Malware Analysis Report

2024-09-11 13:42

Sample ID 240613-skbj7syamn
Target Aimware cracked.exe
SHA256 63c7a5db3e679333031a9560c43a9f4cec16e17a6f77d54e176819777b39bdad
Tags
discovery evasion persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63c7a5db3e679333031a9560c43a9f4cec16e17a6f77d54e176819777b39bdad

Threat Level: Known bad

The file Aimware cracked.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer

Modifies visibility of hidden/system files in Explorer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Checks installed software on the system

Blocklisted process makes network request

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:10

Reported

2024-06-13 15:11

Platform

win7-20240220-en

Max time kernel

58s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B44883AA-7751-41DA-8DC6-61DBC0911EDE\lite_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B44883AA-7751-41DA-8DC6-61DBC0911EDE\lite_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AimWare.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f7659d3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5E56.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Installer\f7659d3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5F51.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5F71.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6071.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Installer\MSI5D99.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5FB2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
File created C:\Windows\Installer\f7659d6.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5FA1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5FE1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6030.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6060.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7659d6.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5E36.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "https://yandex.ru/search/?win=650&clid=2337891-699&text={searchTerms}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\Local\\MICROS~1\\INTERN~1\\Services\\YANDEX~1.ICO" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\FaviconURLFallback = "https://www.ya.ru/favicon.ico" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\YaCreationDate = "2024-11-13" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Яндекс" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\LinksBandEnabled = "1" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\YaCreationDate = "2024-11-13" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\DisplayName = "Bing" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\DisplayName = "Яндекс" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\DisplayName = "Bing" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\NTTopResultURL C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45 C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\URL = "https://yandex.ru/search/?win=650&clid=2337891-699&text={searchTerms}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "https://www.ya.ru/favicon.ico" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "https://yandex.ru/search/?win=650&clid=2337929-699&text={searchTerms}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://downloader.yandex.net/banner/ntpagelogo/{language}/{scalelevel}.png" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\NTURL = "https://yandex.ru/search/?win=650&clid=2337929-699&text={searchTerms}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45 C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\ShowSearchSuggestionsInAddressGlobal = "1" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\SuggestionsURL_JSON = "https://suggest.yandex.ru/suggest-ff.cgi?uil=ru&part={searchTerms}" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\buffer\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\2e5278a0-2997-11ef-a55b-52226696de45\SuggestionsURL C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ya.ru/?win=650&clid=2337897-699" C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe \??\c:\users\admin\appdata\local\temp\aimware cracked.exe 
PID 1744 wrote to memory of 1892 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe
PID 1744 wrote to memory of 2688 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2688 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2452 wrote to memory of 2140 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2140 wrote to memory of 2456 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2456 wrote to memory of 1596 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1596 wrote to memory of 768 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2140 wrote to memory of 2680 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 1596 wrote to memory of 2128 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1892 wrote to memory of 692 N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 692 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
PID 692 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe"

\??\c:\users\admin\appdata\local\temp\aimware cracked.exe 

"c:\users\admin\appdata\local\temp\aimware cracked.exe "

C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe

"C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c deldll.bat

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 -w 1000 127.0.0.1

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:12 /f

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /passive /msicl "VID=699 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y "

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\YandexPackLoader.exe --stat dwnldr/p=8981/rid=855c4f97-9a13-42c0-8a55-6cc0f81e7aea/sbr=0-0/hrc=200-200/bd=267-10639168/gtpr=1-1-1-255-1/cdr=0-b7-b7-ff-b7/for=3-0/fole=255-0/fwle=255-0/vr=ff-800b0109/vle=ff-800b0109/hovr=ff-0/hovle=ff-0/shle=ff-0/vmajor=6/vminor=1/vbuild=7601/distr_type=landing/cnt=0/dt=2/ct=1/rt=0 --dh 1528 --st 1718291469

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7DF1A5BB3254DB297185279F4EA55E22

C:\Users\Admin\AppData\Local\Temp\B44883AA-7751-41DA-8DC6-61DBC0911EDE\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\B44883AA-7751-41DA-8DC6-61DBC0911EDE\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER

C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\BE255675-F5D2-415C-8F45-3D3750B56A82\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\C4A13C64-CB0C-4B93-9E20-B68125C283BE\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.exe --silent --pin-taskbar=y --pin-desktop=n

C:\Users\Admin\AppData\Local\Temp\C4A13C64-CB0C-4B93-9E20-B68125C283BE\sender.exe

C:\Users\Admin\AppData\Local\Temp\C4A13C64-CB0C-4B93-9E20-B68125C283BE\sender.exe --send "/status.xml?clid=2337898-699&uuid=dcd94098-BAB2-4C88-84BD-D312B3FEbeb0&vnt=Windows 7x64&file-no=6%0A10%0A11%0A12%0A13%0A15%0A17%0A18%0A21%0A22%0A24%0A25%0A40%0A42%0A43%0A45%0A57%0A61%0A89%0A103%0A111%0A123%0A124%0A125%0A129%0A"

C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe

"C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe" --job-name=yBrowserDownloader-{634E1090-FF9A-4AE5-A0E2-40A4463DF7E7} --send-statistics --local-path=C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe --YABROWSER --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe?clid=2337888-699&ui=dcd94098-BAB2-4C88-84BD-D312B3FEbeb0 --use-user-default-locale

C:\Users\Admin\AppData\Local\AimWare.exe

C:\Users\Admin\AppData\Local\AimWare.exe

C:\Users\Admin\AppData\Local\Temp\aim77AF.tmp

"C:\Users\Admin\AppData\Local\Temp\aim77AF.tmp"

C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe

"C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe"

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

Network

Files

memory/1856-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\aimware cracked.exe 

\Users\Admin\AppData\Local\Temp\genteert.dll

\Users\Admin\AppData\Local\Temp\genteeD0\guig.dll

C:\Users\Admin\AppData\Roaming\Aimware cracked\flutter_windows.dll

C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe

\Windows\Resources\Themes\icsys.icn.exe

C:\Users\Admin\AppData\Local\Temp\deldll.bat

memory/2452-74-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

memory/2452-82-0x0000000001C30000-0x0000000001C4F000-memory.dmp

\Windows\Resources\spoolsv.exe

memory/2140-92-0x0000000000390000-0x00000000003AF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\MSVCP140.dll

C:\Users\Admin\AppData\Roaming\Aimware cracked\VCRUNTIME140.dll

C:\Users\Admin\AppData\Roaming\Aimware cracked\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Roaming\Aimware cracked\VCRUNTIME140_1.dll

\Windows\Resources\svchost.exe

memory/2456-115-0x0000000000320000-0x000000000033F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\app.so

memory/1892-123-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1892-124-0x00000000032D0000-0x0000000003749000-memory.dmp

memory/1892-127-0x00000000032D0000-0x0000000003749000-memory.dmp

memory/1892-129-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1892-128-0x00000000032D0000-0x0000000003749000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\icudtl.dat

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\FontManifest.json

memory/768-140-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\fonts\MaterialIcons-Regular.otf

memory/2456-139-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\assets\fonts\Montserrat-Bold.ttf

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\assets\fonts\gothampro_black.ttf

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\assets\YandexBrowserLogo.svg

MD5 8143f6880199b8e992edc37906737642
SHA1 5ea7b2e039ae202878f063da4ec06a58e78789c4
SHA256 10c527dfb3c9521c4bbdff8d52c8ded04bcad20dbb4409c970a0cb2bd8a1f00d
SHA512 1fe8695d8bef10cd4cbf07045dca3c6ec5ce93619a766ea5c18272301551b05ea55c5df52fa3d53be58cd7038c8bd38e188a6bc76f1b9449e298da4a95691655

memory/2452-142-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1856-143-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

MD5 93627dc0563de52ffead32d29dab3bd0
SHA1 bded947f5374609606b06f70ce53ed4874a6a477
SHA256 f1782058359784a2c34ea1c1f313caa3060a72c4c18e9bb7d760e40e6d095001
SHA512 4495bc5cad2b406364f44187138274271d3baa6eaead90f29e5957a5cddcd0d3e87c7d309608cb291635f2c173569dfbf75b35faceb1420f14ea860ce9a379bb

C:\Users\Admin\AppData\Local\Temp\Cab513E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar5150.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar52EC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

MD5 80d2dd34eb0c5904b09339a0d9c7e26e
SHA1 57f990e23660e2f00ef4c10c68fde78210451376
SHA256 afb3d35762171e821e8f29282b25dacb9c2dc099f2c61ca5ac010e08db475470
SHA512 ebf83cd70d37e0519a5f942a06e052ff75b8d7ccffb88285f6ec4911b196fd1a5fc3b6b0ec74924adba34e91308378847ac5baf84bdcf9e64fcebf45809ce98e

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 71f9f40a9b94f25817d743e13e20ef9a
SHA1 855c48a7af4fc8fc6e24bcd5e6fdd42e2f9606c9
SHA256 35de0e1fbfd9ef62ac43d2fddced39e4d231da5f4b68d7d42d57633882e4e3cb
SHA512 28a62c646a00a87f2bcde188b6d794aa5e3f8b1a6a1e25bce4e9a4d3b771f6f16a90a94e4ae17051846513940220043baf4a6ff0fa698e6ccb37b826d5112e60

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 b78a1d41318c6f96defed8e74ca4a516
SHA1 cb39558ce386c3e0d7df0fbfaf4aa692630f11f1
SHA256 22db2d018bc8ad91cbcdb9353af64c6063d2cefd2a8503b4464b7c64def60785
SHA512 2d95a0038712c7fea79bdb5b7d5bf307ce894fcf1771194f77191d45ebd175c4adadcaddfa5208c9c0611706fd05f7c6a8d789538bb744cdb8d30933148f1fde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bdc12879d2f691a5f6d9875b2673e9a
SHA1 c5919c542d2852abe03ee74067409552aca12735
SHA256 8bd696fc8518f9c16f30079eea8faa661a6f034dbb515ccd18ccfd682c434e6c
SHA512 00762142e4853c786997adc31fa4219487967cfe470f1c602a745d84ffb0fe13ca9e193c8a91838177f786fb421112e27f523b6c6f54bb6f79d44b4c7152c8e7

C:\Windows\Installer\MSI5D99.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

\Windows\Installer\MSI5E36.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 9fc4c63e9ad343e8a45fd22bee2f5eb4
SHA1 87f865d5b60d3ed6175244e460b70ff5c373c4be
SHA256 0e50fab55969e8d00ca1d0a7ffd24ea614aef944a2d6dad578109937a200762e
SHA512 932b46f108b1b8f41ea094ebfd18800990ada91e8f9af797048bf61d5877d4cf4dc1e6da393ba2168cd850265f8a20e5016baebf935780126c9b639e3cd141a2

C:\Config.Msi\f7659d7.rbs

MD5 672db1da9df74b6f1edc114ad1badb2f
SHA1 c98df0b185e4608fba9925bdb60c30c41d3df9c0
SHA256 c563cf6b775d1ffcc0609dfb3101115eb25902343f270e3d0310161055c9bda3
SHA512 a322c95d2413b6defa93ab6be10648724b01aed428b445c3e8eaba26f3c76f7d29ceb47a2a06a2902f31b60af513d11ea34cdde6f8867b309f6254b7e7d66563

C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP

MD5 bf306e8d5c65da6939fb3afd0343068c
SHA1 164b28357239a5274f728db1961e6cca1315859a
SHA256 c6d7718196977c2cb446b8398e890dad8d26b6c2d5775d307ba7e1c176201bb3
SHA512 77a8571aaac5c7b65c32f7b5453bb09dd2ac621a5074dd25df197ececadbfe1a4037780a55799d90747374d001e7feb5a743318dc6359908d32b353b694bca74

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.Admin\places.sqlite-20240613151114.243200.backup

MD5 314cb7ffb31e3cc676847e03108378ba
SHA1 3667d2ade77624e79d9efa08a2f1d33104ac6343
SHA256 b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1
SHA512 dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xkoyglns.default-release\thumbnails\51219c819602fd1704cf9839276a7050

MD5 af80a936c10e18de168538a0722d6319
SHA1 9b1c84a1cf7330a698c89b9d7f33b17b4ba35536
SHA256 2435c0376fca765b21d43e897f4baa52daa0958a7015d04103488c606c99d1d3
SHA512 9a1325c8ce05806e5c161a4cf47239f62baad8f79650fbd713e74928fce8171ced10ba7f24fac46c548e1dbf3f64106270cb25ca88c836c870107f5dc1f97879

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xkoyglns.default-release\thumbnails\aca6fc3c340255593de18f7aca065fc4

MD5 998228b70e357630b290d2d8816c25b1
SHA1 216440afe56e95a003802aeb28412b8302334c26
SHA256 a61c9c82b6cf7b583bf6c664b343501fc37ac08fa75bf15b01b3aa4ea11297b5
SHA512 53bdae4da0263a09a908ed1c385ca95467d6a6af95b3dc4fbd78c455ef06e71e1668cfaaba7fc9a41a2aaff08aef00ccf3a7f1dc9bb68d846fb0bd8fdf187993

C:\Users\Admin\AppData\Local\Temp\{CF3F0593-1B2E-4154-99A2-59400869626F}.exe

MD5 868a68bb418740e8f7cdb88c8dae5a40
SHA1 e2efcee76cafd18377e0326551a144d73d947928
SHA256 92ae76a808a63688f5e9e4bc09e427842b371927fc95af04f0d3e7aed99b66f1
SHA512 31d628927753ddab982a5487a6f0d8f3eb175cfadb1f05b5a9504c399fe9073da14f010b1171ee88ccc73114d2de6c80227f1fd44455f429cd511bed4471b4ed

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240613151116.583200.backup

MD5 3adec702d4472e3252ca8b58af62247c
SHA1 35d1d2f90b80dca80ad398f411c93fe8aef07435
SHA256 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335
SHA512 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Services\www.ya.ru.ico

MD5 a6f6261de61d910e0b828040414cee02
SHA1 d9df5043d0405b3f5ddaacb74db36623dd3969dc
SHA256 6bb91f1d74389b18bce6e71772e4c5573648c1a4823338193f700afdf8216be5
SHA512 20cb7b646c160c942e379c6e7a1a8981a09f520361c0205052c1d66e2fdb76333ffaaf0ca1dfc779754f0e844b9946900fbd5690d01869e1607abc1fda6dffab

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240613151116.583200.backup

MD5 78113fe49a0d5318c22653110c3a7132
SHA1 3f53d75b311b261fb2c4212f3620a8ce724f2ec2
SHA256 75c5e31e5e1d9783c6d19c3e257acc85f8cef10990c4b1fdaa57f7767eafbdef
SHA512 7d5a1cff7f9360776a6eb758bb77771a58d4258798e2f88d0e179f3ddc0f1363c8050d49bbbafef3449f9a0e3034e4adcc570042b500620287edc7c28b0be8a8

C:\Users\Admin\AppData\Local\Yandex\YaPin\Yandex.lnk

MD5 4b86efa3a47b5713ab2defabb83f61db
SHA1 357d55d45d0c1c393b7fb1ed71c132071c3d1b77
SHA256 3a3c516071871f6c5f314aa5d17d7bfe6f5573449e6e9073a7af58f675b5a91d
SHA512 e3268b898d5cfaad9575af3996914f62c4c61b49c6a10e8e6c4287a11bb7b62b2b43981b7862881dc7c95a437f244d8adec43fe593a7b76906bfab44a651cfd7

C:\Users\Admin\AppData\Local\Yandex\YaPin\Яндекс.website

MD5 f3b2bb2c25a6be7d1cff7f70739db6cf
SHA1 8836190f4ad8b04a5ca4a20ad54f4941b3804704
SHA256 812f76d1d2d5cab919519487b323286b2f6967db857cc5c6556017a535ce7ca3
SHA512 0868b482d04468a19cbda3486f700fd96d0c1c995885a3aa23aad2c1a86f1e4bf98c57729b9659b149a16ff872b45037242f89a66dcfdb701b7cc7c85fd9c5bd

memory/2468-8925-0x0000000000570000-0x0000000000572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 d62357131af13d580b86f378412e755d
SHA1 24838ecc21a5882ee314ff3e6e5fe5ca5afe3dea
SHA256 2ccd802dd1efc90076a24695b4738a27cf5477f981fe40d748d5d6b4c2259bac
SHA512 986dfdd705d6f5ba1c85231e94b3ef08c2e5e33ba35cae57e85784e46a55d12eef61482174752d53fb36badc226bad4f467d1614fc63568ca20d577b05bd8ae8

C:\Users\Admin\AppData\Local\Temp\lite_installer.log

MD5 333b8548248218a64cd0b0e05d313388
SHA1 04ed5aea0d0f8795cf58a48437d8e82fe23c56f4
SHA256 d2dea50d0723cc97c8aa1dd88c8681e0ff854270931c033d1803eb7085f9e260
SHA512 05f65e0a4bf75afca42890d4c7b90e4018f85b67bed1bc5d9377e967f0acc4ce65086c81e072772e0fa9b58aa5238893ef1752b32a86d629aedd27edc5038a82

C:\Users\Admin\AppData\Local\AimWare.zip

MD5 0874e014407612b68d95fcc2810c5757
SHA1 a6491c031978cb216d84210684f81be3850cec65
SHA256 59e4d52326c12fdcf36c4123d30b6c6ceb137ce8674ec971e0ad0c7ec1f9623b
SHA512 044a272b4922e742b8138274432b3d3ff025d673445c3c39fe7ff33948f7cf3d2a15a4b7352e0d9e02aa1ed34441775a392e9cc5e0fbca4dae597cf2562ad524

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\info[1].rss

MD5 1624f4a1e637e4a958ca214764ad4d02
SHA1 4cc8a668178c5ed1b3b40077a9cc890f2d7920e9
SHA256 69e56887caf622cda9ba6380bfc46bc08ba2e80361d9b087b79bf12d40b07f75
SHA512 239c21bc060b10eb350d4a69700189d61136f09278c1d41004310d151973ad8e56e62a39bb2700481390b4a11904c727dd4ac555b43f56d3046535052db1d551

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1da4558d66b57e765d502050ba6fb767
SHA1 c0109c06389948a8c0649d2e30385369e37da66b
SHA256 2de1b65b9590c4ebbc3896b7cd6559761f928e8fa2ef99df4d2dc0b138b00a62
SHA512 c3d4c33182edb5ad26aa15e32510ebe258b6ffe84298dfded53a8415327e5ba8dbfc6d0841acdff8df8750bde2329a2d94e92265a03db0b01e230468f8efeb8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 15:10

Reported

2024-06-13 15:12

Platform

win10v2004-20240611-en

Max time kernel

74s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6FD5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification C:\Windows\Installer\e586a3e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D1D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6DDA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E69.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6EB9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File created C:\Windows\Installer\e586a3e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E48.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E89.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F08.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F86.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Installer\MSI6D9B.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [certificate blob removed] C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = [certificate blob removed] C:\Users\Admin\AppData\Local\YandexPackLoader.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe \??\c:\users\admin\appdata\local\temp\aimware cracked.exe 
PID 4592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe \??\c:\users\admin\appdata\local\temp\aimware cracked.exe 
PID 4592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe \??\c:\users\admin\appdata\local\temp\aimware cracked.exe 
PID 1700 wrote to memory of 4508 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe
PID 1700 wrote to memory of 4508 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe
PID 1700 wrote to memory of 3300 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 3300 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 3300 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4592 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 4592 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 3036 wrote to memory of 5116 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3036 wrote to memory of 5116 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3036 wrote to memory of 5116 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3300 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3300 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3300 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5116 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5116 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5116 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3256 wrote to memory of 5036 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3256 wrote to memory of 5036 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3256 wrote to memory of 5036 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5036 wrote to memory of 3316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 5036 wrote to memory of 3316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 5036 wrote to memory of 3316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4508 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 4508 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 4508 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 3544 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
PID 3544 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
PID 3544 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
PID 3544 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 3544 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 3544 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 4560 wrote to memory of 4052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4560 wrote to memory of 4052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4560 wrote to memory of 4052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 1824 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe
PID 4052 wrote to memory of 1824 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe
PID 4052 wrote to memory of 1824 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe
PID 4052 wrote to memory of 1212 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe
PID 4052 wrote to memory of 1212 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe
PID 4052 wrote to memory of 1212 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe

"C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe"

\??\c:\users\admin\appdata\local\temp\aimware cracked.exe 

"c:\users\admin\appdata\local\temp\aimware cracked.exe "

C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe

"C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c deldll.bat

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 -w 1000 127.0.0.1

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe" /passive /msicl "VID=699 YABROWSER=y YAHOMEPAGE=y YAQSEARCH=y "

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

C:\Users\Admin\AppData\Local\YandexPackLoader.exe --stat dwnldr/p=8981/rid=5d26e555-c30d-4f4d-b039-eea236ecfae8/sbr=0-0/hrc=200-200/bd=267-10639168/gtpr=1-1-1-255-1/cdr=0-b7-b7-ff-b7/for=3-0/fole=255-0/fwle=255-0/vr=ff-0/vle=ff-0/hovr=ff-ff/hovle=ff-ff/shle=ff-0/vmajor=10/vminor=0/vbuild=19041/distr_type=landing/cnt=0/dt=2/ct=0/rt=0 --dh 2348 --st 1718291530

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A130780DD4E8C52905CF7BACB9D20C45

C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe

"C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe" --use-user-default-locale --silent --remote-url=http://downloader.yandex.net/downloadable_soft/browser/pseudoportal-ru/Yandex.exe --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/ --YABROWSER

C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe

"C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe" "--yqs=y" "--yhp=y" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=y" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\11AC166F-C1CF-46B7-98D8-19AAD6254A9A\sender.exe" "--is_elevated=yes" "--ui_level=2" "--good_token=x" "--no_opera=n"
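
The WriteProcessMemory table and the Processes list above together give the full process tree of this detonation. The Python below is an added example, not part of the sandbox output: it parses the WriteProcessMemory rows (copied from the table with repeated rows collapsed), rebuilds the parent/child tree and applies three checks a detection engineer would want on this data. First, Windows image names (explorer.exe, svchost.exe, spoolsv.exe) running from C:\Windows\Resources instead of the directories they really live in. Second, a parent writing into a child that runs the same image, which is how the first-stage Aimware cracked.exe spawns a copy of itself (the child's name carries a trailing space in the table) and how YandexPackLoader.exe spawns itself. Third, cmd.exe /c deldll.bat followed by ping -n 2 -w 1000 127.0.0.1, the loopback-ping delay batch files commonly use to wait for a parent to exit before deleting files. The expected-directory allowlist and the PID-to-command-line pairing are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows above,
# repeats collapsed. Each row reads:
#   PID <parent> wrote to memory of <child> N/A <parent image> <child image>
WPM_ROWS = r"""
PID 4592 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe \??\c:\users\admin\appdata\local\temp\aimware cracked.exe
PID 1700 wrote to memory of 4508 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe
PID 1700 wrote to memory of 3300 N/A \??\c:\users\admin\appdata\local\temp\aimware cracked.exe  C:\Windows\SysWOW64\cmd.exe
PID 4592 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Aimware cracked.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 3036 wrote to memory of 5116 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3300 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5116 wrote to memory of 3256 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3256 wrote to memory of 5036 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 5036 wrote to memory of 3316 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4508 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 3544 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe
PID 3544 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\YandexPackLoader.exe C:\Users\Admin\AppData\Local\YandexPackLoader.exe
PID 4560 wrote to memory of 4052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4052 wrote to memory of 1824 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe
PID 4052 wrote to memory of 1212 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe
"""

# Command lines from the Processes section, keyed by the PIDs the table
# assigns to those images. This pairing is an assumption of the example.
CMDLINES = {
    3300: "cmd.exe /c deldll.bat",
    4004: "ping -n 2 -w 1000 127.0.0.1",
    3256: r"c:\windows\resources\spoolsv.exe SE",
    3316: r"c:\windows\resources\spoolsv.exe PR",
}

# Assumed allowlist: directories these Windows image names legitimately run from.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

# A path starts either with a drive letter ("C:\") or the NT prefix ("\??\").
PATH_START = r"(?:[A-Za-z]:\\|\\\?\?\\)"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Lazy match up to the next path start or end of line, so paths with spaces survive.
PATH_RE = re.compile(PATH_START + r".*?(?=\s+" + PATH_START + r"|\s*$)")


def normalize(image):
    """Drop the NT '\\??\\' prefix, case and surrounding whitespace."""
    image = image.strip()
    if image.startswith("\\??\\"):
        image = image[4:]
    return image.lower()


def parse_rows(text):
    """Return (images, children, writes): pid->image, parent->[children], [(parent, child)]."""
    images, children, writes = {}, defaultdict(list), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        paths = PATH_RE.findall(m.group(3))
        if len(paths) != 2:
            raise ValueError(f"could not split images in: {line!r}")
        images.setdefault(parent, normalize(paths[0]))
        images.setdefault(child, normalize(paths[1]))
        if child not in children[parent]:
            children[parent].append(child)
            writes.append((parent, child))
    return images, children, writes


def split_path(image):
    directory, _, name = image.rpartition("\\")
    return directory, name


def find_masquerades(images):
    """Windows system image names running from directories they never live in."""
    hits = []
    for pid, image in sorted(images.items()):
        directory, name = split_path(image)
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            hits.append((pid, image))
    return hits


def find_same_image_writes(images, writes):
    """Parent writing into a child running the same image: self-injection/hollowing heuristic."""
    return [(p, c) for p, c in writes if images[p] == images[c]]


def lineage(children, pid):
    """Chain of PIDs from the tree root down to pid."""
    parent_of = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def find_batch_ping_delay(images, children, cmdlines):
    """cmd.exe /c <x>.bat whose child pings 127.0.0.1: the sleep-then-delete pattern."""
    hits = []
    for pid, cmd in cmdlines.items():
        if split_path(images.get(pid, ""))[1] != "cmd.exe" or ".bat" not in cmd.lower():
            continue
        for child in children.get(pid, []):
            child_cmd = cmdlines.get(child, "").lower()
            if child_cmd.startswith("ping") and "127.0.0.1" in child_cmd:
                hits.append((pid, child))
    return hits


if __name__ == "__main__":
    images, children, writes = parse_rows(WPM_ROWS)
    for pid, image in find_masquerades(images):
        print(f"masquerade  pid {pid}: {image}")
    for p, c in find_same_image_writes(images, writes):
        print(f"same-image  {p} -> {c}: {images[c]}")
    for p, c in find_batch_ping_delay(images, children, CMDLINES):
        print(f"bat+ping    {p} -> {c}: {CMDLINES[p]!r} then {CMDLINES[c]!r}")
    chain = lineage(children, 3316)
    print("chain to 3316:", " -> ".join(f"{pid}:{split_path(images[pid])[1]}" for pid in chain))
```

Run on the rows above this flags four masquerading processes (PIDs 3256, 3316, 5036, 5116), two same-image writes (4592 into 1700, 3544 into 2508) and the cmd.exe/ping pair (3300 into 4004), and prints the six-process chain from Aimware cracked.exe through icsys.icn.exe, explorer.exe, spoolsv.exe and svchost.exe to the second spoolsv.exe. The parser strips the trailing space from the child name in the first row; in a real pipeline keep the raw name, because a child whose image name differs from the parent's only by whitespace is itself worth an alert. The same-image heuristic also fires on the YandexPackLoader.exe self-spawn, which is installer telemetry rather than injection, so treat it as a triage signal, not a verdict.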

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 downloadbrowser.xyz udp
US 8.8.8.8:53 downloadbrowser.xyz udp
US 172.67.176.4:443 downloadbrowser.xyz tcp
US 104.21.48.19:443 downloadbrowser.xyz tcp
US 8.8.8.8:53 download.cdn.yandex.net udp
US 8.8.8.8:53 download.cdn.yandex.net udp
US 8.8.8.8:53 4.176.67.172.in-addr.arpa udp
RU 5.45.205.244:443 download.cdn.yandex.net tcp
RU 5.45.205.243:443 download.cdn.yandex.net tcp
US 8.8.8.8:53 cachev2-ams03.cdn.yandex.net udp
US 8.8.8.8:53 cachev2-ams03.cdn.yandex.net udp
NL 5.45.247.53:443 cachev2-ams03.cdn.yandex.net tcp
US 8.8.8.8:53 download.yandex.ru udp
US 8.8.8.8:53 244.205.45.5.in-addr.arpa udp
US 8.8.8.8:53 53.247.45.5.in-addr.arpa udp
RU 5.45.205.241:80 download.yandex.ru tcp
US 8.8.8.8:53 cachev2-ams02.cdn.yandex.net udp
NL 5.45.247.52:80 cachev2-ams02.cdn.yandex.net tcp
US 8.8.8.8:53 downloader.yandex.net udp
RU 5.45.205.242:80 downloader.yandex.net tcp
US 8.8.8.8:53 cachev2-ams03.cdn.yandex.net udp
NL 5.45.247.53:80 cachev2-ams03.cdn.yandex.net tcp
US 8.8.8.8:53 241.205.45.5.in-addr.arpa udp
US 8.8.8.8:53 52.247.45.5.in-addr.arpa udp
US 8.8.8.8:53 242.205.45.5.in-addr.arpa udp
US 8.8.8.8:53 133.130.101.151.in-addr.arpa udp
US 8.8.8.8:53 clck.yandex.ru udp
RU 213.180.193.14:80 clck.yandex.ru tcp
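
The Network table mixes three kinds of rows: reverse (PTR) lookups that the sandbox resolver issues for every address it contacts, background Windows traffic, and the connections the sample itself drives (downloadbrowser.xyz behind Cloudflare addresses, then the Yandex download and click-tracking hosts, several of them over plain HTTP on port 80). The Python below is an added example, not part of the report: it parses a subset of the rows copied from the table, separates the three classes, and produces the IOC list with the ports used, the hosts reached without TLS, and the contacted addresses the sandbox also reverse-resolved. Treating bing.com as background noise is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed input: a representative subset of the Network table above.
# Columns: Country Destination Domain Proto
NETWORK_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 downloadbrowser.xyz udp
US 172.67.176.4:443 downloadbrowser.xyz tcp
US 104.21.48.19:443 downloadbrowser.xyz tcp
US 8.8.8.8:53 4.176.67.172.in-addr.arpa udp
RU 5.45.205.244:443 download.cdn.yandex.net tcp
RU 5.45.205.241:80 download.yandex.ru tcp
US 8.8.8.8:53 244.205.45.5.in-addr.arpa udp
RU 5.45.205.242:80 downloader.yandex.net tcp
US 8.8.8.8:53 clck.yandex.ru udp
RU 213.180.193.14:80 clck.yandex.ru tcp
"""

# Assumption: traffic to these suffixes is Windows/Edge background activity in
# the sandbox rather than sample behaviour. Tune per environment.
NOISE_SUFFIXES = ("bing.com",)

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_network(text):
    """One dict per row: country, destination ip/port, queried or connected domain, proto."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(domain):
    """'4.176.67.172.in-addr.arpa' -> '172.67.176.4'; None for names that are not PTR."""
    m = PTR_RE.match(domain)
    return ".".join(reversed(m.groups())) if m else None


def is_noise(domain):
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(rows):
    """Split rows into PTR targets, background noise and IOC candidates with ips/ports."""
    ptr, noise = [], set()
    iocs = defaultdict(lambda: {"ips": set(), "ports": set()})
    for r in rows:
        target = ptr_to_ip(r["domain"])
        if target:
            ptr.append(target)
        elif is_noise(r["domain"]):
            noise.add(r["domain"])
        elif r["proto"] == "tcp":
            iocs[r["domain"]]["ips"].add(r["ip"])
            iocs[r["domain"]]["ports"].add(r["port"])
        else:
            iocs[r["domain"]]  # DNS-only so far: record the name with no connection
    return {
        "ptr": ptr,
        "noise": sorted(noise),
        "iocs": {d: {"ips": sorted(v["ips"]), "ports": sorted(v["ports"])}
                 for d, v in iocs.items()},
    }


def plaintext_hosts(iocs):
    """Domains the sample reached over port 80: unauthenticated download channels."""
    return sorted(d for d, v in iocs.items() if 80 in v["ports"])


def resolved_only(iocs):
    """Names that were looked up but never connected to."""
    return sorted(d for d, v in iocs.items() if not v["ips"])


def reverse_looked_up_contacts(rows, result):
    """Contacted addresses the sandbox also reverse-resolved; attributes the PTR rows."""
    contacted = {r["ip"] for r in rows if r["proto"] == "tcp"}
    return sorted(contacted & set(result["ptr"]))


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    result = triage(rows)
    for domain, v in result["iocs"].items():
        print(f"ioc  {domain}: {', '.join(v['ips']) or '(resolved only)'} ports={v['ports']}")
    print("noise:", result["noise"])
    print("plain http:", plaintext_hosts(result["iocs"]))
    print("ptr for contacted:", reverse_looked_up_contacts(rows, result))
```

On the subset this yields five IOC domains, three of them (clck.yandex.ru, download.yandex.ru, downloader.yandex.net) contacted over port 80, and shows that two of the PTR lookups correspond to addresses the sample connected to (172.67.176.4 and 5.45.205.244), so those rows are resolver side effects rather than sample behaviour. Every non-PTR, non-noise name in the full table is also connected to over TCP, so the resolved-only list is empty here; it matters on samples whose C2 lookups fail in the sandbox.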

Files

memory/4592-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aimware cracked.exe 

MD5 16620cf72e58b967961b6d2f5f1cdf83
SHA1 d584bbfce61a6d9a8d03a4e9976d9a52e5eb5b24
SHA256 9f657ef4f8470c854769a9c43b1738171aa6d81050f50eea0e803905a73e8ac4
SHA512 96f416d13f717a8c133312be9c6a96ed23c2d17916474cebb20424c7343dfe982fabbf5f066ad5add1c9624ea4adfeac12b97a8d72bab5aa1c4e7527a5016f6d

C:\Users\Admin\AppData\Local\Temp\genteert.dll

MD5 6ce814fd1ad7ae07a9e462c26b3a0f69
SHA1 15f440c2a8498a4efe2d9ba0c6268fab4fb8e0a7
SHA256 54c0da1735bb1cb02b60c321de938488345f8d1d26bf389c8cb2acad5d01b831
SHA512 e5cff6bcb063635e5193209b94a9b2f5465f1c82394f23f50bd30bf0a2b117b209f5fca5aa10a7912a94ad88711dcd490aa528a7202f09490acd96cd640a3556

C:\Users\Admin\AppData\Local\Temp\genteeBA\guig.dll

MD5 d3f8c0334c19198a109e44d074dac5fd
SHA1 167716989a62b25e9fcf8e20d78e390a52e12077
SHA256 005c251c21d6a5ba1c3281e7b9f3b4f684d007e0c3486b34a545bb370d8420aa
SHA512 9c890e0af5b20ce9db4284e726ec0b05b2a9f18b909fb8e595edf3348a8f0d07d5238d85446a09e72e4faa2e2875beb52742d312e5163f48df4072b982801b51

C:\Users\Admin\AppData\Roaming\Aimware cracked\cheatloader.exe

MD5 3e15e73f6ecc61ef7eaacdee4686e607
SHA1 b76fbdc760285f0d652220e1a0b33fe3b188bd54
SHA256 3b6da10d0eca0ea8f1a28a4df08059555269828db3da3b0b4990681829d27ffa
SHA512 9b2ddbf1c6b64084fc91de7dfa45ebb78ffcb1ee8f4b3ba3e6066fce34c1e36102187460049950741519044d6236e19b054e288f0c1a5177a5ade5c2b70c92e8

C:\Users\Admin\AppData\Roaming\Aimware cracked\flutter_windows.dll

MD5 2eb35e2372de5fc7fde925c96de61d48
SHA1 a9eedd7cf44a6eab4e08df9ab0b33fd95ceb48fd
SHA256 80efad451cd0b674b9974ef286d29ef72f219999dd8f993585f9168d97895e6f
SHA512 18a03d297770707709fcada8dd0741bd39057d54b49125119ba8b7d21aa67284dece89947dc14721fe3084e69f03e816a2ed9ad79e82ffe279d7fd0a318ff029

C:\Users\Admin\AppData\Roaming\Aimware cracked\MSVCP140.dll

MD5 bf78c15068d6671693dfcdfa5770d705
SHA1 4418c03c3161706a4349dfe3f97278e7a5d8962a
SHA256 a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb
SHA512 5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

C:\Users\Admin\AppData\Roaming\Aimware cracked\VCRUNTIME140.dll

MD5 11d9ac94e8cb17bd23dea89f8e757f18
SHA1 d4fb80a512486821ad320c4fd67abcae63005158
SHA256 e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
SHA512 aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 b460c68755dd1245a07a218917d171cc
SHA1 da97ad4d84cac54c4c34f897d52d31ca69afa5a8
SHA256 f91f4cbcf2fa86f4c6a2b504cd586697bee567672d744444d055d371b4d424c1
SHA512 cb4c958815eda73f9041f2ad15d18e160104531af7bfc98bced61466ca240ede625545801bddc7f3120ba03d7e3218fd159b1d6ad7f0d3d4ad3171e2a5a1f731

C:\Users\Admin\AppData\Roaming\Aimware cracked\vcruntime140_1.dll

MD5 7667b0883de4667ec87c3b75bed84d84
SHA1 e6f6df83e813ed8252614a46a5892c4856df1f58
SHA256 04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d
SHA512 968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

C:\Windows\Resources\Themes\explorer.exe

MD5 ccbeec7f7cfa202892d0bd73379244d8
SHA1 71d1dab17212d3fcfad5f4d5e12b6069374acd41
SHA256 243ac2085da06bf8b4fecfb74f3b5a20d4cfdd5407fde23c21b8ed675cb6090a
SHA512 1dd5003e227fb71a15e02426260705aeecec616fc9396e07c0d8603ee2f9e45499e1258c54a00415a4779d3ccbaa9cdd5c130706244789ea57adecf2f196a169

memory/4508-91-0x0000018134870000-0x0000018134CE9000-memory.dmp

memory/4508-90-0x0000018134870000-0x0000018134CE9000-memory.dmp

memory/4508-93-0x0000018134790000-0x0000018134791000-memory.dmp

memory/4508-89-0x0000018134780000-0x0000018134781000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\icudtl.dat

MD5 cf772cf9f6ca67f592fe47da2a15adb1
SHA1 9cc4d99249bdba8a030daf00d98252c8aef7a0ff
SHA256 ac44ccc3f61bf630bb20fb8043d86cfe4c8995d06b460084400db45d70497b30
SHA512 0bec0d3a34a4ac1cc2ed81dba3bc52981c5dd391a68fe21132dfadb70e42ffbe8f3ba798185733d64a900fd2bb2403f9a8558e6666f2c1e2c0e818d8e3f154fc

memory/4508-92-0x0000018134870000-0x0000018134CE9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\app.so

MD5 abbf126e8cb35b6e1c68d6abe919391b
SHA1 d70bee483bd7ef8d800a6f3a8b909a8219f6801b
SHA256 498dd477a0ae5d531bb2fe67bcf351c3843aa05e19bbde975fb333b4d9ab200b
SHA512 5dc418243d758fa615666f273af4aef1a46cba88a06b153f935c0b0b301a7867adedc0034aafef5a48a09a6424a66e61e5765a5b619a008ec4d04bcfe5f82d01

C:\Users\Admin\AppData\Local\Temp\deldll.bat

MD5 ea190ef9b139757a890cd48bdd44b0ee
SHA1 95c684e41bf7919408816aafab881621fface202
SHA256 9131de0fcaaf968896af9d58b6f37b4aa443455bb97c97bc142f295cee577bc4
SHA512 22802ffc1965c8e27f799ee88e3fa46debb316c27507a570b0812bc5de0d59a9c2a2105b8cc204851b3c29984ef1dfb7842131819952b185b7e4325a032fb6ad

\??\c:\windows\resources\spoolsv.exe

MD5 5ced1763b0be1a7b055f08a490ab563a
SHA1 5d0179a246846617f87a065fc22465c026fa28ab
SHA256 1c5b92b0fc30b97415d31624a4f3d43c0f79856108ba9f53d26aa7d96ca5a84f
SHA512 4e761da857bbc299f058721bd705f3824cd781c61523a4d5dd5816d95637e1ecdbf5ed15c273072460736628b636db81c0e0f027518db910dd2cc1a645c040ed

\??\c:\windows\resources\svchost.exe

MD5 c00f5e224a140088863c638c801cae75
SHA1 070ee90dc2e6e9042d4bf60dc9a8023375291bbf
SHA256 4205e188b91f27290812034c9c70d052ed609f7d55d363667b203b8f66924509
SHA512 98405f185f5b13a99ec8d638bc24f054346b248ab482da730e9a1010486d4c43d56ff6c4f2724097c76153ee88779366259b4a9248f30a848b462a30f93d5fea

memory/5036-117-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4592-126-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3036-125-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3256-124-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3316-123-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3256-112-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\FontManifest.json

MD5 b2f01a90f24be87c4f4ae98e79090bf5
SHA1 ae7107f7e0d5fae6288e8a82cb1c0f67efbc0b3d
SHA256 eb4549732cd13d6c3874351c182ea15850fbf71f219fe1efe9a1cac19b6c9087
SHA512 422af00f1d8835598586687bec6162c52f6eb0234222f855301bceba8dd71a2bc0e720fa4148c360e77a44be97efc587dd3e2bef5c3cdece1a925f7cf93046ba

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\assets\fonts\Montserrat-Bold.ttf

MD5 88932dadc42e1bba93b21a76de60ef7a
SHA1 3320ff5514b32565b0396de4f2064ce17ec9eea4
SHA256 c4c8cb572a5a2c43d78b3701f4b2349684e6ca4d1557e469af6065b1e099c26c
SHA512 298e1e171dbbe386e1abe153446b883c40910819099f64f54dc9faa95d739be56839537342bbe8dd8408545cb1f8c98878a3524d91af1f11a112d1bfc202657a

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\assets\fonts\gothampro_black.ttf

MD5 efb0c02a5dbe65a7115b477e74c7a661
SHA1 e30324f4074bcc522a393cecaa62aa4b0e9205cc
SHA256 270d30776b7e5ccf0560b08e0db009f4b1d9753d43689d1e20bb1065e2a3c157
SHA512 0095fb9b0cd508c996cfdc11374a040ef064a22f188d7fbeb21f23c5f7f06aa2bce75e9ae22ec1c0e0f1b8e23003f67c8e8b5962c224c1295fb311e63a9b91f4

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\fonts\MaterialIcons-Regular.otf

MD5 e7069dfd19b331be16bed984668fe080
SHA1 fc25284ee3d0aaa75ec5fc8e4fd96926157ed8c4
SHA256 d9865b671a09d683d13a863089d8825e0f61a37696ce5d7d448bc8023aa62453
SHA512 27d9662a22c3e9fe66c261c45bf309e81be7a738ae5dc5b07ad90d207d9901785f3f11dc227c75ca683186b4553b0aa5a621f541c039475b0f032b7688aaa484

C:\Users\Admin\AppData\Roaming\Aimware cracked\data\flutter_assets\assets\YandexBrowserLogo.svg

MD5 8143f6880199b8e992edc37906737642
SHA1 5ea7b2e039ae202878f063da4ec06a58e78789c4
SHA256 10c527dfb3c9521c4bbdff8d52c8ded04bcad20dbb4409c970a0cb2bd8a1f00d
SHA512 1fe8695d8bef10cd4cbf07045dca3c6ec5ce93619a766ea5c18272301551b05ea55c5df52fa3d53be58cd7038c8bd38e188a6bc76f1b9449e298da4a95691655

C:\Users\Admin\AppData\Local\YandexPackLoader.exe

MD5 93627dc0563de52ffead32d29dab3bd0
SHA1 bded947f5374609606b06f70ce53ed4874a6a477
SHA256 f1782058359784a2c34ea1c1f313caa3060a72c4c18e9bb7d760e40e6d095001
SHA512 4495bc5cad2b406364f44187138274271d3baa6eaead90f29e5957a5cddcd0d3e87c7d309608cb291635f2c173569dfbf75b35faceb1420f14ea860ce9a379bb

C:\Users\Admin\AppData\Local\Temp\7F4987FB1A6E43d69E3E94B29EB75926\YandexPackSetup.exe

MD5 80d2dd34eb0c5904b09339a0d9c7e26e
SHA1 57f990e23660e2f00ef4c10c68fde78210451376
SHA256 afb3d35762171e821e8f29282b25dacb9c2dc099f2c61ca5ac010e08db475470
SHA512 ebf83cd70d37e0519a5f942a06e052ff75b8d7ccffb88285f6ec4911b196fd1a5fc3b6b0ec74924adba34e91308378847ac5baf84bdcf9e64fcebf45809ce98e

C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

MD5 f319ea39ab59c91edfe04c08620bfbc6
SHA1 46b1732a90bbcf9eebfb25b9027eed550c8b1610
SHA256 9524986a9d2b6a04ccdf40fbbce7a024085fba697249a5a24288c83a0b54f4c4
SHA512 2465aa5455864b934c7214bd1450e1f570591ca0a6d0dc614a52f4d5c60ec7855d5dce90ceb398af416d08d9c0a8ada4156668db7d0af355f253806c79df2b2a

C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

MD5 b78a1d41318c6f96defed8e74ca4a516
SHA1 cb39558ce386c3e0d7df0fbfaf4aa692630f11f1
SHA256 22db2d018bc8ad91cbcdb9353af64c6063d2cefd2a8503b4464b7c64def60785
SHA512 2d95a0038712c7fea79bdb5b7d5bf307ce894fcf1771194f77191d45ebd175c4adadcaddfa5208c9c0611706fd05f7c6a8d789538bb744cdb8d30933148f1fde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

MD5 654d2e602b1e06712daf7c50bad0a7ac
SHA1 0f07f2950eed89dfd5bd46744181aa0b70db48a6
SHA256 93678a6f1e8f8ef5878e0338490797150f03bda81f3d7aaee5e860a5847de52a
SHA512 1d7ac4a142e9f0313d723231691cb733a5b9c39d79a74a2d3d9771f6afce9ddf3c5cce41cf7252a441d670b21a4d46ab7f9fa6afc008ee9f96fc7ae18217925e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7

MD5 66c364b18d82ddd44b65b1e763b789fe
SHA1 b9cd7f818a92e57915c09cc5b6c0e9c1786bd7dc
SHA256 7bf40599273b96bff014d7e4a5c857972a803004bb88dfc0452c0dd30a29d6d6
SHA512 035a589fb03210b387343a390b48e4e643438f9b6b2aa190ef28b26211e19dc93700fec4c12b1db26413e696b1aea6d8d4369c20db036754854925e878a9e9f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 ff71724ca94ca286c8b2c1602ed2e7cf
SHA1 170ca7df3991449185abff40999dfea0162dad4a
SHA256 f8905fc8c404370d966feff0fb316d3a9a96fd7643b80d2e4ebb69fbe3fac1e4
SHA512 85192f7ad1f9ea4895562f5945e61454609db37feac1cdcbb68072df4c6b243b65690c768b9d9d3fd5bef7908294b95e51daaae929c6a24aed4b125d6735ac10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 0c6b53a5a762d47bec063de294a45e16
SHA1 149ea40492f75e98016c45cc0c4d0db0cbeffd82
SHA256 a7d065a7b28c0b9efd9f7a2fabf265069ca982119767eef9a70929aaab5d0fa6
SHA512 8bb0fa0b07e607b533070f76cec917074a93ba94cfb04a18651b625dff5ea1a16079d90b4cfa25c1dda16d6409e4dcf492c7b7e88d82cc46331f23a27cb6096b

C:\Windows\Installer\MSI6D1D.tmp

MD5 0c80a997d37d930e7317d6dac8bb7ae1
SHA1 018f13dfa43e103801a69a20b1fab0d609ace8a5
SHA256 a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86
SHA512 fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

C:\Windows\Installer\MSI6D9B.tmp

MD5 e6fd0e66cf3bfd3cc04a05647c3c7c54
SHA1 6a1b7f1a45fb578de6492af7e2fede15c866739f
SHA256 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2
SHA512 fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb

C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

MD5 9fc4c63e9ad343e8a45fd22bee2f5eb4
SHA1 87f865d5b60d3ed6175244e460b70ff5c373c4be
SHA256 0e50fab55969e8d00ca1d0a7ffd24ea614aef944a2d6dad578109937a200762e
SHA512 932b46f108b1b8f41ea094ebfd18800990ada91e8f9af797048bf61d5877d4cf4dc1e6da393ba2168cd850265f8a20e5016baebf935780126c9b639e3cd141a2

C:\Users\Admin\AppData\Local\Temp\8D314215-B82F-4AFE-8260-247227A01E40\lite_installer.exe

MD5 aafdfaa7a989ddb216510fc9ae5b877f
SHA1 41cf94692968a7d511b6051b7fe2b15c784770cb
SHA256 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc
SHA512 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

C:\Users\Admin\AppData\Local\Temp\0085E2C8-1A34-4FED-852E-F79557255378\seederexe.exe

MD5 225ba20fa3edd13c9c72f600ff90e6cb
SHA1 5f1a9baa85c2afe29619e7cc848036d9174701e4
SHA256 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797
SHA512 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

C:\Config.Msi\e586a41.rbs

MD5 5027650d5f49e933fa583c44e52769bd
SHA1 4535c61578f638e9e5eccbb19a5e2db2843a712c
SHA256 6333e1059da56c72539c84112ee48f350897b57c438fcedfc9c40f14ac38477c
SHA512 e6a773e3f7fc5cb5f6e6c4e19472540debc178dc98034b5cd12196a995eb1de7f6ecc291e56a8912dee3c150d25a87eaddeec163c7cef6af0df7a19982a6b69d

C:\Users\Admin\AppData\Local\Temp\omnija-20241213.zip

MD5 fa66915afcd256926008a20fe34f3b75
SHA1 3cad946b4b11cb16bd483e73546d019c29fefeee
SHA256 aeeeb9d3a66864eafda547e0f6047639d017c701824a62c49d2fe4de45be2017
SHA512 1ba2ed3e5b7b7f8c0783507c4a636f28ba33ad591d452ca7c8251edeea089ef39ec638c9367b592c0dda73eb93e484cedd13bf7f8fa48de9cfc54eb81aa095a7
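
The memory/ entries in the Files list are worth reading as a set rather than one by one: five different PIDs were dumped at exactly the same range 0x400000-0x41F000, the link-time base a 32-bit PE without relocations or ASLR loads at, and those PIDs are the Aimware cracked.exe, icsys.icn.exe, spoolsv.exe and svchost.exe processes of the chain in the WriteProcessMemory table, which points at one 124 KiB image being carried through every stage. The Python below is an added example, not part of the sandbox output: it parses the dump names copied from the list and groups them by address range across processes. The PID-to-image mapping is taken from the WriteProcessMemory table and is an assumption of the example, since the dump names carry only the PID.

```python
import re
from collections import defaultdict

# Constructed input: the memory/... entries copied from the Files section above.
DUMP_NAMES = """
memory/4592-0-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4508-91-0x0000018134870000-0x0000018134CE9000-memory.dmp
memory/4508-90-0x0000018134870000-0x0000018134CE9000-memory.dmp
memory/4508-93-0x0000018134790000-0x0000018134791000-memory.dmp
memory/4508-89-0x0000018134780000-0x0000018134781000-memory.dmp
memory/4508-92-0x0000018134870000-0x0000018134CE9000-memory.dmp
memory/5036-117-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4592-126-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3036-125-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3256-124-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3316-123-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3256-112-0x0000000000400000-0x000000000041F000-memory.dmp
"""

# PID -> image name, read off the WriteProcessMemory table above.
# Assumption of this example; the dump names themselves carry only the PID.
PID_IMAGE = {
    4592: "Aimware cracked.exe",
    4508: "cheatloader.exe",
    3036: "icsys.icn.exe",
    5116: "explorer.exe",
    3256: "spoolsv.exe",
    5036: "svchost.exe",
    3316: "spoolsv.exe",
}

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(text):
    """One dict per dump name: pid, sequence number, start and end address."""
    dumps = []
    for token in text.split():
        m = DUMP_RE.match(token)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
    return dumps


def shared_regions(dumps):
    """(start, end) -> sorted PIDs, for regions dumped from more than one process."""
    by_region = defaultdict(set)
    for d in dumps:
        by_region[(d["start"], d["end"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in by_region.items() if len(pids) > 1}


def region_size(region):
    start, end = region
    return end - start


def is_default_image_base(region):
    """0x400000 is the default link-time base of a 32-bit PE; seeing it means no ASLR relocation."""
    return region[0] == 0x400000


def describe(dumps, pid_image):
    """Human-readable line per multi-process region, naming the images that share it."""
    lines = []
    for region, pids in shared_regions(dumps).items():
        note = ", default 32-bit image base" if is_default_image_base(region) else ""
        who = ", ".join(f"{p}:{pid_image.get(p, '?')}" for p in pids)
        lines.append("0x%X-0x%X (%d bytes%s): %s" % (region[0], region[1],
                                                     region_size(region), note, who))
    return lines


if __name__ == "__main__":
    for line in describe(parse_dumps(DUMP_NAMES), PID_IMAGE):
        print(line)
```

The only region shared across processes is 0x400000-0x41F000 (0x1F000 bytes), seen in PIDs 3036, 3256, 3316, 4592 and 5036; the 4508 (cheatloader.exe) dumps sit at 64-bit, ASLR-style addresses and belong to that process alone. Note that 5116 (the dropped explorer.exe) has no dump in the list even though it sits in the middle of the chain, so the dump set is a sample of the chain, not a census of it.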