1d4cefd698fad7a

SHA1
725349c76ac3470fa8b8a160a6f2dd2af060259a

SHA256
1c2061f117dc3c308eeca442a5e118523b65518e0cec9d144b740bf213611081

SHA512
c6e4d1e149607fe4603e648966caaaa98e49693ca3e7c0582303149521af35595c321b224fb6f4e5069bcd41d23924b2a01991edbb1980349354f5a28f143607

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
14de42cb56332cbcfeb637258e2c871f

SHA1
0205de864f306c47eb3041bc5a0a4aef58bb0cf9

SHA256
dc02951fee7cf96c3625fd610965f257578f9257136a0dd326784ff772914154

SHA512
176faf7a47127814f3455e1739bc57ab2180eea6b6348edc55d0601c9c7e4e6096fcc7547c62fedd760920ce4a638d8756bc84c59e218cd2c7cbb0c5202bf0ab

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences

Filesize
317B

MD5
c33c6a041771e129f1361d97922075a1

SHA1
6b6126f445ec26c14c379095f15178e419bd49b4

SHA256
fcbd7ce19e717bac99061ee29abc64a4377576e7ccc67f6aa230a6e483fdaf28

SHA512
b692398667b2831046b8ff90ef6769fa73e0717870e260acb8d97c42e7ad48bc48a3076d856ea2242a5c5aad6923b11a6cc40f0e910d2252b800b63f8833997f

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\clids-yabrowser.xml

Filesize
675B

MD5
e94ea6f20e1970d797907339b5d8c60c

SHA1
d6e3dcbd27e1946b46804d5142ce3e19576eec66

SHA256
d1800551f0663174e7d190ff11bf6f09cc967c26af26567dc84bd428e62d1dc4

SHA512
82b9daee23fd02230c9e6690ec260652e921004f356eb068288091b07cbab736ff69533cfafe0201dd786dd07c464010686e99b30b71dd1a1c6f795e20a3e267

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
6bb6fe8c8a637b2a8cac7b7cbd2041f5

SHA1
c6b306dbb2212350e9ec622b2a8f8aeea5b6728a

SHA256
e25d11dcb7e9f8a1f82d2970eea187e65f465a600d582eee5c1574003dfe95b8

SHA512
d2614c9d8b801585edde9c1141cdf5de7d0c4cd34cee0e9e5e52d93836ba65e1c4b3312f6c260b8d8f4a587cd88b44d303eb0838338307d42638d5084b43fe0c

Download Submit
C:\Windows\Installer\MSIC416.tmp

Filesize
181KB

MD5
0c80a997d37d930e7317d6dac8bb7ae1

SHA1
018f13dfa43e103801a69a20b1fab0d609ace8a5

SHA256
a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

SHA512
fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

Download Submit
C:\Windows\Installer\MSIC55F.tmp

Filesize
189KB

MD5
e6fd0e66cf3bfd3cc04a05647c3c7c54

SHA1
6a1b7f1a45fb578de6492af7e2fede15c866739f

SHA256
669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

SHA512
fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

Download Submit
memory/2388-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2388-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-2097-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-2098-0x0000000006210000-0x000000000621F000-memory.dmp

Filesize
60KB

Download
memory/5084-6-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-17-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-2085-0x0000000006210000-0x000000000621F000-memory.dmp

Filesize
60KB

Download
memory/5084-2180-0x0000000006210000-0x000000000621F000-memory.dmp

Filesize
60KB

Download
memory/5084-2179-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-15-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-2169-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-2168-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-2167-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5084-2165-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download