4f128c759e90606c9c7b5546259a7888b2aaaf5ea59d1aa40d5284056366504c

System Information Discovery

Processes:

browser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\Geo\Nation	browser.exe

Executes dropped EXE 64 IoCs

Processes:

yadl.exeyadl.exeYandexPackSetup.exelite_installer.exeseederexe.exeYandex.exesender.exe{C316C553-A46B-4E5D-B058-25B4C7303B24}.exeyb11DC.tmpsetup.exesetup.exesetup.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.exeservice_update.execlidmgr.execlidmgr.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exeKLauncher.exejavaw.exejavaw.exejava.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exe

pid	process
2824	yadl.exe
1248	yadl.exe
1056	YandexPackSetup.exe
1252	lite_installer.exe
2744	seederexe.exe
14904	Yandex.exe
15440	sender.exe
16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe
19036	yb11DC.tmp
19120	setup.exe
19176	setup.exe
19200	setup.exe
20428	service_update.exe
20488	service_update.exe
20552	service_update.exe
20564	service_update.exe
20652	service_update.exe
20700	service_update.exe
21364	clidmgr.exe
21404	clidmgr.exe
2812	browser.exe
2416	browser.exe
1796	browser.exe
2880	browser.exe
2408	browser.exe
320	browser.exe
3484	browser.exe
3800	browser.exe
3792	browser.exe
4196	browser.exe
4004	browser.exe
5432	browser.exe
5324	browser.exe
5864	browser.exe
6376	browser.exe
6592	browser.exe
6952	browser.exe
7448	browser.exe
7780	browser.exe
12620	browser.exe
12752	browser.exe
12856	browser.exe
12972	browser.exe
13104	browser.exe
13212	browser.exe
13484	browser.exe
13348	browser.exe
13596	browser.exe
13744	browser.exe
14020	browser.exe
13908	browser.exe
14108	KLauncher.exe
14832	javaw.exe
14704	javaw.exe
15244	java.exe
14904	browser.exe
17380	browser.exe
17600	browser.exe
18408	browser.exe
18568	browser.exe
2432	browser.exe
2752	browser.exe
1560	browser.exe
288	browser.exe

Loads dropped DLL 64 IoCs

Processes:

KLSetup (1).exeyadl.exeMsiExec.exeseederexe.exeYandex.exelite_installer.exe{C316C553-A46B-4E5D-B058-25B4C7303B24}.exeyb11DC.tmpsetup.exesetup.exeservice_update.exeservice_update.exeservice_update.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exebrowser.exe

pid	process
2220	KLSetup (1).exe
2824	yadl.exe
2824	yadl.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
1576	MsiExec.exe
2744	seederexe.exe
14904	Yandex.exe
2744	seederexe.exe
1252	lite_installer.exe
1252	lite_installer.exe
16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe
16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe
16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe
16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe
19036	yb11DC.tmp
19120	setup.exe
19120	setup.exe
19120	setup.exe
19176	setup.exe
19176	setup.exe
19176	setup.exe
20428	service_update.exe
20428	service_update.exe
20428	service_update.exe
20428	service_update.exe
20428	service_update.exe
20552	service_update.exe
20552	service_update.exe
20652	service_update.exe
19176	setup.exe
19176	setup.exe
19176	setup.exe
19176	setup.exe
19176	setup.exe
19176	setup.exe
2812	browser.exe
2416	browser.exe
2812	browser.exe
1796	browser.exe
1796	browser.exe
2880	browser.exe
2408	browser.exe
2880	browser.exe
2408	browser.exe
320	browser.exe
320	browser.exe
1796	browser.exe
1796	browser.exe
1796	browser.exe
3484	browser.exe
3484	browser.exe
3800	browser.exe
3792	browser.exe
3792	browser.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

14752 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
14752	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

browser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\YandexBrowserAutoLaunch_45886AE68CD319C7351FF54A1DBD4B87 = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --shutdown-if-not-closed-by-system-restart"	browser.exe

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

31 1556 msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
31	1556	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

browser.exebrowser.exebrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	browser.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	browser.exe

Drops file in System32 directory 1 IoCs

Processes:

service_update.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui service_update.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yandex\ui	service_update.exe

Drops file in Program Files directory 3 IoCs

Processes:

service_update.exeservice_update.exe

description	ioc	process
File created	C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe	service_update.exe
File opened for modification	C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\debug.log	service_update.exe

Drops file in Windows directory 20 IoCs

Processes:

msiexec.exeservice_update.exebrowser.exeservice_update.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIEA8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC74.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEC8.tmp	msiexec.exe
File created	C:\Windows\Tasks\System update for Yandex Browser.job	service_update.exe
File opened for modification	C:\Windows\Installer\MSIEAF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e89d.ipi	msiexec.exe
File created	C:\Windows\Tasks\Repairing Yandex Browser update service.job	service_update.exe
File created	C:\Windows\Tasks\Обновление Браузера Яндекс.job	browser.exe
File opened for modification	C:\Windows\Installer\MSIEB38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC24.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC44.tmp	msiexec.exe
File created	C:\Windows\Tasks\Update for Yandex Browser.job	service_update.exe
File created	C:\Windows\Installer\f76e89a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e89a.msi	msiexec.exe
File created	C:\Windows\Installer\f76e89d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED9E.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

Processes:

browser.exebrowser.exebrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	browser.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	browser.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

Processes:

seederexe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\URL = "https://yandex.ru/search/?win=651&clid=6035498-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=651&clid=6035502-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-31-21"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\SuggestionsURL	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\YaCreationDate = "2024-31-21"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\NTURL = "https://yandex.ru/search/?win=651&clid=6035502-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=651&clid=6035498-354&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\d4f81b30-2fc1-11ef-b12f-52e878acfad8\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

Processes:

seederexe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=651&clid=6035495-354"	seederexe.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

service_update.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Yandex	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	service_update.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Yandex	service_update.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Yandex\UICreated_SYSTEM = "1"	service_update.exe

Modifies registry class 64 IoCs

Processes:

browser.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.tiff\shell\image_search\ = "Поиск по картинке"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.bmp\shell\image_search\ = "Поиск по картинке"	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexCSS.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-124"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.png	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.webm	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexWEBM.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.htm\OpenWithProgids\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.bmp\shell	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.crx	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexCRX.VCSW6JTLDSYTZUAASZV5YIJDQA\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexTIFF.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.xhtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pdf\OpenWithProgids\YandexPDF.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\yabrowser\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexSVG.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex Browser SVG Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexSWF.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.tif	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexCRX.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-104"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.bmp\shell\image_search\Icon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.tiff	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.txt\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.htm	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.png\shell\image_search\Icon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.bmp\shell\image_search\command	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexJPEG.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex Browser JPEG Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexPDF.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex Browser PDF Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexPDF.VCSW6JTLDSYTZUAASZV5YIJDQA\shell\open	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexCSS.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex Browser CSS Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexFB2.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.bmp	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexBrowser.crx\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.xhtml	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\yabrowser\shell\open\ddeexec\	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexPNG.VCSW6JTLDSYTZUAASZV5YIJDQA\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.tiff\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.xht\OpenWithProgids\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex HTML Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexEPUB.VCSW6JTLDSYTZUAASZV5YIJDQA\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.gif\OpenWithProgids\YandexGIF.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.pdf	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.jpg\shell\image_search	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexFB2.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-122"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexWEBP.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex Browser WEBP Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexCSS.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexJS.VCSW6JTLDSYTZUAASZV5YIJDQA\ = "Yandex Browser JS Document"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexJS.VCSW6JTLDSYTZUAASZV5YIJDQA\shell\open\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.html	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.tiff	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.tif	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexBrowser.crx	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexJPEG.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.jpg\shell\image_search\Icon = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,0"	browser.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.svg	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.swf\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.shtml\OpenWithProgids\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.jpeg	browser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexHTML.VCSW6JTLDSYTZUAASZV5YIJDQA\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexTIFF.VCSW6JTLDSYTZUAASZV5YIJDQA\shell	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.crx\OpenWithProgids\YandexCRX.VCSW6JTLDSYTZUAASZV5YIJDQA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\YandexINFE.VCSW6JTLDSYTZUAASZV5YIJDQA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Yandex\\YandexBrowser\\Application\\browser.exe,-135"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\SystemFileAssociations\.jpeg\shell\image_search	browser.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

yadl.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	yadl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	yadl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	yadl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	yadl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	yadl.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	yadl.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

YandexPackSetup.exemsiexec.exelite_installer.exeseederexe.exesender.exesetup.exebrowser.exe

pid	process
1056	YandexPackSetup.exe
1556	msiexec.exe
1556	msiexec.exe
1252	lite_installer.exe
1252	lite_installer.exe
1252	lite_installer.exe
1252	lite_installer.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
2744	seederexe.exe
15440	sender.exe
15440	sender.exe
19176	setup.exe
19176	setup.exe
2812	browser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

YandexPackSetup.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1056	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	1056	YandexPackSetup.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeSecurityPrivilege	1556	msiexec.exe
Token: SeCreateTokenPrivilege	1056	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	1056	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	1056	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	1056	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	1056	YandexPackSetup.exe
Token: SeTcbPrivilege	1056	YandexPackSetup.exe
Token: SeSecurityPrivilege	1056	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	1056	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	1056	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	1056	YandexPackSetup.exe
Token: SeSystemtimePrivilege	1056	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	1056	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	1056	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	1056	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	1056	YandexPackSetup.exe
Token: SeBackupPrivilege	1056	YandexPackSetup.exe
Token: SeRestorePrivilege	1056	YandexPackSetup.exe
Token: SeShutdownPrivilege	1056	YandexPackSetup.exe
Token: SeDebugPrivilege	1056	YandexPackSetup.exe
Token: SeAuditPrivilege	1056	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	1056	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	1056	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	1056	YandexPackSetup.exe
Token: SeUndockPrivilege	1056	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	1056	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	1056	YandexPackSetup.exe
Token: SeManageVolumePrivilege	1056	YandexPackSetup.exe
Token: SeImpersonatePrivilege	1056	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	1056	YandexPackSetup.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe
Token: SeRestorePrivilege	1556	msiexec.exe
Token: SeTakeOwnershipPrivilege	1556	msiexec.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

browser.exe

pid	process
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

browser.exe

pid	process
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe
2812	browser.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

browser.exejavaw.exe

pid process

2812 browser.exe
14704 javaw.exe
14704 javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

KLSetup (1).exeyadl.exemsiexec.exeMsiExec.exeseederexe.exe{C316C553-A46B-4E5D-B058-25B4C7303B24}.exeyb11DC.tmpsetup.exe

description	pid	process	target process
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2220 wrote to memory of 2824	2220	KLSetup (1).exe	yadl.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1056	2824	yadl.exe	YandexPackSetup.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 2824 wrote to memory of 1248	2824	yadl.exe	yadl.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1556 wrote to memory of 1576	1556	msiexec.exe	MsiExec.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 1252	1576	MsiExec.exe	lite_installer.exe
PID 1576 wrote to memory of 2744	1576	MsiExec.exe	seederexe.exe
PID 1576 wrote to memory of 2744	1576	MsiExec.exe	seederexe.exe
PID 1576 wrote to memory of 2744	1576	MsiExec.exe	seederexe.exe
PID 1576 wrote to memory of 2744	1576	MsiExec.exe	seederexe.exe
PID 2744 wrote to memory of 14904	2744	seederexe.exe	Yandex.exe
PID 2744 wrote to memory of 14904	2744	seederexe.exe	Yandex.exe
PID 2744 wrote to memory of 14904	2744	seederexe.exe	Yandex.exe
PID 2744 wrote to memory of 14904	2744	seederexe.exe	Yandex.exe
PID 2744 wrote to memory of 15440	2744	seederexe.exe	sender.exe
PID 2744 wrote to memory of 15440	2744	seederexe.exe	sender.exe
PID 2744 wrote to memory of 15440	2744	seederexe.exe	sender.exe
PID 2744 wrote to memory of 15440	2744	seederexe.exe	sender.exe
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 16860 wrote to memory of 19036	16860	{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe	yb11DC.tmp
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19036 wrote to memory of 19120	19036	yb11DC.tmp	setup.exe
PID 19120 wrote to memory of 19176	19120	setup.exe	setup.exe
PID 19120 wrote to memory of 19176	19120	setup.exe	setup.exe
PID 19120 wrote to memory of 19176	19120	setup.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\KLSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\KLSetup (1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\yadl.exe
"C:\Users\Admin\AppData\Local\Temp\yadl.exe" --partner 418804 --distr /quiet /msicl "YABROWSER=y YAQSEARCH=y YAHOMEPAGE=y VID=354"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
"C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YABROWSER=y YAQSEARCH=y YAHOMEPAGE=y VID=354"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\yadl.exe
C:\Users\Admin\AppData\Local\Temp\yadl.exe --stat dwnldr/p=418804/rid=592b0543-dc31-4eed-88b1-37bf4784221b/sbr=0-0/hrc=200-200/bd=267-10639168/gtpr=1-1-1-255-1/cdr=0-b7-b7-ff-b7/for=3-0/fole=255-0/fwle=255-0/vr=ff-800b0109/vle=ff-800b0109/hovr=ff-0/hovle=ff-0/shle=ff-0/vmajor=6/vminor=1/vbuild=7601/distr_type=landing/cnt=0/dt=1/ct=1/rt=0 --dh 1556 --st 1718969495
3⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Roaming\.minecraft\KLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\KLauncher.exe"
2⤵
- Executes dropped EXE
PID:14108

C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe" -version
3⤵
- Executes dropped EXE
PID:14832

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
4⤵
- Modifies file permissions
PID:14752

C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\javaw.exe" -XX:+UseG1GC -Dfile.encoding=UTF-8 -jar "C:\Users\Admin\AppData\Roaming\.minecraft\KLauncher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:14704

C:\Users\Admin\AppData\Roaming\.minecraft\java\jre1.8.0_251\bin\java.exe
java.exe -version
4⤵
- Executes dropped EXE
PID:15244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 33DFC217D486BADF1BF5B2741515122E
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\B7A57834-E319-4A1D-BD39-1A9F31CFFAE4\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\B7A57834-E319-4A1D-BD39-1A9F31CFFAE4\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1252

C:\Users\Admin\AppData\Local\Temp\F493BB01-E645-4748-AA94-CC453232830F\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\F493BB01-E645-4748-AA94-CC453232830F\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\85D75EF4-CA70-4150-8719-C60A552EC737\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:14904

C:\Users\Admin\AppData\Local\Temp\85D75EF4-CA70-4150-8719-C60A552EC737\sender.exe
C:\Users\Admin\AppData\Local\Temp\85D75EF4-CA70-4150-8719-C60A552EC737\sender.exe --send "/status.xml?clid=6035492-354&uuid=1b232d30-7D56-49A9-87D6-88473DF34cf5&vnt=Windows 7x64&file-no=6%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A21%0A22%0A24%0A25%0A40%0A42%0A43%0A45%0A57%0A61%0A89%0A103%0A111%0A123%0A124%0A125%0A129%0A"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:15440

C:\Users\Admin\AppData\Local\Temp\{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe
"C:\Users\Admin\AppData\Local\Temp\{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe" --job-name=yBrowserDownloader-{D61CDF9C-D0F2-4589-A339-0DDD2C921EC7} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=6035461-354&ui=1b232d30-7D56-49A9-87D6-88473DF34cf5 --use-user-default-locale
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:16860

C:\Users\Admin\AppData\Local\Temp\yb11DC.tmp
"C:\Users\Admin\AppData\Local\Temp\yb11DC.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\975444fa-8688-4b06-96f4-1f5e3a882fbd.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=261600800 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{D61CDF9C-D0F2-4589-A339-0DDD2C921EC7} --local-path="C:\Users\Admin\AppData\Local\Temp\{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=6035461-354&ui=1b232d30-7D56-49A9-87D6-88473DF34cf5 --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\90a78e70-3ce3-42cb-884f-73676b73f2a7.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:19036

C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\975444fa-8688-4b06-96f4-1f5e3a882fbd.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=261600800 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{D61CDF9C-D0F2-4589-A339-0DDD2C921EC7} --local-path="C:\Users\Admin\AppData\Local\Temp\{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=6035461-354&ui=1b232d30-7D56-49A9-87D6-88473DF34cf5 --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\90a78e70-3ce3-42cb-884f-73676b73f2a7.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:19120

C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\BROWSER.PACKED.7Z" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\975444fa-8688-4b06-96f4-1f5e3a882fbd.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=261600800 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{D61CDF9C-D0F2-4589-A339-0DDD2C921EC7} --local-path="C:\Users\Admin\AppData\Local\Temp\{C316C553-A46B-4E5D-B058-25B4C7303B24}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=6035461-354&ui=1b232d30-7D56-49A9-87D6-88473DF34cf5 --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\90a78e70-3ce3-42cb-884f-73676b73f2a7.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico" --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=295078400
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:19176

C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\YB_8A667.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=2dd7b5e4628752fb0b47757ed5724904 --annotation=main_process_pid=19176 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.6.0.1878 --initial-client-data=0x1b0,0x1b4,0x1b8,0x184,0x1bc,0xf31cbc,0xf31cc8,0xf31cd4
5⤵
- Executes dropped EXE
PID:19200

C:\Windows\TEMP\sdwra_19176_110399698\service_update.exe
"C:\Windows\TEMP\sdwra_19176_110399698\service_update.exe" --setup
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:20428

C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe" --install
6⤵
- Executes dropped EXE
PID:20488

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
5⤵
- Executes dropped EXE
PID:21364

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source19176_1370732583\Browser-bin\clids_yandex_second.xml"
5⤵
- Executes dropped EXE
PID:21404

C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe" --run-as-service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:20552

C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=2dd7b5e4628752fb0b47757ed5724904 --annotation=main_process_pid=20552 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.6.0.1878 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0xdeb728,0xdeb734,0xdeb740
2⤵
- Executes dropped EXE
PID:20564

C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe" --update-scheduler
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:20652

C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe
"C:\Program Files (x86)\Yandex\YandexBrowser\24.6.0.1878\service_update.exe" --update-background-scheduler
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:20700

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=0 --install-start-time-no-uac=261600800
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=2812 --annotation=metrics_client_id=e2d9fa6c3c4e4963a739d5840cf1a00e --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.6.0.1878 --initial-client-data=0xf4,0xf8,0xfc,0xc8,0x100,0x73545a28,0x73545a34,0x73545a40
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --gpu-process-kind=sandboxed --field-trial-handle=1868,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=1860 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --gpu-process-kind=trampoline --field-trial-handle=1736,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Network Service" --field-trial-handle=2072,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=1764 --brver=24.6.0.1878 /prefetch:3
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Storage Service" --field-trial-handle=2316,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2504 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:320

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Audio Service" --field-trial-handle=2900,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2884 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3484

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Импорт профилей" --field-trial-handle=3328,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3344 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3792

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --enable-ignition --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3388,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3384 /prefetch:2
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3800

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=3584,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3780 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:4004

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --enable-ignition --allow-prefetch --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3864,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4196

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --enable-ignition --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3364,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5324

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=4052,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4076 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:5432

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --gpu-process-kind=sandboxed --field-trial-handle=2068,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:2
2⤵
- Executes dropped EXE
PID:5864

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=3576,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4120 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:6376

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --no-appcompat-clear --enable-ignition --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4360,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6592

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --ya-custo-process --enable-instaserp --no-appcompat-clear --enable-ignition --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3988,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6952

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://browser.translate.yandex.net/ --enable-instaserp --no-appcompat-clear --enable-ignition --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5008,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:7448

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Распаковщик файлов" --field-trial-handle=5328,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5336 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:7780

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=2032,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2176 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:12620

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=2160,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=2164 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:12752

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5392,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5384 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:12856

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5508,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5512 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:12972

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=2148,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5624 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13104

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5780,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5764 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13212

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=2864,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5792 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13348

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5596,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5864 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13484

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5684,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5548 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13744

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5724,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=5920 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13596

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5740,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=6044 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:14020

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Data Decoder Service" --field-trial-handle=5692,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=6172 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:13908

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=ru --service-sandbox-type=service --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Распаковщик файлов" --field-trial-handle=2904,i,1216092220659813741,6116783679339116397,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=4016 --brver=24.6.0.1878 /prefetch:8
2⤵
- Executes dropped EXE
PID:14904

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater --broupdater-origin=auto --bits_job_guid={30C4908C-0B76-4E83-B83E-71B16FEFCDD2}
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Enumerates system info in registry
PID:17380

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1718969552 --annotation=last_update_date=1718969552 --annotation=launches_after_update=1 --annotation=machine_id=2dd7b5e4628752fb0b47757ed5724904 --annotation=main_process_pid=17380 --annotation=metrics_client_id=e2d9fa6c3c4e4963a739d5840cf1a00e --annotation=micromode=broupdater --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.6.0.1878 --initial-client-data=0xf8,0xfc,0x100,0xcc,0x104,0x73545a28,0x73545a34,0x73545a40
2⤵
- Executes dropped EXE
PID:17600

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --gpu-process-kind=sandboxed --field-trial-handle=1192,i,8151527506677958753,2648374203317935140,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=1180 /prefetch:2
2⤵
- Executes dropped EXE
PID:18408

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Network Service" --field-trial-handle=1444,i,8151527506677958753,2648374203317935140,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=1456 --brver=24.6.0.1878 /prefetch:3
2⤵
- Executes dropped EXE
PID:18568

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:19196

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater-stat-bits --broupdater-stat-name=install --bits_job_guid={4FC4876E-EA4C-4961-BC43-E078B5F78D53}
1⤵
- Executes dropped EXE
- Checks system information in the registry
- Enumerates system info in registry
PID:2432

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1718969552 --annotation=last_update_date=1718969552 --annotation=launches_after_update=2 --annotation=machine_id=2dd7b5e4628752fb0b47757ed5724904 --annotation=main_process_pid=2432 --annotation=metrics_client_id=e2d9fa6c3c4e4963a739d5840cf1a00e --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=24.6.0.1878 --initial-client-data=0xf8,0xfc,0x100,0xcc,0x104,0x73545a28,0x73545a34,0x73545a40
2⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --gpu-process-kind=sandboxed --field-trial-handle=1176,i,12158112774239699996,11170532455230707548,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=1164 /prefetch:2
2⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
"C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=1b232d30-7D56-49A9-87D6-88473DF34cf5 --brand-id=yandex --partner-id=pseudoportal-ru --no-appcompat-clear --process-name="Network Service" --field-trial-handle=1440,i,12158112774239699996,11170532455230707548,262144 --enable-features=InstallerNewIdentity2024 --variations-seed-version --mojo-platform-channel-handle=1452 --brver=24.6.0.1878 /prefetch:3
2⤵
- Executes dropped EXE
PID:288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery