Analysis

  • max time kernel
    755s
  • max time network
    753s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    14-04-2022 16:41

General

  • Target

    discord-install.exe

  • Size

    3.1MB

  • MD5

    13d129d5ad4bf7234bcfdc21422e56c0

  • SHA1

    6395582b82d5cf79373ee360eeeaccba7b57e6ef

  • SHA256

    9d4f9aac1933e09f5ab82d1e247c77e624be93d086a81caf116af28555ddcc3c

  • SHA512

    8fefdad0a44e8058def613d464c8b040a969faba3c474ad310bb13f98e957795bdfc1766ceee137a1d91a713ac8092663c8cefe06157b3298682baebed1df412

Malware Config

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Registers COM server for autorun 1 TTPs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 13 IoCs
  • Executes dropped EXE 64 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 30 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 18 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 17 IoCs
  • Checks for any installed AV software in registry 1 TTPs 59 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 15 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 13 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 26 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 13 IoCs
  • Modifies system certificate store 2 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 26 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\discord-install.exe
      "C:\Users\Admin\AppData\Local\Temp\discord-install.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Users\Admin\AppData\Local\Temp\is-CEEKP.tmp\discord-install.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-CEEKP.tmp\discord-install.tmp" /SL5="$B0068,2381405,843264,C:\Users\Admin\AppData\Local\Temp\discord-install.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\unzip.exe
          "C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\unzip.exe" -o -qq pack.zip -d "C:\Users\Admin\Unosetup"
          4⤵
          • Executes dropped EXE
          PID:1660
        • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\downloader.exe
          "C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\downloader.exe" --partner 7053 --distr /quiet /msicl "VID=119 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:424
          • C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
            "C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /quiet /msicl "VID=119 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:840
          • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\downloader.exe
            C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\downloader.exe --stat dwnldr/p=7053/cnt=0/dt=1/ct=1/rt=0 --dh 2556 --st 1649961715
            5⤵
            • Executes dropped EXE
            PID:3800
        • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\360TS_Setup_Mini_WW_Coin_CPI202205_6.6.0.1054.exe
          "C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\360TS_Setup_Mini_WW_Coin_CPI202205_6.6.0.1054.exe" /S
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1280
          • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\360TS_Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\360TS_Setup.exe" /c:RU.Omgm.CPI202204 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:220
            • C:\Program Files (x86)\1649961748_0\360TS_Setup.exe
              "C:\Program Files (x86)\1649961748_0\360TS_Setup.exe" /c:RU.Omgm.CPI202204 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
              6⤵
              • Drops file in Drivers directory
              • Executes dropped EXE
              • Checks computer location settings
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks for any installed AV software in registry
              • Checks whether UAC is enabled
              • Writes to the Master Boot Record (MBR)
              • Drops file in Program Files directory
              • Checks processor information in registry
              • Modifies system certificate store
              • Suspicious behavior: LoadsDriver
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1392
              • C:\Users\Admin\AppData\Local\Temp\1649961751_00000000_wscreg\WscReg.exe
                /regas:1_1
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:2528
              • C:\Windows\system32\bcdedit.exe
                "C:\Windows\system32\bcdedit.exe" /set {bootmgr} flightsigning on
                7⤵
                • Modifies boot configuration data using bcdedit
                PID:2556
              • C:\Windows\system32\bcdedit.exe
                "C:\Windows\system32\bcdedit.exe" /set flightsigning on
                7⤵
                • Modifies boot configuration data using bcdedit
                PID:3536
              • C:\Windows\SysWOW64\regsvr32.exe
                "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
                7⤵
                • Loads dropped DLL
                PID:3848
                • C:\Windows\system32\regsvr32.exe
                  /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
                  8⤵
                  • Modifies system executable filetype association
                  • Loads dropped DLL
                  • Modifies registry class
                  PID:3824
              • C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe
                "C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1268
              • C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
                "C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe" /installsrv
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1184
              • C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
                "C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
                7⤵
                • Drops file in Drivers directory
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:4404
              • C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe
                "C:\Program Files (x86)\360\Total Security\modules\KB931125-rootsupd.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2820
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
                  8⤵
                  • Executes dropped EXE
                  • Modifies system certificate store
                  • Suspicious use of SetWindowsHookEx
                  PID:4892
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
                  8⤵
                  • Executes dropped EXE
                  • Modifies system certificate store
                  • Suspicious use of SetWindowsHookEx
                  PID:3996
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
                  8⤵
                  • Modifies system certificate store
                  • Suspicious use of SetWindowsHookEx
                  PID:5704
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
                  8⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:5784
              • C:\Windows\SysWOW64\regsvr32.exe
                "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"
                7⤵
                PID:5904
                • C:\Windows\system32\regsvr32.exe
                  /s "C:\Program Files (x86)\360\Total Security\safemon\safemon64.dll"
                  8⤵
                  PID:5844
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\Unosetup\run.bat" /build=[discord]"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:964
              • C:\Users\Admin\Unosetup\UnoSetup.exe
                UnoSetup.exe /build=[discord]
                5⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:688
                • C:\Users\Admin\AppData\Local\Temp\is-30DQB.tmp\UnoSetup.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-30DQB.tmp\UnoSetup.tmp" /SL5="$601D6,2626563,897536,C:\Users\Admin\Unosetup\UnoSetup.exe" /build=[discord]
                  6⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4292
                  • C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\unzip.exe
                    "C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\unzip.exe" -o -qq images.zip -d "C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp"
                    7⤵
                    • Executes dropped EXE
                    PID:3776
                  • C:\Users\Admin\Unosetup\Downloads\DiscordSetup.exe
                    "C:\Users\Admin\Unosetup\Downloads\DiscordSetup.exe" -s
                    7⤵
                    • Executes dropped EXE
                    PID:5104
                    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
                      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . -s
                      8⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3200
                      • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Squirrel.exe
                        "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
                        9⤵
                        • Executes dropped EXE
                        PID:4300
                      • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                        "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe" --squirrel-install 0.0.309
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:4984
                        • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                          C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=0.0.309 --annotation=prod=Electron --annotation=ver=9.3.5 --initial-client-data=0x464,0x468,0x46c,0x3f8,0x470,0x58c1038,0x58c1048,0x58c1054
                          10⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:4940
                        • C:\Users\Admin\AppData\Local\Discord\Update.exe
                          C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
                          10⤵
                          • Executes dropped EXE
                          PID:2792
                        • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                          "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe" --type=gpu-process --field-trial-handle=1588,13535646021843845986,9670541215823860006,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1692 /prefetch:2
                          10⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:3088
                        • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                          "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe" --type=utility --field-trial-handle=1588,13535646021843845986,9670541215823860006,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2032 /prefetch:8
                          10⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:2184
                        • C:\Windows\SysWOW64\reg.exe
                          C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f
                          10⤵
                          • Adds Run key to start application
                          • Modifies registry key
                          PID:4352
                        • C:\Windows\SysWOW64\reg.exe
                          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
                          10⤵
                          • Modifies registry key
                          PID:3012
                        • C:\Windows\SysWOW64\reg.exe
                          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
                          10⤵
                          • Executes dropped EXE
                          • Modifies registry key
                          PID:4612
                        • C:\Windows\SysWOW64\reg.exe
                          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe\",-1" /f
                          10⤵
                          • Modifies registry key
                          PID:380
                        • C:\Windows\SysWOW64\reg.exe
                          C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe\" --url -- \"%1\"" /f
                          10⤵
                          • Modifies registry key
                          PID:3256
        • C:\Users\Admin\AppData\Local\Temp\{7BA09B21-0AFE-458C-9FA6-2882456C8217}.exe
          "C:\Users\Admin\AppData\Local\Temp\{7BA09B21-0AFE-458C-9FA6-2882456C8217}.exe" --job-name=yBrowserDownloader-{204E3297-AC6C-4C4F-B1EA-AC10DD93B070} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{7BA09B21-0AFE-458C-9FA6-2882456C8217}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2313418-119&ui={9bfc2066-f9a4-4a9c-9cbf-9fc315942247} --use-user-default-locale
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Users\Admin\AppData\Local\Temp\ybCCF2.tmp
            "C:\Users\Admin\AppData\Local\Temp\ybCCF2.tmp" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\955f78a2-9277-468b-b717-22f820801e0a.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=246180788 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{204E3297-AC6C-4C4F-B1EA-AC10DD93B070} --local-path="C:\Users\Admin\AppData\Local\Temp\{7BA09B21-0AFE-458C-9FA6-2882456C8217}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2313418-119&ui={9bfc2066-f9a4-4a9c-9cbf-9fc315942247} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\c55e1fd0-60cb-44fa-a08a-81a03f890892.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4340
            • C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\BROWSER.PACKED.7Z" --searchband-file="C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\SEARCHBAND.EXE" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\955f78a2-9277-468b-b717-22f820801e0a.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=246180788 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{204E3297-AC6C-4C4F-B1EA-AC10DD93B070} --local-path="C:\Users\Admin\AppData\Local\Temp\{7BA09B21-0AFE-458C-9FA6-2882456C8217}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2313418-119&ui={9bfc2066-f9a4-4a9c-9cbf-9fc315942247} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\c55e1fd0-60cb-44fa-a08a-81a03f890892.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico"
              4⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:4768
              • C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\BROWSER.PACKED.7Z" --searchband-file="C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\SEARCHBAND.EXE" --abt-update-path="C:\Users\Admin\AppData\Local\Temp\955f78a2-9277-468b-b717-22f820801e0a.tmp" --brand-name=yandex --brand-package="C:\Users\Admin\AppData\Local\Temp\BrandFile" --clids-file="C:\Users\Admin\AppData\Local\Temp\clids.xml" --clids-searchband-file="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml" --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --install-start-time-no-uac=246180788 --installerdata="C:\Users\Admin\AppData\Local\Temp\master_preferences" --job-name=yBrowserDownloader-{204E3297-AC6C-4C4F-B1EA-AC10DD93B070} --local-path="C:\Users\Admin\AppData\Local\Temp\{7BA09B21-0AFE-458C-9FA6-2882456C8217}.exe" --partner-package="C:\Users\Admin\AppData\Local\Temp\PartnerFile" --progress-window=0 --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2313418-119&ui={9bfc2066-f9a4-4a9c-9cbf-9fc315942247} --send-statistics --silent --source=lite --use-user-default-locale --variations-update-path="C:\Users\Admin\AppData\Local\Temp\c55e1fd0-60cb-44fa-a08a-81a03f890892.tmp" --verbose-logging --yabrowser --yandex-website-icon-file="C:\Users\Admin\AppData\Local\Temp\website.ico" --verbose-logging --run-as-admin --target-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application" --child-setup-process --restart-as-admin-time=268371901
                5⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                PID:1540
                • C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\setup.exe
                  C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=1540 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.3.1.896 --initial-client-data=0x334,0x338,0x33c,0x310,0x340,0x633778,0x633788,0x633794
                  6⤵
                  • Executes dropped EXE
                  PID:2032
                • C:\Windows\TEMP\scoped_dir1540_846880601\temp\service_update.exe
                  "C:\Windows\TEMP\scoped_dir1540_846880601\temp\service_update.exe" --setup
                  6⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  PID:1564
                  • C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe
                    "C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe" --install
                    7⤵
                    • Executes dropped EXE
                    PID:4592
                • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
                  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids.xml"
                  6⤵
                  • Executes dropped EXE
                  PID:1196
                • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
                  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=yabrowser --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source1540_19114955\Browser-bin\clids_yandex_second.xml"
                  6⤵
                  • Executes dropped EXE
                  PID:4012
                • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
                  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=searchband --vendor-xml-path="C:\Users\Admin\AppData\Local\Temp\clids_searchband.xml"
                  6⤵
                  PID:4612
                • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe
                  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\clidmgr.exe" --appid=searchband --vendor-xml-path="C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Temp\source1540_19114955\Browser-bin\clids_searchband.xml"
                  6⤵
                  • Executes dropped EXE
                  PID:4800
                • C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\SEARCHBAND.EXE
                  "C:\Users\Admin\AppData\Local\Temp\YB_5D3CC.tmp\SEARCHBAND.EXE" /forcequiet
                  6⤵
                  PID:2456
            • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Installer\searchbandapp.exe
              "C:\Users\Admin\AppData\Local\Yandex\SearchBand\Installer\searchbandapp.exe" /install
              2⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1236
              • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe
                "C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe" /auto
                3⤵
                • Adds Run key to start application
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of SetWindowsHookEx
                PID:5280
                • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\crashreporter64.exe
                  C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\crashreporter64.exe
                  4⤵
                    PID:5460
                  • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe
                    "C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.0.0.1903\searchbandapp64.exe" /update-check
                    4⤵
                    • Modifies Internet Explorer settings
                    PID:3700
                    • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe
                      "C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe" /update-install
                      5⤵
                      • Checks computer location settings
                      PID:3208
                      • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe
                        "C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\searchbandapp64.exe" /auto
                        6⤵
                        • Adds Run key to start application
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:5452
                        • C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\crashreporter64.exe
                          C:\Users\Admin\AppData\Local\Yandex\SearchBand\Application\5.5.0.1923\crashreporter64.exe
                          7⤵
                          PID:5128
                • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --progress-window=0 --install-start-time-no-uac=246180788
                  2⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Adds Run key to start application
                  • Drops file in Windows directory
                  • Enumerates system info in registry
                  • Modifies registry class
                  • Modifies system certificate store
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:3732
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id= --annotation=main_process_pid=3732 --annotation=metrics_client_id=54479c31e07c46db97af0635604e3a38 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.3.1.896 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x70f01490,0x70f014a0,0x70f014ac
                    3⤵
                    • Executes dropped EXE
                    PID:4660
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:2
                    3⤵
                    • Executes dropped EXE
                    PID:4320
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=utility --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Storage Service" --mojo-platform-channel-handle=2092 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                    • Executes dropped EXE
                    PID:4316
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Network Service" --mojo-platform-channel-handle=1908 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                    • Executes dropped EXE
                    PID:1280
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Audio Service" --mojo-platform-channel-handle=2776 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:456
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3240 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:1
                    3⤵
                    • Checks computer location settings
                    PID:3496
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=3388 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:4468
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Video Capture" --mojo-platform-channel-handle=3356 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:2456
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --extension-process --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3404 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:1
                    3⤵
                    • Checks computer location settings
                    PID:5140
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=speechkit.mojom.Speechkit --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Speechkit Service" --mojo-platform-channel-handle=3792 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5172
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Импорт профилей" --mojo-platform-channel-handle=4500 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5444
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=4792 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:1
                    3⤵
                    • Checks computer location settings
                    PID:5696
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=5028 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:1
                    3⤵
                    • Checks computer location settings
                    PID:5724
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5064 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5744
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=uwp_cookie_provider.mojom.UwpCookieProvider --lang=ru --service-sandbox-type=utility --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name=uwp_cookie_provider.mojom.UwpCookieProvider --mojo-platform-channel-handle=5704 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5828
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.3.1.896\browser_diagnostics.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\22.3.1.896\browser_diagnostics.exe" --uninstall
                    3⤵
                      PID:5804
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=6012 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:1
                    3⤵
                      PID:5648
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=6196 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 /prefetch:1
                    3⤵
                    • Checks computer location settings
                    PID:5900
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Утилиты Windows" --mojo-platform-channel-handle=6396 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5184
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5928 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:3952
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=4528 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:672
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5436 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:4736
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5412 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5156
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5384 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                    • Executes dropped EXE
                    PID:2456
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5388 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6116
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5452 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5656
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=5428 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5516
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6656 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:5416
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6664 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6192
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6680 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6272
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6688 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6316
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6704 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6336
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=7368 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6412
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6712 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6352
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=6700 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6576
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8496 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6628
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8508 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6672
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8520 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6712
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8500 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6756
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8528 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6796
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8452 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6592
                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --mojo-platform-channel-handle=8312 --field-trial-handle=1844,10734729840142555160,17212201277931937741,131072 --brver=22.3.1.896 /prefetch:8
                    3⤵
                      PID:6564
                • C:\Users\Admin\AppData\Local\Discord\Update.exe
                  "C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
                  2⤵
                    PID:7044
                  • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                    "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe"
                    3⤵
                      PID:7156
                    • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                      C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=0.0.309 --annotation=prod=Electron --annotation=ver=9.3.5 --initial-client-data=0x490,0x494,0x498,0x46c,0x49c,0x58c1038,0x58c1048,0x58c1054
                      4⤵
                                                                                            PID:6156
                                                                                          • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                                                                                            "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe" --type=gpu-process --field-trial-handle=1744,9627802523454849813,9314035604894160453,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1752 /prefetch:2
                                                                                            4⤵
                                                                                              PID:6384
                                                                                            • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                                                                                              "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe" --type=utility --field-trial-handle=1744,9627802523454849813,9314035604894160453,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2260 /prefetch:8
                                                                                              4⤵
                                                                                                PID:6476
                                                                                              • C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe
                                                                                                "C:\Users\Admin\AppData\Local\Discord\app-0.0.309\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1744,9627802523454849813,9314035604894160453,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-0.0.309\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
                                                                                                4⤵
                                                                                                • Checks computer location settings
                                                                                                PID:6548
                                                                                              • C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discord.com/api/updates/stable
                                                                                                4⤵
                                                                                                  PID:4144
                                                                                                • C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                  C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discord.com/api/updates/stable
                                                                                                  4⤵
                                                                                                  • Checks computer location settings
                                                                                                  PID:5916
                                                                                                  • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Squirrel.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                    5⤵
                                                                                                      PID:828
                                                                                                    • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --squirrel-updated 0.0.311
                                                                                                      5⤵
                                                                                                        PID:4312
                                                                                                        • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                          C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=0.0.311 --annotation=prod=Electron --annotation=ver=13.4.0 --initial-client-data=0x4b8,0x4bc,0x4c0,0x4b4,0x4c4,0x7c58820,0x7c58830,0x7c5883c
                                                                                                          6⤵
                                                                                                            PID:220
                                                                                                          • C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                            C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico --updateOnly
                                                                                                            6⤵
                                                                                                              PID:5108
                                                                                                            • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=gpu-process --field-trial-handle=1852,11922624484978454836,6065473519147975898,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
                                                                                                              6⤵
                                                                                                                PID:5516
                                                                                                              • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,11922624484978454836,6065473519147975898,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:8
                                                                                                                6⤵
                                                                                                                  PID:3968
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
                                                                                                                  6⤵
                                                                                                                  • Modifies registry key
                                                                                                                  PID:2408
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f
                                                                                                                  6⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  • Modifies registry key
                                                                                                                  PID:3536
                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    7⤵
                                                                                                                      PID:5648
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
                                                                                                                    6⤵
                                                                                                                    • Modifies registry key
                                                                                                                    PID:4356
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
                                                                                                                    6⤵
                                                                                                                    • Modifies registry key
                                                                                                                    PID:7124
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe\",-1" /f
                                                                                                                    6⤵
                                                                                                                    • Modifies registry key
                                                                                                                    PID:5088
                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      7⤵
                                                                                                                        PID:5804
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe\" --url -- \"%1\"" /f
                                                                                                                      6⤵
                                                                                                                      • Modifies registry class
                                                                                                                      • Modifies registry key
                                                                                                                      PID:5548
                                                                                                                • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                  4⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                  PID:6108
                                                                                                                  • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                    C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=0.0.311 --annotation=prod=Electron --annotation=ver=13.4.0 --initial-client-data=0x4ac,0x4b0,0x4b4,0x4a8,0x4b8,0x7c58820,0x7c58830,0x7c5883c
                                                                                                                    5⤵
                                                                                                                      PID:6220
                                                                                                                    • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=gpu-process --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1800 /prefetch:2
                                                                                                                      5⤵
                                                                                                                        PID:4144
                                                                                                                      • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-0.0.311\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
                                                                                                                        5⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        PID:5652
                                                                                                                      • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:8
                                                                                                                        5⤵
                                                                                                                          PID:6244
                                                                                                                        • C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discord.com/api/updates/stable
                                                                                                                          5⤵
                                                                                                                            PID:6500
                                                                                                                          • C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discord.com/api/updates/stable
                                                                                                                            5⤵
                                                                                                                              PID:6368
                                                                                                                            • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-0.0.311\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1 --enable-node-leakage-in-renderers
                                                                                                                              5⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Modifies system certificate store
                                                                                                                              PID:6692
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"
                                                                                                                                6⤵
                                                                                                                                  PID:2360
                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    7⤵
                                                                                                                                      PID:456
                                                                                                                                • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3432 /prefetch:8
                                                                                                                                  5⤵
                                                                                                                                    PID:2380
                                                                                                                                  • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3492 /prefetch:8
                                                                                                                                    5⤵
                                                                                                                                      PID:5888
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/handoff?rpc=6463&key=f008a6e6-a217-43bb-ada8-230637761d34
                                                                                                                                      5⤵
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      • Enumerates system info in registry
                                                                                                                                      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                                      PID:7068
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa47146f8,0x7fffa4714708,0x7fffa4714718
                                                                                                                                        6⤵
                                                                                                                                          PID:7044
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
                                                                                                                                          6⤵
                                                                                                                                            PID:1664
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2764 /prefetch:3
                                                                                                                                            6⤵
                                                                                                                                              PID:1592
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3156 /prefetch:8
                                                                                                                                              6⤵
                                                                                                                                                PID:6032
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
                                                                                                                                                6⤵
                                                                                                                                                  PID:4204
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
                                                                                                                                                  6⤵
                                                                                                                                                    PID:7164
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 /prefetch:8
                                                                                                                                                    6⤵
                                                                                                                                                      PID:5800
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
                                                                                                                                                      6⤵
                                                                                                                                                        PID:6864
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4068 /prefetch:8
                                                                                                                                                        6⤵
                                                                                                                                                          PID:3632
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,7542993460631333767,16025804564100981766,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4076 /prefetch:8
                                                                                                                                                          6⤵
                                                                                                                                                            PID:6488
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
                                                                                                                                                          5⤵
                                                                                                                                                          • Modifies registry key
                                                                                                                                                          PID:5608
                                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                          C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f
                                                                                                                                                          5⤵
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          • Modifies registry key
                                                                                                                                                          PID:5624
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Discord\app-0.0.311\Discord.exe" --type=gpu-process --field-trial-handle=1792,14208882577853647781,16878709068482916025,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2456 /prefetch:2
                                                                                                                                                          5⤵
                                                                                                                                                            PID:6360
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe"
                                                                                                                                                      2⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                      PID:5576
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1649961803 --annotation=last_update_date=1649961803 --annotation=launches_after_update=1 --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=5576 --annotation=metrics_client_id=54479c31e07c46db97af0635604e3a38 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.3.1.896 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x69ff1490,0x69ff14a0,0x69ff14ac
                                                                                                                                                        3⤵
                                                                                                                                                          PID:6680
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 /prefetch:2
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2376
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Network Service" --mojo-platform-channel-handle=1928 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 --brver=22.3.1.896 /prefetch:8
                                                                                                                                                            3⤵
                                                                                                                                                              PID:3712
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=ru --service-sandbox-type=utility --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Storage Service" --mojo-platform-channel-handle=2220 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 --brver=22.3.1.896 /prefetch:8
                                                                                                                                                              3⤵
                                                                                                                                                                PID:6676
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Audio Service" --mojo-platform-channel-handle=2424 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 --brver=22.3.1.896 /prefetch:8
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:7056
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=speechkit.mojom.Speechkit --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Speechkit Service" --mojo-platform-channel-handle=2520 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 --brver=22.3.1.896 /prefetch:8
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:5700
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3416 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 /prefetch:1
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                    PID:688
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Video Capture" --mojo-platform-channel-handle=3340 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 --brver=22.3.1.896 /prefetch:8
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:5580
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=uwp_cookie_provider.mojom.UwpCookieProvider --lang=ru --service-sandbox-type=utility --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name=uwp_cookie_provider.mojom.UwpCookieProvider --mojo-platform-channel-handle=3876 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 --brver=22.3.1.896 /prefetch:8
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:1956
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4660 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 /prefetch:1
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                        PID:5140
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=renderer --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --help-url=https://api.browser.yandex.ru/redirect/help/ --user-agent-info --web-ntp-url-for-renderer=https://webntp.yandex.ru/ --translate-security-origin=https://yastatic.net --display-capture-permissions-policy-allowed --enable-instaserp --disable-gpu-compositing --lang=ru --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=4856 --field-trial-handle=1880,50995059727692082,13804680137611564486,131072 /prefetch:1
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                        PID:5596
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Discord\Update.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Checks computer location settings
PID:4000
• C:\Users\Admin\AppData\Local\Discord\app-1.0.9004\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9004\Discord.exe"
  3⤵
    PID:100
    • C:\Users\Admin\AppData\Local\Discord\app-1.0.9004\Discord.exe
      C:\Users\Admin\AppData\Local\Discord\app-1.0.9004\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9004 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x4b0,0x4b4,0x4b8,0x4ac,0x4bc,0x7353850,0x7353860,0x735386c
      4⤵
        PID:212
• C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  1⤵
  • Enumerates connected drives
  • Drops file in Windows directory
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of WriteProcessMemory
  PID:1864
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding AC1132D688F2A335356963A2D8DD8ED8
    2⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\3B76FAE8-9771-4AF7-AB61-1F6423177B90\lite_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\3B76FAE8-9771-4AF7-AB61-1F6423177B90\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER
      3⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:672
    • C:\Users\Admin\AppData\Local\Temp\B81401D4-AC3F-4547-A0A6-99A293ACA436\seederexe.exe
      "C:\Users\Admin\AppData\Local\Temp\B81401D4-AC3F-4547-A0A6-99A293ACA436\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\1A16FF3B-D437-4C6B-827D-09806A0444C0\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
      3⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe
        C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n
        4⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3948
        • C:\Users\Admin\AppData\Local\Temp\pin\explorer.exe
          C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n /pin-path="C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk" --is-pinning
          5⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of FindShellTrayWindow
          PID:4200
      • C:\Users\Admin\AppData\Local\Temp\1A16FF3B-D437-4C6B-827D-09806A0444C0\sender.exe
        C:\Users\Admin\AppData\Local\Temp\1A16FF3B-D437-4C6B-827D-09806A0444C0\sender.exe --send "/status.xml?clid=2313438-119&uuid=9bfc2066-f9a4-4a9c-9cbf-9fc315942247&vnt=Windows 10x64&file-no=8%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A38%0A40%0A42%0A43%0A45%0A57%0A61%0A89%0A102%0A103%0A106%0A111%0A123%0A124%0A125%0A129%0A"
        4⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:744
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding D5F29B3500FB873E50399CA7E30D5205
    2⤵
      PID:1480
  • C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe
    "C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe" --run-as-service
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:3880
    • C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe
      "C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://crash-reports.browser.yandex.net/submit --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=3880 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.3.1.896 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x5eb008,0x5eb018,0x5eb024
      2⤵
      • Executes dropped EXE
      PID:4128
    • C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe
      "C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe" --update-scheduler
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:4572
      • C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe
        "C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe" --update-background-scheduler
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:5068
    • C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe
      "C:\Program Files (x86)\Yandex\YandexBrowser\22.3.1.896\service_update.exe" --statistics=https://api.browser.yandex.ru/installstats/send/dtype=stred/pid=457/cid=72992/path=extended_stat/vars=-action=version_folder_files_check_unused,-brand_id=unknown,-error=FONT_NOT_FOUND,-files_mask=66977119,-installer_type=service_audit,-launched=false,-old_style=0,-old_ver=,-result=0,-stage=error,-target=version_folder_files_check,-ui=D37A61F0_3290_453C_82A6_FE616699E37F/*
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:2560
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:1096
    • C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe
      "C:\Program Files (x86)\360\Total Security\safemon\WscReg.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:5032
      • C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe
        "C:\Program Files (x86)\360\Total Security\SoftMgr\EaInstHelper64.exe" /Install_run
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2336
    • C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
      "C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: LoadsDriver
      • Suspicious use of SetWindowsHookEx
      PID:3312
      • C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
        /showtrayicon
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Checks whether UAC is enabled
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1460
        • C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
          "C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /install
          3⤵
          • Executes dropped EXE
          • Checks for any installed AV software in registry
          PID:2056
        • C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
          "C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /cleantip=1
          3⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3516
          • C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe
            "C:\Program Files (x86)\360\Total Security\safemon\PopWndLog.exe" /ExShowTrayIcon
            4⤵
            • Executes dropped EXE
            PID:2132
        • C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
          "C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /ExShowTrayIcon
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                PID:2940
                                                                                                                                                                              • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\safemon\safemon.dll"
                                                                                                                                                                                3⤵
                                                                                                                                                                                  PID:4548
                                                                                                                                                                                • C:\Program Files (x86)\360\Total Security\QHSafeMain.exe
                                                                                                                                                                                  "C:\Program Files (x86)\360\Total Security\QHSafeMain.exe"
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                  • Checks for any installed AV software in registry
                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                  • Drops desktop.ini file(s)
                                                                                                                                                                                  • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                  PID:6948
                                                                                                                                                                                  • C:\Program Files (x86)\360\Total Security\PromoUtil.exe
                                                                                                                                                                                    "C:\Program Files (x86)\360\Total Security\PromoUtil.exe"
                                                                                                                                                                                    4⤵
                                                                                                                                                                                    • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                    PID:6060
                                                                                                                                                                                    • C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe
                                                                                                                                                                                      /lang=en
                                                                                                                                                                                      5⤵
                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                      • Modifies system certificate store
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:6640
                                                                                                                                                                                      • C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe
                                                                                                                                                                                        "C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe" --type=renderer --disable-gpu-compositing --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\360\Total Security\Utils\cef\debug.log" --log-severity=disable --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="6640.0.981155503\2032831259" /prefetch:1
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:4184
                                                                                                                                                                                        • C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe
                                                                                                                                                                                          "C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe" --type=renderer --disable-gpu-compositing --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\360\Total Security\Utils\cef\debug.log" --log-severity=disable --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="6640.1.1470888874\607924389" /prefetch:1
                                                                                                                                                                                          6⤵
                                                                                                                                                                                            PID:6464
                                                                                                                                                                                          • C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe
                                                                                                                                                                                            "C:\Program Files (x86)\360\Total Security\Utils\cef\cefutil.exe" --type=utility --channel="6640.2.1261688156\1717672874" --lang=en-US --no-sandbox --no-sandbox --lang=en-US --log-file="C:\Program Files (x86)\360\Total Security\Utils\cef\debug.log" --log-severity=disable /prefetch:8
                                                                                                                                                                                            6⤵
                                                                                                                                                                                              PID:3328
                                                                                                                                                                                        • C:\Program Files (x86)\360\Total Security\360DeskAna.exe
                                                                                                                                                                                          "C:\Program Files (x86)\360\Total Security\360DeskAna.exe" lspscan 32 \\.\pipe\lspscanlkzosyzq
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:2124
                                                                                                                                                                                          • C:\Program Files (x86)\360\Total Security\360DeskAna.exe
                                                                                                                                                                                            "C:\Program Files (x86)\360\Total Security\360DeskAna.exe" lspscan 32 \\.\pipe\lspscanlkzosyzq
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:2060
                                                                                                                                                                                            • C:\Program Files (x86)\360\Total Security\360DeskAna.exe
                                                                                                                                                                                              "C:\Program Files (x86)\360\Total Security\360DeskAna.exe" lspscan 32 \\.\pipe\lspscanlkzosyzq
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:3952
                                                                                                                                                                                              • C:\Program Files (x86)\360\Total Security\360DeskAna64.exe
                                                                                                                                                                                                "C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "explorer.exe","","0"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:5852
                                                                                                                                                                                                • C:\Program Files (x86)\360\Total Security\360DeskAna64.exe
                                                                                                                                                                                                  "C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "iexplore.exe","","0"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:6620
                                                                                                                                                                                                  • C:\Program Files (x86)\360\Total Security\360DeskAna64.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "explorer.exe","","0"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:5204
                                                                                                                                                                                                    • C:\Program Files (x86)\360\Total Security\360DeskAna64.exe
                                                                                                                                                                                                      "C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "iexplore.exe","","0"
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:6572
                                                                                                                                                                                                      • C:\Program Files (x86)\360\Total Security\360DeskAna64.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "explorer.exe","","0"
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:7068
                                                                                                                                                                                                        • C:\Program Files (x86)\360\Total Security\360DeskAna64.exe
                                                                                                                                                                                                          "C:\Program Files (x86)\360\Total Security\360DeskAna64.exe" EnumProcDLL: "iexplore.exe","","0"
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:6148
                                                                                                                                                                                                      • C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe" /watch
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:1404
                                                                                                                                                                                                      • C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                        PID:4592
                                                                                                                                                                                                      • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\scan.dll"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:3748
                                                                                                                                                                                                        • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\safemon\bdfltlib.dll"
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:4996
                                                                                                                                                                                                          • C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe
                                                                                                                                                                                                            "C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe" /delay:30
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                            PID:5060
                                                                                                                                                                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                            C:\Windows\system32\gpupdate.exe /force
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:1804
                                                                                                                                                                                                            • C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe
                                                                                                                                                                                                              "C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe" /delay:30
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                                                                                              PID:4680
                                                                                                                                                                                                            • C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe
                                                                                                                                                                                                              "C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe" /delay:30
    2⤵
    • Writes to the Master Boot Record (MBR)
    • Checks SCSI registry key(s)
    PID:5736
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x46c 0x500
  1⤵
  PID:5432
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  1⤵
  PID:5632
• C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  1⤵
  PID:6096
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:6596
• C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater --bits_job_guid={16A952CD-84B4-4784-8412-9CDAC09DB96D}
  1⤵
  • Enumerates system info in registry
  PID:6256
  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1649961803 --annotation=last_update_date=1649961803 --annotation=launches_after_update=1 --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=6256 --annotation=metrics_client_id=54479c31e07c46db97af0635604e3a38 --annotation=micromode=broupdater --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.3.1.896 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x6b491490,0x6b4914a0,0x6b4914ac
    2⤵
    PID:6328
  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Network Service" --mojo-platform-channel-handle=1936 --field-trial-handle=1808,13178063319336178958,9564563982175022805,131072 --brver=22.3.1.896 /prefetch:8
    2⤵
    PID:5404
  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1768 --field-trial-handle=1808,13178063319336178958,9564563982175022805,131072 /prefetch:2
    2⤵
    PID:5380
• C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
  "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --broupdater-stat-bits --broupdater-stat-name=install --bits_job_guid={BCB4E6D6-775C-4E6C-9F67-DE88B2AA6F7D}
  1⤵
  • Enumerates system info in registry
  PID:3068
  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\User Data" --url=https://crash-reports.browser.yandex.net/submit --annotation=install_date=1649961803 --annotation=last_update_date=1649961803 --annotation=launches_after_update=1 --annotation=machine_id=f5ea51da667ecd6b5f2b9d06e4a3fc52 --annotation=main_process_pid=3068 --annotation=metrics_client_id=54479c31e07c46db97af0635604e3a38 --annotation=plat=Win32 --annotation=prod=Yandex --annotation=session_logout=False --annotation=ver=22.3.1.896 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x6b491490,0x6b4914a0,0x6b4914ac
    2⤵
    PID:1996
  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=gpu-process --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1808 --field-trial-handle=1952,3446712637495357946,5031233122282535805,131072 /prefetch:2
    2⤵
    PID:6856
  • C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    "C:\Users\Admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=ru --service-sandbox-type=none --user-id=9bfc2066-f9a4-4a9c-9cbf-9fc315942247 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Network Service" --mojo-platform-channel-handle=1872 --field-trial-handle=1952,3446712637495357946,5031233122282535805,131072 --brver=22.3.1.896 /prefetch:8
    2⤵
    PID:6876
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:3744
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:6436
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:5512
• C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  1⤵
  PID:1904

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
  Filesize: 1KB
  MD5: 1005d14131859c0d2e455d9b7d44e1a4
  SHA1: a54f44c3fb62c68318b131690e78cc4cb572c95c
  SHA256: 34205460c00dbc88851eee6b82124278784a8c9e2fce91bf150393741d8afd90
  SHA512: 2fa7775e88796ed1d1048da1caf75552512a8c6126156bc526a17972635750bd0aa89a3de038624cda8cc8cfbd3517e65d7a70605a6e1c81a452c01574067904

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_A2E0B287EC2147F84DD8A330B45D3489
  Filesize: 1KB
  MD5: c2896c2ba2ce9a8f718f6cea1f009e49
  SHA1: 1a0ffe30e769a016fb97ad66dbe6be91c4a997b3
  SHA256: 20bc20f1042cf4ee393688558520dfe271c4992c8492fa8e2fe08ad13468ea4d
  SHA512: 43f8158673fae4385c3dfca86666dc594e5cc1e56eb14c5221d58bd44eda2f819bfb4c052f24e39ff143ae6a520ae3f1640cfc11d905f1c4412d60b003fac278

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
  Filesize: 498B
  MD5: d70ddb3905cf3b33872255fdfd3e47fb
  SHA1: a1bb96e2b2da8a1ef041ba147d95ebb838afc627
  SHA256: 210d459ba63210b3ee75c2b0fc59a6c7b1a488142b884dabfc430dbdea99a157
  SHA512: c90f729faa4eb32bdad12afe29c2e6f30b342fe57d43267d6f59e636651b6e25ce373b4d331c1ead22af7081818f2aa1e3ea46dfae5da630b737daafed7cc9a3

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_A2E0B287EC2147F84DD8A330B45D3489
  Filesize: 530B
  MD5: ca2bc21e43ed2cbfeac1a29de6b0872b
  SHA1: 12b049dd0baca6fa18e8016ec6db5aefbf492519
  SHA256: da12cbb55c4756f50e8ca3417e4292b9424ce938c3990d6a21d2a758af26d538
  SHA512: 55bba8c1c2260a2b74076623cd3feae2eaa265a09afb1518ddb30c60b9bac015d2b89f96b8d4961813be8a4d74ea2cd90b4768dc8d361e9eb2796c72eb86d8cf

• C:\Users\Admin\AppData\Local\Temp\3B76FAE8-9771-4AF7-AB61-1F6423177B90\lite_installer.exe
  Filesize: 413KB
  MD5: d32458fe0e1747ee9c166bca7ab2a01b
  SHA1: 7f454ed4687eaea4a7c061b8800d53df90992804
  SHA256

                                                                                                                                                                                                                                        40fa37f2a87361c371adf76517abd4221eb13649cd21bc05eb3a8b0b17c9033c

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        2b2ab123c164d838e75a1e4db34dbd51acce20fcf5375ba737070052bca241a14532265bcb2888096d6d384555795d1d940f820524c9a3934468d814fcb1e06d

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        9.0MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        e140654264ef01bc3e25f0e18f5e003d

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        93d30d31adf8e0af345a120e3e3def37cc3fab15

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        9eb88155196ad2e2010906643bb89aa954205f6740635c45dbf6265d1060c051

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        97662500585758ecb8f13ef3909676da452daaeb351b2843645ded0c51a90302b49dfaeda19796745de959344b4cac67a0b7627dbf0d02c7ad655f559ed9b18e

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        9.0MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        e140654264ef01bc3e25f0e18f5e003d

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        93d30d31adf8e0af345a120e3e3def37cc3fab15

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        9eb88155196ad2e2010906643bb89aa954205f6740635c45dbf6265d1060c051

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        97662500585758ecb8f13ef3909676da452daaeb351b2843645ded0c51a90302b49dfaeda19796745de959344b4cac67a0b7627dbf0d02c7ad655f559ed9b18e

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        1KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        04217a3943644e0b7e734fc18f144616

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        685390aa23f186d426004974597e6d45c4bdb4cc

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        8daa2e4c0706a3a8bd1e696e8a198fe409d21b917008d10a4e0b5c025da7836d

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        99a45bd0bf6513f0cf496ac685ccddbbf2efe02f8e274651bad88477eeca6b0ee0905f1774ec2fee25a0e9ccea4ae53760ef82ba8278e91e03f4610a2035df5d

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-30DQB.tmp\UnoSetup.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        3.1MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        5355154de3423b0f062c2d77446457cf

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        25bf917864322ac74278ecda273040d9137287b0

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        c28d3a36bb73ed7e4457f8a4de1628d6eb620101067ebd36d53efa117c2bb711

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        d4be003f22100bb0d73f523f16470f9464aa8ff664bf9f7ecc372ebadd15847e72ed8c4ff61b9152eea7a9628b8c7d1fb1673081eda163cddf88b92eb691d629

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\360TS_Setup_Mini_WW_Coin_CPI202205_6.6.0.1054.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        1.5MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        1b2a7fc17f031879561bc73141c6ebee

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        815db9a7aede04f55d983ed7ca2b38ba34360edc

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        e05412ec3bb86aae3e71218c08d53ffd19f09fc1c5d971cfe08695c09668c01e

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        11f1ef16f0fde6b17693b8ccc732b3ec06ecf4e7b9070e0b9dcefdf7d8797cebfcf9367974a32f55c83e3468372dc8dd6ae73bff9ed70460c80872c5faeadd58

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\360TS_Setup_Mini_WW_Coin_CPI202205_6.6.0.1054.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        1.5MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        1b2a7fc17f031879561bc73141c6ebee

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        815db9a7aede04f55d983ed7ca2b38ba34360edc

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        e05412ec3bb86aae3e71218c08d53ffd19f09fc1c5d971cfe08695c09668c01e

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        11f1ef16f0fde6b17693b8ccc732b3ec06ecf4e7b9070e0b9dcefdf7d8797cebfcf9367974a32f55c83e3468372dc8dd6ae73bff9ed70460c80872c5faeadd58

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\PTB.dll

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        261KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        85c343098c79f5fd5b910031a5ed8e64

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        5429b525a6d83c819e7f84cb012724f2f8a9e86e

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        53a56b4c1a8ce9452efa9d0f484f0d251326f37d227b7a9b399be655e3e1c5ba

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        ac49aadc0333b0955faa13d91c530f1c808b4817485068445505cf1e38ad6bc4598727dce5bd3868fd8b436811b20cd7771722c43ba42ba48a7911017c18db7e

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\PTB.dll

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        261KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        85c343098c79f5fd5b910031a5ed8e64

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        5429b525a6d83c819e7f84cb012724f2f8a9e86e

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        53a56b4c1a8ce9452efa9d0f484f0d251326f37d227b7a9b399be655e3e1c5ba

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        ac49aadc0333b0955faa13d91c530f1c808b4817485068445505cf1e38ad6bc4598727dce5bd3868fd8b436811b20cd7771722c43ba42ba48a7911017c18db7e

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\WebKitTime.dll

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        87KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        08e99159c0194360dd801746d7245107

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        559b3c5684ce63d44e00ec7fef76bd136fbde514

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        6c43e922c3cdaf1317a69e1573bceadb8bc01b91fe4f0ac49360e71ecd7694ff

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        683e2d8b8af36cd58364aafd824d89387d9850face2f36c10dd399e42aad17578cbe9398bbb884e51c5827c257875c7dc0f665cc70584118819f57ec9cd615c7

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\WebKitTime.dll

                                                                                                                                                                                                                                        Filesize

  87KB
  MD5       08e99159c0194360dd801746d7245107
  SHA1      559b3c5684ce63d44e00ec7fef76bd136fbde514
  SHA256    6c43e922c3cdaf1317a69e1573bceadb8bc01b91fe4f0ac49360e71ecd7694ff
  SHA512    683e2d8b8af36cd58364aafd824d89387d9850face2f36c10dd399e42aad17578cbe9398bbb884e51c5827c257875c7dc0f665cc70584118819f57ec9cd615c7

• C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\downloader.exe
  Filesize  198KB
  MD5       64f01094081e5214edde9d6d75fca1b5
  SHA1      d7364c6fb350843c004e18fc0bce468eaa64718f
  SHA256    5861fcac5dcd75e856fb96a2f0563df56e321a4be2c420618763d0bf495700a0
  SHA512    a7679967d985d006a3c6b000d32b5a258b3c489bddb303c98d9cc54fa597d8a410fa66980767fcf1defe682f7952f744fd3bace26e66244a2529dbddd7a35db0

• C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\pack.zip
  Filesize  2.8MB
  MD5       d35acb27fb93ad90a61ad1e43bcd9230
  SHA1      d11d21a787506dcfbac466a0cb8cc32ed3c1c194
  SHA256    568a183c3a0d986cdb7b16133d99ec4a7ff72775e33dafec335ce6e30cb6e4ae
  SHA512    6c92804990695a2044e0394c3310007668f3cddf948acff521254b1602bc86161bfba075b098fa31121bb0f20786def3c5fe6b4c44aab4a804e4d3fc88f2ebfa

• C:\Users\Admin\AppData\Local\Temp\is-7BU5R.tmp\unzip.exe
  Filesize  184KB
  MD5       f8670f43ddd6316f7a8312babf290079
  SHA1      575134b2bd1db2a4cff20a8a421e94adbb9aacd2
  SHA256    3444f4d1e9402c46cfb77bfc292437a9f57a42562ddc901a4a980e05588fc54f
  SHA512    1856b2754452e114c02874017c9eafb17b135b1eb7afb283797ca753acc9cf2bdc5dc45eb24302b56461094ecd68e7ee8b197ae977871bd7d92592ea83467868

• C:\Users\Admin\AppData\Local\Temp\is-CEEKP.tmp\discord-install.tmp
  Filesize  3.0MB
  MD5       bb50b736754a9f599095cf9126c6874c
  SHA1      5bae73777c0408684d338623bc415ec4d46d334f
  SHA256    9d91940f37677b7b126b40ff839a1f9582206d0808dde1cc4102a83dda772a7c
  SHA512    4c67d069230758f74d50b6b2a698fe667e42d4f91ab51dd0dafa6d3e0e7d664f8b62f815de6cdec88ad9eef1e0fb150c0a87594fab7cd5646bc459bb8f564378

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\Adobe_Flash_Player.bmp
  Filesize  3KB
  MD5       02bb045a8ad3510fa52226040a600381
  SHA1      d008bc04df3c7a39bf037cfec655ef0015a65749
  SHA256    460ba552859480088a765e67aadfb9203ad38c0203758be6abb66bd561825cd9
  SHA512    ea576a4a3bf538cf8da4e497edaecee346fd149cd14450f00c293cc0b51bb798d0ad9ee59a4332ac6428876e8f4650585bfc8f33e03acb5dc5df8888a78ce3a9

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\DownloadNow.dll
  Filesize  636KB
  MD5       0ef89278c44bdfb74ee35eeee2b6a36f
  SHA1      d63ad892f3cb3f103e6b9f0dcdcc1e0eed68977b
  SHA256    ff936c32fb888c469b0c59463f1ee8113e91fa07209a708953b9bd8a2602bec7
  SHA512    b95863b67af4490053663d887b1a649822e1109cd0f0008689618b0896102889fa8de37343a7e114de7f696781107de32af71ce81852ccf1eeb8a99cc9b3822e

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\DownloadPngToBmp.dll
  Filesize  764KB
  MD5       51da7dac5824ca53a25f127dff49feaa
  SHA1      384086d637cefbafcb70ab431273f53f384f4e2c
  SHA256    2e4bc51905f8c3dd92a521491ce10d2d8b4d6aac55d7b29a11ed3841d54f13ee
  SHA512    85d663675509e7133e078be0f7da1853c103f3b7711532576ec103f93206ab6da34e92da8685e3f4c46dc40377c7965c5f4ea51f0dae9c5efc868a14fdd10f4f

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\DownloadProgress.dll
  Filesize: 637KB
  MD5: 9599adacad3d2027f5033236bb1b5938
  SHA1: f5d0f05a38e65f3878bd568efe715b2928345a5c
  SHA256: 7749df39a07bd55dd251a71f48114ae62af1c8676069be817eaed18830dd3ce5
  SHA512: 3c9f427cc70a3aaf784dda9a97f0533ea2f2be6f4f45aabbcca706de0fc9f20cc254492612d4504ce7f7cbbe92921c59c804d7bddfb9ec0775e73a936dab53e2

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\DownloadStream.dll
  Filesize: 634KB
  MD5: 356262868adabb850bf4a0d0a1f1accb
  SHA1: 459c46d0a993c1e7c995fa81b75fbbc1db11f710
  SHA256: 4025639593ef70be8d09bc1433665d9ca89e75e055624eeec7722aadea3de1f6
  SHA512: 7a17a9919784f80eaa0fc7f33ad62d3019dd5dc5f529d787487dc081e3bf776ef226c6904a1650828e18a67a49767f0183f6ee15f50ddd60ae5a7366d607d5d2

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\InnoCallback.dll
  Filesize: 63KB
  MD5: 1c55ae5ef9980e3b1028447da6105c75
  SHA1: f85218e10e6aa23b2f5a3ed512895b437e41b45c
  SHA256: 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
  SHA512: 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\IsRunning.dll
  Filesize: 88KB
  MD5: 4f686ae2446528595bf253bc1bcf8abb
  SHA1: b8baf432755db350b62307af4415ec0e48c25257
  SHA256: 6d7f9b231b36bdf9efc688216c1fb34089b15506c7fd2ea725dc6245b062baa2
  SHA512: d679bf7e025d23ac611d23a34095acde40432fd87d93b19eee2874e816141fedbf3ad728b877fd4943a9eaa29ee9c102c9ac71eca5f27d8701335ddc8947d3b2

• C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\PTB.dll
  Filesize: 261KB
  MD5: 85c343098c79f5fd5b910031a5ed8e64
  SHA1: 5429b525a6d83c819e7f84cb012724f2f8a9e86e
  SHA256: 53a56b4c1a8ce9452efa9d0f484f0d251326f37d227b7a9b399be655e3e1c5ba
  SHA512: ac49aadc0333b0955faa13d91c530f1c808b4817485068445505cf1e38ad6bc4598727dce5bd3868fd8b436811b20cd7771722c43ba42ba48a7911017c18db7e

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\audition.bmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        3KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        34ead054a2e01e836957625059c846c7

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        60c9730f025946a06c2469788a46d88d2908d277

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        e99dc52a703bfd686a49f9cc8391c1e3994b42cdd5409eb9fe12d05218914851

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        ce72b27b566eadac6dfcba825076aa1e8e46759bfb88dbee030cce26b3abbd0ad609a34a1a9e1316574f721baee594fdbaeee9e1ee9a18c23489300d3c9b8a6e

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\images.zip

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        60KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        f35cae2c5bf26d914270cdd777717e60

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        be7699c36dbcda6334f3debd6529401be269bdad

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        bf943c55503a576bc381bf460e8460faf5fd78318da5d638526b0cd2010db149

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        d73fff43e1a159f41bb620d5d800533d3a44187324a60316276860a2f0abd94beaabc7f78d96e3f7f082a0c4cd90a037615b1a4017d8619e8e27a8ac98289ae4

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\unzip.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        164KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        75375c22c72f1beb76bea39c22a1ed68

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        e1652b058195db3f5f754b7ab430652ae04a50b8

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-HIV9R.tmp\unzip.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        164KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        75375c22c72f1beb76bea39c22a1ed68

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        e1652b058195db3f5f754b7ab430652ae04a50b8

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\{25217D8E-046C-4c92-BAF4-6EDD7A3F9612}.tmp\360P2SP.dll

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        824KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        fc1796add9491ee757e74e65cedd6ae7

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        8.6MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        94b0de6d69d3a17549f4aba998c04a65

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        6a821ce01f217a1551b011d48e790da005c14ab9

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        a8c0a7ebce591a6b5e8f8e630272926bc7e0f9b1f23a23debceac9519bcb8ab6

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        941ec93cd544324109eeaddedcfea6c4137368dc7140a16af99cf98b15257008665f07b68e2edc58dbca9ceb66ef463d013453645532f832082d17f4494093eb

                                                                                                                                                                                                                                      • C:\Users\Admin\Unosetup\UnoSetup.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        3.4MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        4d12c69e5ea597a401d4df8985c07ac3

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        cd849272a978dcee29423c522bca4662406002c2

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        93a0a5ff338ed2028bfb48a105c2ae94342e0e805fbf7d8e5037a50e35ea0f20

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f6f42b0f8ed3bc72dc50fd117338acc32fc5f8b95db225ac503975ad5f6f54e54074dcd92c0d59bda97038d1c124deee799e491e8542ee3970f6f549d4c6407f

                                                                                                                                                                                                                                      • C:\Users\Admin\Unosetup\UnoSetup.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        3.4MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        4d12c69e5ea597a401d4df8985c07ac3

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        cd849272a978dcee29423c522bca4662406002c2

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        93a0a5ff338ed2028bfb48a105c2ae94342e0e805fbf7d8e5037a50e35ea0f20

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f6f42b0f8ed3bc72dc50fd117338acc32fc5f8b95db225ac503975ad5f6f54e54074dcd92c0d59bda97038d1c124deee799e491e8542ee3970f6f549d4c6407f

                                                                                                                                                                                                                                      • C:\Users\Admin\Unosetup\run.bat

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        24B

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        861f3b0ea89b5b444abc0d1864e95d41

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        61c05aefe8b6369e63de57d6af23ac4386df7b34

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        e4a32b3f06118b0546994edc4365cc908108febfbb156badafe6123bf4831d32

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        759c537e8c1c3e72e185cfad8be1b4e229857f93235e04baba9160f6932d2dfcfab28a1baf614239a275ecedde4a318dd22991f227088fb506a51fef7b93ad94

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA3DE.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA3DE.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA5D3.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        183KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        ea69fed5e402effc777eaeed7239f7e7

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        a72f7a0e7e164c245dab1ff5deefb19459140adb

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        ce46ce12d5fa299668244a1c567aacc62caef2f5b118717dce83ddc0b26284e6

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f64e459109e81d2e0b378c5d51a3df58c3d706ee1570ca645f1db0922b9ec09f34b761c3ad3a864da6925cb69edc62602287c610d6e05efa06a053de0c3fe54d

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA5D3.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        183KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        ea69fed5e402effc777eaeed7239f7e7

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        a72f7a0e7e164c245dab1ff5deefb19459140adb

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        ce46ce12d5fa299668244a1c567aacc62caef2f5b118717dce83ddc0b26284e6

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f64e459109e81d2e0b378c5d51a3df58c3d706ee1570ca645f1db0922b9ec09f34b761c3ad3a864da6925cb69edc62602287c610d6e05efa06a053de0c3fe54d

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA7D8.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        183KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        ea69fed5e402effc777eaeed7239f7e7

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        a72f7a0e7e164c245dab1ff5deefb19459140adb

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        ce46ce12d5fa299668244a1c567aacc62caef2f5b118717dce83ddc0b26284e6

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f64e459109e81d2e0b378c5d51a3df58c3d706ee1570ca645f1db0922b9ec09f34b761c3ad3a864da6925cb69edc62602287c610d6e05efa06a053de0c3fe54d

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA7D8.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        183KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        ea69fed5e402effc777eaeed7239f7e7

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        a72f7a0e7e164c245dab1ff5deefb19459140adb

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        ce46ce12d5fa299668244a1c567aacc62caef2f5b118717dce83ddc0b26284e6

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f64e459109e81d2e0b378c5d51a3df58c3d706ee1570ca645f1db0922b9ec09f34b761c3ad3a864da6925cb69edc62602287c610d6e05efa06a053de0c3fe54d

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA9AE.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIA9AE.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIAA0D.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIAA0D.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIAA9A.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIAA9A.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        bf550a292da34f8e873d6967fc8e48fc

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        b99143293b2537bd14a75b6c51ad1fc82bf83e12

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        33820dd281ed1444bd8bd5339812048b9bfd72fc59b9a417304a216cf4a4e4df

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1109b5a1faf6872642e969caf3bd45c0e376f491cee577017f198a4bd26ed7a1359834e495593c11466eb5cd0373ddf625458dd894f8ed748e837429b147ad58

                                                                                                                                                                                                                                      • C:\Windows\Installer\MSIAB28.tmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        176KB

• C:\Windows\Installer\MSIAB28.tmp (176KB)

• C:\Windows\Installer\MSIAD6B.tmp (176KB)

• C:\Windows\SysWOW64\libeay32.dll (1.3MB)

• C:\Windows\SysWOW64\ssleay32.dll (329KB)

• memory/688-165-0x0000000000400000-0x00000000004E8000-memory.dmp (928KB)
• memory/688-174-0x0000000000400000-0x00000000004E8000-memory.dmp (928KB)
• memory/828-358-0x0000000000310000-0x0000000000486000-memory.dmp (1.5MB)
• memory/1664-374-0x00007FFFC35F0000-0x00007FFFC35F1000-memory.dmp (4KB)
• memory/2240-144-0x0000000003F50000-0x0000000003F6F000-memory.dmp (124KB)
• memory/2240-141-0x0000000003DC0000-0x0000000003E0C000-memory.dmp (304KB)
• memory/2792-259-0x0000000005590000-0x00000000055B0000-memory.dmp (128KB)
• memory/3200-239-0x0000000000A70000-0x0000000000BE6000-memory.dmp (1.5MB)
• memory/3200-282-0x0000000006880000-0x0000000006912000-memory.dmp (584KB)
• memory/4144-355-0x0000000005A10000-0x0000000005F3C000-memory.dmp (5.2MB)
• memory/4184-389-0x000000003B300000-0x000000003B301000-memory.dmp (4KB)
• memory/4292-194-0x0000000004810000-0x000000000485C000-memory.dmp (304KB)
• memory/4292-197-0x0000000003650000-0x0000000003665000-memory.dmp (84KB)
• memory/4292-181-0x00000000042D0000-0x000000000439A000-memory.dmp (808KB)
• memory/4292-178-0x0000000003550000-0x00000000035F8000-memory.dmp (672KB)
• memory/4292-173-0x0000000003490000-0x0000000003538000-memory.dmp (672KB)
• memory/4292-187-0x0000000003630000-0x000000000364F000-memory.dmp (124KB)
• memory/4292-184-0x00000000044E0000-0x0000000004588000-memory.dmp (672KB)
• memory/5028-134-0x0000000000400000-0x00000000004DB000-memory.dmp (876KB)
• memory/5028-136-0x0000000000400000-0x00000000004DB000-memory.dmp (876KB)
• memory/6464-390-0x0000000000800000-0x0000000000801000-memory.dmp (4KB)
• memory/6640-387-0x0000000000010000-0x0000000000011000-memory.dmp (4KB)
• memory/6948-388-0x000000006BC10000-0x000000006BC9E000-memory.dmp (568KB)