d7477652d77ff2b1f2197a092401adad10ac22e4325ecfa488f64b2f06affa52

Analysis

max time kernel
63s
max time network
128s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
24-08-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads.zip
Size

109KB
MD5

0ad80fb187c66cc654335155c4ed0172
SHA1

c91dba5a5493a091f5b532023e87f6ba63789351
SHA256

d7477652d77ff2b1f2197a092401adad10ac22e4325ecfa488f64b2f06affa52
SHA512

c901eea53772c8efaecebdf97ff69a1f09838a908fa23196a7d7f8feff3ac8b53ee9c1478f9cf706b412eff2f8a3ae4ba5d435c7616152418bfb70f674311c61
SSDEEP

3072:kb+l9G91POxiykJ1NktvU5NLcc9EMGgUkBW8snW5DTty:zbGCs1NkuLf9ENQXJDQ

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	Yandex.exe

Executes dropped EXE 6 IoCs

pid	Process
4364	YandexPackSetup.exe
4920	lite_installer.exe
4636	seederexe.exe
7116	Yandex.exe
6892	{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe
3464	explorer.exe

Loads dropped DLL 10 IoCs

pid	Process
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe
3836	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8819.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI877C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C05.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DCC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5880d3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8972.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	seederexe.exe
File opened for modification	C:\Windows\Installer\MSI8623.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9214.tmp	msiexec.exe
File created	C:\Windows\Installer\e5880d3.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lite_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seederexe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YandexPackSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yandex.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTURL = "https://yandex.ru/search/?win=660&clid=2470977-731&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-56-24"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\FaviconURLFallback = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=660&clid=2470975-731&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\DisplayName = "Bing"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\SuggestionsURL	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\FaviconURLFallback = "https://www.ya.ru/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURL = "http://www.bing.com/favicon.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=660&clid=2470977-731&text={searchTerms}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\MINIE	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\YaCreationDate = "2024-56-24"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\3ef7297e-6242-11ef-83d5-fa732297e4b8\URL = "https://yandex.ru/search/?win=660&clid=2470975-731&text={searchTerms}"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1"	seederexe.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=660&clid=2470974-731"	seederexe.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Yandex.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	seederexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\HomeButtonPage = "https://www.ya.ru/?win=660&clid=2470974-731"	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\HomeButtonEnabled = "1"	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\FavBarCache	seederexe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\FavBarCache	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LinksBar	seederexe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LinksBar\Enabled = "1"	seederexe.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	lite_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	lite_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	lite_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	lite_installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	lite_installer.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4364	YandexPackSetup.exe
4364	YandexPackSetup.exe
2956	msiexec.exe
2956	msiexec.exe
4920	lite_installer.exe
4920	lite_installer.exe
4920	lite_installer.exe
4920	lite_installer.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe
4636	seederexe.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4364	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	4364	YandexPackSetup.exe
Token: SeSecurityPrivilege	2956	msiexec.exe
Token: SeCreateTokenPrivilege	4364	YandexPackSetup.exe
Token: SeAssignPrimaryTokenPrivilege	4364	YandexPackSetup.exe
Token: SeLockMemoryPrivilege	4364	YandexPackSetup.exe
Token: SeIncreaseQuotaPrivilege	4364	YandexPackSetup.exe
Token: SeMachineAccountPrivilege	4364	YandexPackSetup.exe
Token: SeTcbPrivilege	4364	YandexPackSetup.exe
Token: SeSecurityPrivilege	4364	YandexPackSetup.exe
Token: SeTakeOwnershipPrivilege	4364	YandexPackSetup.exe
Token: SeLoadDriverPrivilege	4364	YandexPackSetup.exe
Token: SeSystemProfilePrivilege	4364	YandexPackSetup.exe
Token: SeSystemtimePrivilege	4364	YandexPackSetup.exe
Token: SeProfSingleProcessPrivilege	4364	YandexPackSetup.exe
Token: SeIncBasePriorityPrivilege	4364	YandexPackSetup.exe
Token: SeCreatePagefilePrivilege	4364	YandexPackSetup.exe
Token: SeCreatePermanentPrivilege	4364	YandexPackSetup.exe
Token: SeBackupPrivilege	4364	YandexPackSetup.exe
Token: SeRestorePrivilege	4364	YandexPackSetup.exe
Token: SeShutdownPrivilege	4364	YandexPackSetup.exe
Token: SeDebugPrivilege	4364	YandexPackSetup.exe
Token: SeAuditPrivilege	4364	YandexPackSetup.exe
Token: SeSystemEnvironmentPrivilege	4364	YandexPackSetup.exe
Token: SeChangeNotifyPrivilege	4364	YandexPackSetup.exe
Token: SeRemoteShutdownPrivilege	4364	YandexPackSetup.exe
Token: SeUndockPrivilege	4364	YandexPackSetup.exe
Token: SeSyncAgentPrivilege	4364	YandexPackSetup.exe
Token: SeEnableDelegationPrivilege	4364	YandexPackSetup.exe
Token: SeManageVolumePrivilege	4364	YandexPackSetup.exe
Token: SeImpersonatePrivilege	4364	YandexPackSetup.exe
Token: SeCreateGlobalPrivilege	4364	YandexPackSetup.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe
Token: SeRestorePrivilege	2956	msiexec.exe
Token: SeTakeOwnershipPrivilege	2956	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4516	4552	cmd.exe	79
PID 4552 wrote to memory of 4516	4552	cmd.exe	79
PID 4552 wrote to memory of 4516	4552	cmd.exe	79
PID 4516 wrote to memory of 4364	4516	downloader.exe	80
PID 4516 wrote to memory of 4364	4516	downloader.exe	80
PID 4516 wrote to memory of 4364	4516	downloader.exe	80
PID 4516 wrote to memory of 2616	4516	downloader.exe	81
PID 4516 wrote to memory of 2616	4516	downloader.exe	81
PID 4516 wrote to memory of 2616	4516	downloader.exe	81
PID 2956 wrote to memory of 3836	2956	msiexec.exe	84
PID 2956 wrote to memory of 3836	2956	msiexec.exe	84
PID 2956 wrote to memory of 3836	2956	msiexec.exe	84
PID 3836 wrote to memory of 4920	3836	MsiExec.exe	85
PID 3836 wrote to memory of 4920	3836	MsiExec.exe	85
PID 3836 wrote to memory of 4920	3836	MsiExec.exe	85
PID 3836 wrote to memory of 4636	3836	MsiExec.exe	88
PID 3836 wrote to memory of 4636	3836	MsiExec.exe	88
PID 3836 wrote to memory of 4636	3836	MsiExec.exe	88
PID 4636 wrote to memory of 7116	4636	seederexe.exe	89
PID 4636 wrote to memory of 7116	4636	seederexe.exe	89
PID 4636 wrote to memory of 7116	4636	seederexe.exe	89
PID 7116 wrote to memory of 3464	7116	Yandex.exe	91
PID 7116 wrote to memory of 3464	7116	Yandex.exe	91
PID 7116 wrote to memory of 3464	7116	Yandex.exe	91

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloads.zip
1⤵
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Downloads\ydx.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\Desktop\Downloads\downloader.exe
  downloader.exe --partner 39445 --distr /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y VID=731"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y VID=731"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- - C:\Users\Admin\Desktop\Downloads\downloader.exe
    C:\Users\Admin\Desktop\Downloads\downloader.exe --stat dwnldr/p=39445/cnt=0/dt=4/ct=1/rt=0 --dh 2168 --st 1724522195
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 53E4D3827BBCA6309BD740CE48CB5571
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\F0AA0854-FA34-4FD1-808E-EBE7A9710845\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F0AA0854-FA34-4FD1-808E-EBE7A9710845\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- - C:\Users\Admin\AppData\Local\Temp\67752217-B8A6-4DD6-9683-05871A3B7DBB\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\67752217-B8A6-4DD6-9683-05871A3B7DBB\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\5FFD01D5-DFF3-4D7D-88A6-0498A34FC565\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:7116
    - - C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
        
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\5FFD01D5-DFF3-4D7D-88A6-0498A34FC565\sender.exe
      C:\Users\Admin\AppData\Local\Temp\5FFD01D5-DFF3-4D7D-88A6-0498A34FC565\sender.exe --send "/status.xml?clid=2470973-731&uuid=8e545c07-e89e-42dc-8a4c-612778e46151&vnt=Windows 10x64&file-no=10%0A11%0A12%0A13%0A14%0A15%0A17%0A18%0A20%0A21%0A22%0A23%0A25%0A28%0A36%0A40%0A42%0A43%0A45%0A54%0A57%0A61%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"
      4⤵
      PID:2632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1AD4AF7081FCEC3C791C256F3D0CBB9
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\39F6926C-898D-4F0E-A996-2A08F03F3C5D\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\39F6926C-898D-4F0E-A996-2A08F03F3C5D\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    PID:6780
- - C:\Users\Admin\AppData\Local\Temp\4353F9C9-446B-4C12-99C6-54523BA322AB\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\4353F9C9-446B-4C12-99C6-54523BA322AB\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\FAFD83B3-31B2-4293-8B06-B6438BFA9C1D\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    PID:6492
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      PID:7884
  - - C:\Users\Admin\AppData\Local\Temp\FAFD83B3-31B2-4293-8B06-B6438BFA9C1D\sender.exe
      C:\Users\Admin\AppData\Local\Temp\FAFD83B3-31B2-4293-8B06-B6438BFA9C1D\sender.exe --send "/status.xml?clid=2470973-731&uuid=%7B8e545c07-e89e-42dc-8a4c-612778e46151%7D&vnt=Windows 10x64&file-no=13%0A14%0A15%0A18%0A23%0A25%0A42%0A43%0A45%0A49%0A50%0A54%0A57%0A61%0A103%0A111%0A123%0A124%0A125%0A"
      4⤵
      PID:7812
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A311C5AC2A0CB628C05EB79049EB5F1
  2⤵
  PID:7256
- - C:\Users\Admin\AppData\Local\Temp\F00ECE3C-DBAA-4DCD-9A0A-1E3F844D8262\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F00ECE3C-DBAA-4DCD-9A0A-1E3F844D8262\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
    3⤵
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\19D85BB3-DE98-486D-AF1B-C3AFD0C4DDBF\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\19D85BB3-DE98-486D-AF1B-C3AFD0C4DDBF\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\27A6BD92-CE6F-48F7-A629-68F6786E87D4\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
    3⤵
    PID:9012
  - - C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
      C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
      4⤵
      PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\27A6BD92-CE6F-48F7-A629-68F6786E87D4\sender.exe
      C:\Users\Admin\AppData\Local\Temp\27A6BD92-CE6F-48F7-A629-68F6786E87D4\sender.exe --send "/status.xml?clid=2470973-731&uuid=%7B8e545c07-e89e-42dc-8a4c-612778e46151%7D&vnt=Windows 10x64&file-no=13%0A14%0A15%0A18%0A23%0A25%0A42%0A43%0A45%0A49%0A50%0A54%0A57%0A61%0A103%0A111%0A123%0A124%0A125%0A"
      4⤵
      PID:5024

C:\Users\Admin\AppData\Local\Temp\{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe
"C:\Users\Admin\AppData\Local\Temp\{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe" --job-name=yBrowserDownloader-{8154E618-6428-4825-BA83-AA2F7ADE6224} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2470956-731&ui={8e545c07-e89e-42dc-8a4c-612778e46151} --use-user-default-locale
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6892
- C:\Users\Admin\AppData\Local\Temp\ybC52F.tmp
  "C:\Users\Admin\AppData\Local\Temp\ybC52F.tmp" --abt-config-resource-file="C:\Users\Admin\AppData\Local\Temp\abt_config_resource" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\49a43f9a-0d42-4595-8470-c9637db4c1e9.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=552705083 --installer-brand-id=yandex --installer-partner-id=pseudoportal-ru --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{8154E618-6428-4825-BA83-AA2F7ADE6224} --local-path="C:\Users\Admin\AppData\Local\Temp\{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2470956-731&ui={8e545c07-e89e-42dc-8a4c-612778e46151} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\d9277235-ff81-41af-ae45-3be6a690e136.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
  2⤵
  PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Luno\ydx.bat" "
1⤵
PID:5656
- C:\Luno\downloader.exe
  downloader.exe --partner 39445 --distr /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y VID=731"
  2⤵
  PID:6428
- - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y VID=731"
    3⤵
    PID:5088
- - C:\Luno\downloader.exe
    C:\Luno\downloader.exe --stat dwnldr/p=39445/cnt=0/dt=6/ct=0/rt=0 --dh 2036 --st 1724522227
    3⤵
    PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Luno\ydx.bat" "
1⤵
PID:5500
- C:\Luno\downloader.exe
  downloader.exe --partner 39445 --distr /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y VID=731"
  2⤵
  PID:6640
- - C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "YAHOMEPAGE=y YAQSEARCH=y YABROWSER=y VID=731"
    3⤵
    PID:7680
- - C:\Luno\downloader.exe
    C:\Luno\downloader.exe --stat dwnldr/p=39445/cnt=1/dt=10/ct=0/rt=0 --dh 2060 --st 1724522255
    3⤵
    PID:8068

C:\Users\Admin\AppData\Local\Temp\{B85410A6-8001-4C1D-9DC5-0DD0CFE974DA}.exe
"C:\Users\Admin\AppData\Local\Temp\{B85410A6-8001-4C1D-9DC5-0DD0CFE974DA}.exe" --job-name=yBrowserDownloader-{235C31AB-5BC8-41F1-9DA1-6941E865E833} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{B85410A6-8001-4C1D-9DC5-0DD0CFE974DA}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2470956-731&ui={8e545c07-e89e-42dc-8a4c-612778e46151} --use-user-default-locale
1⤵
PID:7592

C:\Users\Admin\AppData\Local\Temp\{70AC99BA-490C-4082-B3B8-1BC833927E63}.exe
"C:\Users\Admin\AppData\Local\Temp\{70AC99BA-490C-4082-B3B8-1BC833927E63}.exe" --job-name=yBrowserDownloader-{181728EA-8B2E-4FA2-8F63-068E50435527} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{70AC99BA-490C-4082-B3B8-1BC833927E63}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2470956-731&ui={8e545c07-e89e-42dc-8a4c-612778e46151} --use-user-default-locale
1⤵
PID:7348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5880d6.rbs

Filesize
916B

MD5
9c7143a35a1886426b9a3587b88c18d4

SHA1
870d6c02ded920458e00b99e0a75a20adcaa5992

SHA256
0ce4756406e186a3eaf4794ec6b9175d112731967c01935a69d3d348d3979f25

SHA512
fb4b6c6ae1e6ae65eb3a520f8b75587fdc32e56a2fb06f84d7b994095f116461fa18da8baec68842dcbb58239c8f43696b0204530b3d06e3531fee973ca295ad

Download Submit
C:\Config.Msi\e5880da.rbs

Filesize
1KB

MD5
94f0d5e153e0ae284f3bbaa48e525a1a

SHA1
6411116b4e433b6737d5eb0c207c80061f45fac8

SHA256
88ae0fd2c9d1c5b6416b2423cdf4c3daf670f00360784c033058bdf7c118af91

SHA512
a5217f21c7dd9856913b8bebc43b865095f42cac36fa394bfd514125f2a78e172d97401714817a1d5116db5471aa458e9857e1f5daa4e7dcec0c01a0bcdf5076

Download Submit
C:\Config.Msi\e5880de.rbs

Filesize
1KB

MD5
7683e61dd33f14a2d5bc09e1b4a58759

SHA1
dabcbb1eb5c544de6b2864dfb07c064e680da72e

SHA256
e3b60320baaa77844257f97080abf01fea8a2ff4a9390c127911591fe87f09be

SHA512
c44ee484cd7ee13ada3b8a5004bed72a057ed2a4257939a3c865350f6c75a87cc3b9674bd684a4d9507960b6570a2a9821ee253c106a2358a0b3e0eb544038a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
1KB

MD5
00ac77617ce1cc2ddeb85418e479aa25

SHA1
e042ff5a50fc7467f737eb4626ac87ddf17ec4a9

SHA256
f2320c6197512979cfcc9036f08e27dff44d7c4731e712f06c727f6e7e3a025d

SHA512
a106c924a0d328698d793b087ad6130ecf39da3fb884d2f30ec0c476de839df5fa7acaa4fb7f95af42128271d44414adbe78f673830958d86e5e34134f5f605a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
77b24bb996c2b458a38d4c6b49ff8ed4

SHA1
32a3e49dd0598380852414f709ee8917a9bac002

SHA256
39fc8ec37abcc26237eff907b62d91d486da1104ddb1d08cea9f636ab38f26d3

SHA512
9122792eab258b1149bfb7656650b6d05c984b79fd3f8c0f582303ded9e42b23c0d7eff7f194763f138011ff3ab581414330bcdf1ad9b692fe8ad828d60735db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

Filesize
536B

MD5
2d2ac77945c099cb723d7dafee803a41

SHA1
f01be2ac885b4abc621de055de669ac3d6d1b8b4

SHA256
739ec3b063e0a00386de786281e776ef816fdb8cac937e37815ba1e35d1f3456

SHA512
6d9ddacc785124f278e7a58a67ba67b13c0ee80f63217b8c2ffbc4b22df94d49fb76971eb3bac34c5936d1d309a08292eb4652e0a5370c1a175463a9631b57ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
551d8ae9a26f3804b85bee38204fce36

SHA1
99d8fc5393a0dac91c556579e1e299514525dc2b

SHA256
d6b70e5c085e76522f01d7eeb05eba27fd051d524dd1dddc61fd763b64a0ebec

SHA512
d3b8ab2d4d6989d19db1f640d417a15b86fcc0792245aeefa615053aeb29d1ec80d1ce4b0a939f92601e459acd160e1c32b6fd061429f71b6f5db3332a910955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\www.ya.ru.ico

Filesize
5KB

MD5
a6f6261de61d910e0b828040414cee02

SHA1
d9df5043d0405b3f5ddaacb74db36623dd3969dc

SHA256
6bb91f1d74389b18bce6e71772e4c5573648c1a4823338193f700afdf8216be5

SHA512
20cb7b646c160c942e379c6e7a1a8981a09f520361c0205052c1d66e2fdb76333ffaaf0ca1dfc779754f0e844b9946900fbd5690d01869e1607abc1fda6dffab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\119NURWM\info[1].rss

Filesize
267B

MD5
1624f4a1e637e4a958ca214764ad4d02

SHA1
4cc8a668178c5ed1b3b40077a9cc890f2d7920e9

SHA256
69e56887caf622cda9ba6380bfc46bc08ba2e80361d9b087b79bf12d40b07f75

SHA512
239c21bc060b10eb350d4a69700189d61136f09278c1d41004310d151973ad8e56e62a39bb2700481390b4a11904c727dd4ac555b43f56d3046535052db1d551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\48MIK6Y9.cookie

Filesize
282B

MD5
bf916ee993c54a940ad2237b0a1ce0ac

SHA1
9be8bff340c4f57fea767197948ce6adf0f2e28f

SHA256
65c82e28d3d02d54ff0c1f188de6bd5882b11ad619858127206e3c4f38e595c0

SHA512
7b1f605bf219c4a127d1b1efc19cb75539dde3070353a470d4402876ea995cf7ba3008f09be2c536e8ce623c27888ddbf234fc81b8e6338e76ab7f3bb9b28703

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\thumbnails\0dd350dc4ce9f0a5038fbfdbd3bd7916

Filesize
14KB

MD5
998228b70e357630b290d2d8816c25b1

SHA1
216440afe56e95a003802aeb28412b8302334c26

SHA256
a61c9c82b6cf7b583bf6c664b343501fc37ac08fa75bf15b01b3aa4ea11297b5

SHA512
53bdae4da0263a09a908ed1c385ca95467d6a6af95b3dc4fbd78c455ef06e71e1668cfaaba7fc9a41a2aaff08aef00ccf3a7f1dc9bb68d846fb0bd8fdf187993

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\thumbnails\9eb9f427dc65798f5268c806dc17a310

Filesize
15KB

MD5
af80a936c10e18de168538a0722d6319

SHA1
9b1c84a1cf7330a698c89b9d7f33b17b4ba35536

SHA256
2435c0376fca765b21d43e897f4baa52daa0958a7015d04103488c606c99d1d3

SHA512
9a1325c8ce05806e5c161a4cf47239f62baad8f79650fbd713e74928fce8171ced10ba7f24fac46c548e1dbf3f64106270cb25ca88c836c870107f5dc1f97879

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
41585762498e067eeee0465f7381b1b1

SHA1
4c35a5c8406480415e3974fb950508ad6324e525

SHA256
f8f94b565a59e44df57c55266b0efe95f96535acfaa92b7870501bbee7c66da3

SHA512
93205408b0ba9909fbd262be75696afa0b8cabd1e9ed82b5f4c129bfc96b145d7c3197a7b460a3ea419b3461fb5471cf4d4252437c74fbd0865cf3cd22b2b9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FFD01D5-DFF3-4D7D-88A6-0498A34FC565\sender.exe

Filesize
260KB

MD5
f1a8f60c018647902e70cf3869e1563f

SHA1
3caf9c51dfd75206d944d4c536f5f5ff8e225ae9

SHA256
36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577

SHA512
c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\67752217-B8A6-4DD6-9683-05871A3B7DBB\seederexe.exe

Filesize
8.6MB

MD5
225ba20fa3edd13c9c72f600ff90e6cb

SHA1
5f1a9baa85c2afe29619e7cc848036d9174701e4

SHA256
35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797

SHA512
97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6792f70a-9643-4d5b-adba-d908352c9a71\market-455x256.png

Filesize
5KB

MD5
2d0a37bb716f9ad9fb916eb8b08d34c4

SHA1
48658fb5f716478bcfa239ba635589184edc33cf

SHA256
a08d93fef42579ebf000b3496ae50837ba14024fd07df04304534de480c72a1c

SHA512
15216319722cd68b7e0018cfd360a3ef3ba512a0686646677b51f4926ee8290f984e72fdd5a815dc5fdfc7170e8d9b2f207413574c96c7189291140475fe959b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6792f70a-9643-4d5b-adba-d908352c9a71\realty-455x256.png

Filesize
6KB

MD5
e05d28ab78d61968a7132eafe61f54b4

SHA1
dcf260ab7cdea7b6fc934e54765c964c1a20bd36

SHA256
cbd302b0ea2218f495b9f0a814f34733f2c5f13a6634d74c6e85a5c0863b5621

SHA512
ebea612bf803692fa3c7b2573c58f2e43fba0f7039e01b57203978cf69b6f8ca538b563791a760a7e901bb5e392879bd57bdbdb69b6a3781a3886fc0c01eddc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6792f70a-9643-4d5b-adba-d908352c9a71\ya_favicon.ico

Filesize
17KB

MD5
ea6ee9ae02402932201de0f23615e815

SHA1
17629127d63b37da0a2a2b2b196110d85372707d

SHA256
f7383af8817bac1d59207a2080afc6b0dcb61a091cb1190d25fe18363838f8fb

SHA512
918fe91a99e0e99e9cc6d17fdd5c2c9b3cb03ae8037681c1875faafc73c05d74fb29b612ea5de867ba96c158dc35fb28cf3f39487bf56f8bf4c6f3e6aaa2cf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

Filesize
10.1MB

MD5
a8155bd455d44bab1bc051d2298a3deb

SHA1
c224301929c1e9534c26fce2d278242e0d18fcbd

SHA256
b6c692edb83040735ebca483160bb2be4658cb89524ae24d4ec2732328839ee4

SHA512
7f07e41612afe32329b80648a05c2b568834d00a6521007e02086d358fa0127995f7ffd12b07eac4726ab1df80b445e9eb677a7fef20ef3a02963b2de66a5fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\seed.txt

Filesize
5B

MD5
b8d1200c2569eb9ce9c29e1698dbc84e

SHA1
a70e4497c69720663a3690b90e9f1f664c40e86a

SHA256
80267d197b3c108c82c3e2098da25ce0b28270aa91eb4875159c42120c297000

SHA512
4eddf0c82544d8bbe9f1fc59f063e5ac37576c5a0638a8e60293bbb9a7ad756c445ef3ef17d61332e4630ba1abb4310c8825f404fd7f7f3aafc6c98e31190c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\seed.txt

Filesize
5B

MD5
84b077a6d1ec15291624d4ccdfd9dd77

SHA1
e5562088f9a544e8e596d8a82cf8c7d05fa18e6f

SHA256
6a4a3a5aee4e9281ac93c55e773800cefc24f64ddc3c2cf7b5a62ecf2d09ed19

SHA512
6edf1e37fbc53bb1856025fdd3bccbfb80e2fb39063df5a8a4bae437ec284c07b23ac8cbb59799496981f75e747d1d10cd6c0ff91ae28171be7940297b78b9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0AA0854-FA34-4FD1-808E-EBE7A9710845\lite_installer.exe

Filesize
419KB

MD5
aafdfaa7a989ddb216510fc9ae5b877f

SHA1
41cf94692968a7d511b6051b7fe2b15c784770cb

SHA256
688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc

SHA512
6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
1KB

MD5
086f272f581841cd3fb6be8adf80fd6e

SHA1
ef5dd0487908dc02d71eaf5e9c22e52092b8dcfa

SHA256
4640cb03ecdbc57133dcf9c51f2f5865651b7adb833e36ca7d29961c89747193

SHA512
0fa17e51722fe66712e43175e649340d052994f3e931446ca30e701d05ea66297cf0bbdf9d4057dfea1ab89148c55625fb29ef338c08e804483e7a23e9636a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00001.log

Filesize
3KB

MD5
2cfebbdc2df17aaa1ca60b6b899bfb58

SHA1
ede3653ae271579613b3cfa8251fb52fa3848b37

SHA256
11421ce96b214938a71795fb6183682893719f6e2c7b51a3adbd79245275cd52

SHA512
1a30eead30c56a614f3bcc5115a1cd21f8c3501de3cb418b4d6e0e6d9dfc87d206a90705cd8233e91d4d27d322c80a7159b42ea581c1eb44806c24bb5208d4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
710B

MD5
edf77221f5e7e7a7646a0562fb92eca6

SHA1
251ec447a7357d8a8dfdf5fedd4d6392f41a56e1

SHA256
acb97452b8e5fae29d721e7d45b2788f29ba52ad38a2b96b6d8b144ea57624c1

SHA512
b7d4efeb638a16c46cb4f17cea486000ff10faf78d7ee74edc2c91f2b963d102f52bd392b5558d89622c0c2bd937b0fde4ce75f6899af2e816ee60348abd3485

Download Submit
C:\Users\Admin\AppData\Local\Temp\d83f9704-2bc6-4baa-87a1-acb01d23fff5

Filesize
92KB

MD5
64408bdf8a846d232d7db045b4aa38b1

SHA1
2b004e839e8fc7632c72aa030b99322e1e378750

SHA256
292f45b8c48293c19461f901644572f880933cbbde47aedcc060b5162283a9fe

SHA512
90c169dbae6e15779c67e013007ac7df182a9221395edd9d6072d15e270132a44e43e330dfe0af818cf3c93754086601cd1c401fb9b69d7c9567407e4d08873b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\auto-216x132.gif

Filesize
4KB

MD5
df6acf1731329d34d4d97491d759647f

SHA1
f475e11f4814c105c5199226674f2aad121926b0

SHA256
b11c1c75a3283c8e730168d48a51644b60920c345117d192e06ca4a223cf3c51

SHA512
6d20733f000c49ed04f03d22f2fa185085f6e9ba19988b8fa7e72613b4d0a86d600a1bad89007d36078d7f73fb939a4e73428992945ef07ad234bb6a6d3ad8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\auto-32.png

Filesize
996B

MD5
984514728b611180272468d5743c125d

SHA1
5bcd8e5721f312ab1f70297e4d7b5c207ffba4eb

SHA256
73b3fbe7e75ba1ddc8a4b8c31a0c10276d5416ec6a77cf67b10e652b5ff50f14

SHA512
f9578318dfd421f7f3a3327dc682004c186c11da28080e2d338f8889a975baa3356f114227e803692657327bab8799e8dd0319c13b9a61c0b877ee693517e519

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\context.json

Filesize
24KB

MD5
c438d94784328c60858ccc478e7c4746

SHA1
66a2fe77a40b26308aac7e3c3bf6ef40f0e883d2

SHA256
df9f7640d1d3971c49f00cfba133fbca01592ad2f83c4842f7a9e8c7dad6f7bc

SHA512
691c7b38479a70ac3775efc86a0645c3cb2bb44ae3ce0168d5c0d74fb0e44153a546011d735bec7e7c89710dbb5befba5edc6170a443acbf5aa60a0943d587a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\mail-212x132.gif

Filesize
1KB

MD5
0ce49cdb25e83eda5f8bede63b67a7c4

SHA1
3d9068f52a6177bf7b31ee60bb794f90b0869dbb

SHA256
a76522485f3349ac13cb17adc2245463b1b8098093a1d5da86eaec20fe5e6ca5

SHA512
c9ac341cf45eea350b1ea383eae67d5b0cac05f4cba60004123434a17d0dc58565b144970926b303b25565035b2bf9bc1efdae358481a0b8798aa78a7a9179b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\mail-32.png

Filesize
690B

MD5
b2dd51366fd816db50a8adef7807f359

SHA1
3239124c6acdc9e9bfdd17e71333839482cbd6f0

SHA256
aaa76a714424b813e0113a4ccfa47abeba05f707e3c82f1fd30228f170a57b03

SHA512
3b01030e814521453bd8e30ed2eb83f94d6710a88b3b85fd2826cd9956b7a4201023192bfed26384005af4447ab1f7dae2716e0f33e181453aa0826703b232e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\mail-455x256.png

Filesize
2KB

MD5
32b5af111ed160146c8f538cdf860fb8

SHA1
b745773601d04cdc2f0ebd4154f634480b583595

SHA256
e7c08b6fb7fedeffa2d28bd2063b6667fb76ee46c41c06d907bfb067e740e552

SHA512
248211eff45ef50979724bddb93bda1b109b6c77f2bbd215f27a633fc6f918ef6353f4cfbb2beca5d8f0cd21dd0e16421b5c41a9b6fa7267d052aac81ad4e9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\market-212x132.gif

Filesize
2KB

MD5
78aa6d9b37c2086655ead9201c83e8c6

SHA1
64fc31a0e779852ca8937c9c6185f3b1edc2660b

SHA256
6d041d5b8120c802d3339b743d1f2a3d921247ee36239b60b07b70903d1af3d8

SHA512
0648fc4e68b2be6b5d93be9b695d7e8bc208763e172d6d372db15b14ad5b2b2bae4211fa56824b0f6ed19c9be01d14a6c3bc063171635e7526fc4e3b8a662eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\market-32.png

Filesize
680B

MD5
05cde36de2b2e94d3322fba16554fde5

SHA1
f0e32d221684821669cac6a8523f93c116e40b50

SHA256
ae05465bfbcd33620690011c9d65e976ad4a5a5bea10bf5770922ed565262ee9

SHA512
d61722923e86b684ae47ffd6b6fa22db82828d0b8c20335bc638e90bf49f0fa9cb94838c646365ee1fa22d67d8a30748dab91ac55d0e171d4a6b7fa6a7202c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\morda-16.ru.png

Filesize
493B

MD5
e52b9f8824ee78c44ffff5cd420f4b51

SHA1
56a1a296d4d1b8b3a4503dbf55164902ce71fce8

SHA256
c95bb9cae25cbd9e0cbe8c1d1f81cfcbdbc1e31295dfb34680ba84f4c089202b

SHA512
334fc739e8e676306d74c1deed831744a6abf7d860f2f54ad4fcd2ca711b41902016e1ad3853ce10489b68009072b31f6ca28e85b9c167f3b1fea7f500df7b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\morda-216x132.ru.gif

Filesize
3KB

MD5
cdf6e36ec1cededb4a075a6d487173d6

SHA1
88ba18186c0593c948c607ae8520ac6fa70b4aca

SHA256
4e6237574547ff380b4f1edb192141c535b7e6aed9c3eb884ed07ccbb750a580

SHA512
b0f62d89d5bb7b520b36489f81c7b7fb7af64e8621ae67bc8b430022bfddacaaf475b702885bac974e6f52faaefee1bc2f2326cd7c0d3b38ba8259dab9a617cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\morda-32.ru.png

Filesize
850B

MD5
d590a318360c608704610f973a998c84

SHA1
f2515a4c72c3ce6b04673fb95da420f624d66461

SHA256
069168f466513821ac5a362ef14184ec67d8a12faf6a734c7c5d46ff1913b892

SHA512
ee3aa2413a660b929eed9bd0280a95c9b3993c7095c673866afc6efa483fe9ef55deff72333f09f42d307158e60a339a5faa0105b69c431b5bc75c31f9339790

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\morda-65x26.ru.png

Filesize
1KB

MD5
ae88efb0a3f1e74f8cb2ccccfb1103b2

SHA1
52991757085c2789cd315c91414a0b0e5f932575

SHA256
83c7ab82f9f3e1ca7319deda0fd07047a4f37ea43be030340c516210f820deca

SHA512
a08cdff122808512800cef646cbb0380b9cf91fbdbb1dd7d6e7fb01279cc44cc39818dfed1deeb8a0eb770aa9015ee75ae882b0023f4ec9ae90605c13b289a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\realty-212x132.gif

Filesize
3KB

MD5
e93a8b442a3e31f17a6df25c0a4190d2

SHA1
ff72067852ccbb8c467046732a1ac9ca80a2dfc3

SHA256
a4bcc6d9d004579fdd398f1f68adf13625a9a43fa2bb6b24f3e09c62fe040f13

SHA512
44d92ea6e1deced6e559e9d02afafeb41ef41ee99c653b0c9fcf3f7c7e73c9528a3533ba3591e48af69b058fe04dc0f83a6e2a977d834bcc11f7bfc82124ac20

Download Submit
C:\Users\Admin\AppData\Local\Temp\d920ae4d-f6f5-4b60-8a83-9127d8378ce0\realty-32.png

Filesize
528B

MD5
3c5f9c0b4b180f6d99a26a9258eb1739

SHA1
c0fcdbbe71a9ca838abe0152be259b6922e9a64b

SHA256
11a094a919752219dc5ae1890249c2a661df33bcd4b9164f406aaedd78e74ddc

SHA512
f78563d9323bea0cdce384f251b7db82400c221ccf7fad38e0ff73120320cfd011bb25e63613955b0aa9b1dd1754050fe54d30ae83af3b7c1dbe21ae85f548d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lite_installer.log

Filesize
9KB

MD5
65745fc80ffac5ed0938ca7c1aea339d

SHA1
6a1908ceffdfdee6b4209a88b3bc0aceed77fca4

SHA256
b65048f2b6a77a9596ad03a7e7690105f08a914f1eb449c8f8c2df63b5285db8

SHA512
a2fd5bd654d28f32c26c1acf759cb0cc355a5d6b646e21cf330deac8c629d53b058cf6996950e2d9c2ebab3073aed5c5c6593ea050502bb4b0acd129a25b559d

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20245624.zip

Filesize
12.5MB

MD5
6ed3e42f351a155ac0a4937f5738be5e

SHA1
3fe2435ca7e61e32cb74ee00488de33b502fe8db

SHA256
38cbe2cb904e782d6ef564cd74f810c115ab5c40a6a138ab1de9948e0c6dcb27

SHA512
5d1c99eb3ea2139cdfd773eae08ace4c1786b07ee382ca406b6e10e07157c8c99c34e6d12a51ea00e5c20247e4c8767e27f46f735a145c854824084ef40a61c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9012aaaaaa

Filesize
2.5MB

MD5
fefc3d677388386c29d8720c15b9db3f

SHA1
370f1f40ae5c652d87b3b8f42e67d827af2b1754

SHA256
74d5e8d3cd8d659d8df8e6f306832dfc252e1a6e676bb60334e31b5943deb4fb

SHA512
b462ca1ffb0798bedc39c945daa75ff73e0efbb1c6dfdb262e6b2936158933f514f0b4169e811069df11aaeaebd39c826ce0caf9f6eb6d77de249fca6abe39fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
502B

MD5
cc7a69c791772f13646b376a5525585b

SHA1
c15e5c7a5c5b1cc04e654d5370c8a8f8330a8bdb

SHA256
60790e937b6c94f025f9562af0718f3988990ba359c33024d1f6afdcbf20cbc4

SHA512
14fd6700514937c559497c3c2590190d1c7b1ce6b117c882cc6bae95db6fa20e7a75e239d8c4ff71069c645cf0cd8cf802832d2f2c51bf552b6174a2c1182bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
177B

MD5
454b0a0eb278e8724622fa52b8f75c72

SHA1
264ba045872641db4f530bb9c09654748783d39b

SHA256
ec676baa1e017598f3cfc632147b7db661e5f354882211fa142897fd68c70572

SHA512
068beedc545125693fc94b8c03d2e784aceee93a76c70205b9d000ee25c00ed679bf6758129114139ee2f7993902b0b128375d09152bcd6819f292bcf1644aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
509B

MD5
8c9aea552a2908edfb9b3fc41f71fd40

SHA1
f2942e9a1de78d1fb033c8b41e4bab377d4b6561

SHA256
cdc30ed5b11fdfc3c5f128ae19399d4de1fccb64206cade0fde15a90c6287f6c

SHA512
1f839e632cd72a5c5a96d3841fc975d2bff072163276d3fad99958690002674228249d3c3126fbd44675f47ad1665e6ca8f80f603189c41eefbdce4780b722a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3BE5A52C-DFBB-4A46-81B0-2CA76A6D2A9A}.exe

Filesize
10.7MB

MD5
5ce0ba4d14747ac9fd754f54a46af21d

SHA1
2628f462449b5162d3d2c6af69786c26b40bc3e2

SHA256
9ad667a1bd609a1969a57838ebc0ef41041b540f02b91d8f398abb58a331355d

SHA512
fb7a7cf30609b503528e5889da2f35aeef51e12415c5371181963b4e0dc950f6ebc1724776a4ea12e15f0861978dd7023b707e9cd56a5c475d0b0ee9c95abe0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
9.8MB

MD5
0ff8f8e60b32a474b802224d356a97fc

SHA1
27c0ffdd84c39c3eda1733fdf883da4271662f95

SHA256
62180eec1a75fefa474fae487c7a304d10f67f2a6d61b62e111270ad2e46d6a2

SHA512
1a180f611fee1b4909e3644aaf054ef11341ba9ba7cb774e3aa1a24a46df18b857a100575407513c869d10a50e68990133b0f8f17a5d5e2d4bcbe65567f132e8

Download Submit
C:\Users\Admin\AppData\Local\Yandex\BrowserManager\data\SeederTasks\thumbsv1.json.tmp

Filesize
40KB

MD5
0f3ebd14cb9581e878ff746d5e3cd530

SHA1
3f8e62b88e6d2821ae32a63e7105faf006303849

SHA256
1bfaaa3a70075280de0b021b19e01f29c9ebad57263d16679baaee06b2c6e0de

SHA512
87680b76f16388a2d21c8d3aa0a69812e485800db9f33b891129a2183ee290c6b723c9ad3fcddea7acdb13a79bb4ed6b1c909c2969a943e0da23867f4b8a7fe3

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe

Filesize
397KB

MD5
95828ee007d3586792d53ace50b2357e

SHA1
3501ccad7573fd467911f207155318db3a1a1554

SHA256
8c4be5f1bc4e2f73d4396af48a31bf10362006472e9b28f40aa91f73a3815f12

SHA512
9896eccb178fd772fc92e5793340bdbc1bd6169465d9a739df06c1154edbce16f6db5dd50df426ccbc40d8410d4ef170c3fb0bc700e7778149ff2168409638e7

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

Filesize
2KB

MD5
7b0bf22c84dbb454835aa99f1ca1f609

SHA1
c121f6d7aacbfabc26839e3c61a1ae782640950b

SHA256
488bb2cf8ac270ba2022df54cfa537a5b7bdf2facda0d4b5d6c5891104e1b5b8

SHA512
a3bd4fd013990dcf184fdfe9d7f69c0818b3cfff0b7730234d94a5e4244df7623e7322ae6a401c8c8237d2f968aa2e103a7e521dede802182be8c97b69dfd102

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

Filesize
2KB

MD5
2f35cfbc1c2134d91cb0c054b3a836c3

SHA1
689ce08f5943587b7b0abb02137916cab248b654

SHA256
a3b867bb9c1dcfa751977b01dd2e15290ebe3ea0ca45d581b6ad5befc4d3f877

SHA512
90613725f71cba3e4c4ac6c2fa7686b3ed4ae7ac478023115fdc36f8102759809688dd9252e636c42c53b3745acc19ad729d18eebca73defa5e0923eb72c15a6

Download Submit
C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

Filesize
2KB

MD5
355916f47809e856386571b8c23c4612

SHA1
f51370655f1056138fcb742d21f2bc75f3c81e15

SHA256
6ff456a01ecf0522cbca06e4e7c1441e56fe7c88630b53046b94f3a88aa72ba6

SHA512
c18df415c2ba646c1866da39bb49b48bbc37293c27a3353883fef1a671c31cf6e82842a54941ceba6b2793d01366a30fa553357868ad1dccbdefa76f77c4905c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Яндекс.website

Filesize
515B

MD5
9fdc6120a4ac68ba4f22b0b0365ef04f

SHA1
6af63d1209bfc04f7a18d498ab6d647e8e5d2939

SHA256
61a8c272666aecb184d624365b42d707b9e9263e36445ceb54db1c84a5f6abb9

SHA512
16315c54e8dc7d0dc7a452dd2ce80bff4bcf5e50521fdb4c3ac62f30238793a6ed8aeb5a05c42526ae1179773c00682ba18ac027217cc19b6279750beef396a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrz32a8p.Admin\places.sqlite-20240824175651.177388.backup

Filesize
68KB

MD5
314cb7ffb31e3cc676847e03108378ba

SHA1
3667d2ade77624e79d9efa08a2f1d33104ac6343

SHA256
b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

SHA512
dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrz32a8p.Admin\prefs.js

Filesize
952B

MD5
e8b0fcc08c5ece326e326013ccd0dc24

SHA1
1c4a4c27750987732d0ee660d8130ab90be5498a

SHA256
12612625a75cb0adb03992de138eb6f1f2a0122be9830691de77d84edfd7f5cc

SHA512
9437f3744a90487169595b11e585dbd9cfa23069184d302f01836ab10570849cfeb0f7774e8fb0c28896cc37f43a774e7af99e54146b3ad3870fb2e460995595

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrz32a8p.Admin\xulstore.json

Filesize
82B

MD5
f52b666a313d61688358308814496763

SHA1
6a1ac6b234fd803e6be4f22c7efbdb908ed46523

SHA256
900fd06508d837bed822a58ecad68a452bc54c8532226ca0725726baa9b527c0

SHA512
a8c84222e22e03009ed765d517b4408ef756459dcf3d6994eb485e9b1394fc2faa4ebc53e2f620742c3ddf47ec48d8b4e486bbc33c6ac2a0d3ad2d426ce47d00

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240824175653.583619.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\BookmarksExtras

Filesize
25KB

MD5
5619d0d1fa35fb3b166212030956a99a

SHA1
76ca0dcbf62ae55d5f46ef7313da25f47a248fe9

SHA256
b4d989cb82f6a5ef1018f7a3b18d1647d266b9a96a0c87282f229e4afe35e216

SHA512
f585278855e900eb1557f3c6bf878272907f2fc0c1e06f42700b396589e1531455b4b4bd703c5e9c9c0fd3bb4fc9182820c2ee988f97372efa4a5c0676697759

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240824175653.583619.backup

Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240824175653.614882.backup

Filesize
318B

MD5
f584dcb2b2298460c29abc4ba66b6b1b

SHA1
7a008203efff4adeaf8ef94b8e2f45482e3eaf3e

SHA256
5d064f818011a11d9632f75276b614fff477a9650b82525b1c8627d5f689bc10

SHA512
f811ec1d2ca2f716e694efec691e36247517f2b67680bcc1fada7bad5230d6dbc8d82f7c10e3b85235d0831a0df9940b5730e7423b483ecb365852e49e8d0203

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\clids-yabrowser.xml

Filesize
692B

MD5
24548a8dfb10b7f881c415e44ce47ebb

SHA1
5b1bffa5ccc60a490bc09c36330770cde0846312

SHA256
a10c899b7e56a008959a5c2cab14da4b66ee3190c8d91d837c273048cc25f562

SHA512
6b09bb397596db33d63b067c98fedff755194f6e0b6a7e10b8e8c3e8b138a9a8dcef4585bee1d356b79072bb319715600cec801e327b72c46c66f715da554ad0

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
6e51858a3020887e3c9b7a3dd987e892

SHA1
69eaeded9240a4c6e028f4ee6cfdc2d638f6ca19

SHA256
7486618b9f800f07c44529b9391c53a662d49501ac7df23e7448ff387554f010

SHA512
ce1212dfed98bbeb28d6143679e12971b27e5cf5405b43c0bfd01581dcef7a535d4ebcb101020f03c1c9e18ff8e53e2e076a990ed5e861565b4f1073fee1acc7

Download Submit
C:\Windows\Installer\MSI8623.tmp

Filesize
181KB

MD5
0c80a997d37d930e7317d6dac8bb7ae1

SHA1
018f13dfa43e103801a69a20b1fab0d609ace8a5

SHA256
a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

SHA512
fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

Download Submit
C:\Windows\Installer\MSI877C.tmp

Filesize
189KB

MD5
e6fd0e66cf3bfd3cc04a05647c3c7c54

SHA1
6a1b7f1a45fb578de6492af7e2fede15c866739f

SHA256
669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

SHA512
fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

Download Submit
memory/4636-8203-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/4636-8147-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

Filesize
64KB

Download
memory/4636-8174-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4636-8171-0x0000000004D80000-0x0000000004D82000-memory.dmp

Filesize
8KB

Download
memory/4636-8168-0x0000000004D90000-0x0000000004D92000-memory.dmp

Filesize
8KB

Download
memory/4636-8166-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4636-8165-0x0000000004D90000-0x0000000004D92000-memory.dmp

Filesize
8KB

Download
memory/4636-8186-0x0000000004E30000-0x0000000004E32000-memory.dmp

Filesize
8KB

Download
memory/4636-8141-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/4636-8202-0x0000000004E80000-0x0000000004E82000-memory.dmp

Filesize
8KB

Download
memory/4636-8287-0x0000000004E70000-0x0000000004E72000-memory.dmp

Filesize
8KB

Download
memory/4636-8290-0x0000000004E70000-0x0000000004E72000-memory.dmp

Filesize
8KB

Download
memory/4636-8296-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4636-8291-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/4636-8293-0x0000000004E60000-0x0000000004E62000-memory.dmp

Filesize
8KB

Download
memory/6492-16642-0x0000000005650000-0x0000000005652000-memory.dmp

Filesize
8KB

Download