Analysis
-
max time kernel
1043s -
max time network
1218s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-02-2024 17:59
Static task
static1
Behavioral task
behavioral1
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win10-20240221-en
Behavioral task
behavioral2
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win10-20240221-en
Behavioral task
behavioral4
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Setup (password is THEPIRATEBAY007).zip
Resource
win11-20240221-en
General
-
Target
Setup (password is THEPIRATEBAY007).zip
-
Size
5.1MB
-
MD5
5a7b05af6be77d411d38e4b9603de6fb
-
SHA1
890c2441287979341aea951ff1dd0e4e692493bf
-
SHA256
f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96
-
SHA512
ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e
-
SSDEEP
98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k
Malware Config
Extracted
fickerstealer
45.93.201.181:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Executes dropped EXE 4 IoCs
pid Process 2472 Setup.exe 2904 Setup.exe 2228 Setup.exe 288 Setup.exe -
Loads dropped DLL 32 IoCs
pid Process 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2904 Setup.exe 2904 Setup.exe 2904 Setup.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2952 WerFault.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2952 WerFault.exe 2228 Setup.exe 288 Setup.exe 288 Setup.exe 288 Setup.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe 828 WerFault.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 2952 2904 WerFault.exe 55 828 288 WerFault.exe 58 2204 2728 WerFault.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000607a7357736ada01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a049b056736ada01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2472 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe 2228 Setup.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2464 osk.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: 33 928 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 928 AUDIODG.EXE Token: 33 928 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 928 AUDIODG.EXE Token: SeManageVolumePrivilege 1704 SearchIndexer.exe Token: 33 1704 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 1704 SearchIndexer.exe Token: SeRestorePrivilege 1564 7zG.exe Token: 35 1564 7zG.exe Token: SeSecurityPrivilege 1564 7zG.exe Token: SeSecurityPrivilege 1564 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1564 7zG.exe -
Suspicious use of SetWindowsHookEx 52 IoCs
pid Process 2308 SearchProtocolHost.exe 2308 SearchProtocolHost.exe 2308 SearchProtocolHost.exe 2308 SearchProtocolHost.exe 2308 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 2308 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 1684 SearchProtocolHost.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 1684 SearchProtocolHost.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 2464 osk.exe 980 SearchProtocolHost.exe 980 SearchProtocolHost.exe 980 SearchProtocolHost.exe 980 SearchProtocolHost.exe 980 SearchProtocolHost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2472 Setup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2308 1704 SearchIndexer.exe 39 PID 1704 wrote to memory of 2308 1704 SearchIndexer.exe 39 PID 1704 wrote to memory of 2308 1704 SearchIndexer.exe 39 PID 1704 wrote to memory of 1276 1704 SearchIndexer.exe 40 PID 1704 wrote to memory of 1276 1704 SearchIndexer.exe 40 PID 1704 wrote to memory of 1276 1704 SearchIndexer.exe 40 PID 1704 wrote to memory of 1684 1704 SearchIndexer.exe 41 PID 1704 wrote to memory of 1684 1704 SearchIndexer.exe 41 PID 1704 wrote to memory of 1684 1704 SearchIndexer.exe 41 PID 556 wrote to memory of 2464 556 utilman.exe 47 PID 556 wrote to memory of 2464 556 utilman.exe 47 PID 556 wrote to memory of 2464 556 utilman.exe 47 PID 1704 wrote to memory of 2544 1704 SearchIndexer.exe 51 PID 1704 wrote to memory of 2544 1704 SearchIndexer.exe 51 PID 1704 wrote to memory of 2544 1704 SearchIndexer.exe 51 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2472 wrote to memory of 2904 2472 Setup.exe 55 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2904 wrote to memory of 2952 2904 Setup.exe 56 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58 PID 2228 wrote to memory of 288 2228 Setup.exe 58
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"1⤵PID:1212
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1796
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0xc81⤵
- Suspicious use of AdjustPrivilegeToken
PID:928
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
PID:2308
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 5282⤵
- Modifies data under HKEY_USERS
PID:1276
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1684
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 5282⤵PID:2544
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 5282⤵PID:664
-
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Suspicious use of SetWindowsHookEx
PID:980
-
-
C:\Windows\system32\verclsid.exe"C:\Windows\system32\verclsid.exe" /S /C {9E175B8B-F52A-11D8-B9A5-505054503030} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x4011⤵PID:2868
-
C:\Windows\system32\osk.exe"C:\Windows\system32\osk.exe"1⤵PID:2688
-
C:\Windows\system32\utilman.exeutilman.exe /debug1⤵
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\System32\osk.exe"C:\Windows\System32\osk.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2464
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\" -spe -an -ai#7zMap22029:150:7zEvent276321⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1564
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2563⤵
- Loads dropped DLL
- Program crash
PID:2952
-
-
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 2563⤵
- Loads dropped DLL
- Program crash
PID:828
-
-
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"1⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"2⤵PID:2728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 2561⤵
- Program crash
PID:2204
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD540077e58c61fad92519e140e0dc34022
SHA12cce66177530344f88e37eb84f0043be701bf444
SHA2566e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0
SHA51220e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f
-
Filesize
1024KB
MD5df78d996923e25ccae8a37cd32aae5b0
SHA1be868520dd592b5f1a2eb818b10e290d5e052f64
SHA256ed45e93b1db2db5a55d8343c0f850d9f80b1bd5723be4610ff0cdcd305dc83ee
SHA512e2478e27c481e35f069c3bfcd49b2c391dd04340a79c54acac7f66ff48f43bcd2296bd2fed406121772a50c662265147f8670baffb4627e44f9c9a4b498b7f19
-
Filesize
16.5MB
MD50b60147c97d9534409c2a808ec88fbe8
SHA1a1966f36c4e714d1c8b23ebbf777ddf76464b05c
SHA2568d43ff0ec3bf1b368fac0628625a26223f170d4f9b8c649bcf7de57826c3c432
SHA512a7bc144ef83da7874d991ef88ea3ced8963b74fcde9cefca433752f2cecb0673b284c18fe01e42561a081049f9fa2a9b3a8faff788d31467225cd62584dea8e3
-
Filesize
13.6MB
MD5cf67c7bbcd3a7e2fa55fd481a02b191c
SHA1715e67369f6b27f11b43a7cf6a0a11096bfc571b
SHA2562d3a9cd629bafa0cf8a4658fe4db7697dafcb08c9fd88fd3701f0bdcf931b58d
SHA51281598e0335f67f8fadbddc66a4f240af0f1489d37e56ce9fc38c62de00bdc09b88e2328fe91b501a1b5bcd1044aaefe5d9ee8dfb1e2cc7fa7282d6cc780f52fc
-
Filesize
1.2MB
MD5d3b33bdf9af7fe5b71649345c87d7274
SHA12924d50ed749fa16e1bcf84a57319f936e0bfef2
SHA2564597c6cf2456f937f957ba314d6d72b9597438e3e1fd852acf5a19f9bcf5ae87
SHA512f68d4fe3356f98f92f7cb8af097e0c99bee93526b278d8fdcefa17786b87b4047ac2f71d3a8b75ad05caf0b151c6c5f417876edd04d8fc3749ff3984275ca436
-
Filesize
1.1MB
MD5a5b4e59c3619163dafac8454b1568cd3
SHA1aac558cb4e485e96fcc9fe499c39c716f0a07d39
SHA2560ae112e56c0741335b8a955db3bba86d60602a5aa1a68a6d5adcb28d4a9539b9
SHA512a68d62756585de5161c310a3e631575a2fe5ccb05ac488388841f0b87c56f5b594af02ea6345d2869faef6ca87bbdbdea730976d4dba1ba721d3c5854747fb49
-
Filesize
768KB
MD54cff8f8d378a5e6a2ff558cbee9af9b5
SHA154c27e9e7709a8949ffeb5200789895accf93dcf
SHA2563a3a1965f57a92802f95ac2af1a2deb0449c0b189682afa1b10764554ee3969b
SHA51284399220c16d7602e6a0a3679277c7141fb71db314dbbdcb0fab438a223dbb94fe13d7bebea96555b86e82aaad15dad4687041bf7044a19f25f7edb3899dab38
-
Filesize
512KB
MD5dd05157275bbdd3fa6290e197344fb05
SHA1b2538c8d6f730a0df46954081723e1eb3759f7fa
SHA256dd7b57e2bacd20c42f946dca0391bd05d10decd6fccce9f02688d2b9797c0f23
SHA5122cd21d18ba8b4036623a1c58457d8d0f18dee56d522d47242db39588a8e4c1d8df491c39a79b29a105b84794e176bd5a1704c2f74b958275073229356af9e752
-
Filesize
320KB
MD5b1e0a65817c0d99487a065fab746b61c
SHA1c191f842613c45a087ee85f44b0c5f1a4d927b22
SHA256ffad2bb6d6c6edacf34a4b0dffcebea4ebbdac6ff329d05d1e802fb8c4246169
SHA512bfa96dcc8eef2adcbf1e16ab9efc5d6dfcb25061404b132dcbd0070dba2b9257d4a82c775a4fd8b6f46f9915110dd3166b25d10fe64b448b9c455b5112347e28
-
Filesize
3.5MB
MD57100214aa493007c015e9c5c92bdce9c
SHA1e39bbc914145af2cd83dfdddf08cbec0976a7bd3
SHA2564cdecaa3f6ebdb23590a468886ab3455ddbbb70da6911506dd95263f8ca64867
SHA5121705c7adb7f7f30efbf7eeaac3b958ace3de15fabc2e842b5533faa51e4da718d92e7696b7c3faa72e7242cc98fa49f02299786503fbf72f298acf5d99cddd9f
-
Filesize
1.8MB
MD52f2af0eff6ecb681fdcb4c25cb67afe3
SHA14dcc750b8940d69f4337410c67c949c24889b7bd
SHA256d3046e947323e0d92242b6e13e7370b502be3e320080302ad5009f03027d5d9d
SHA5123e39fd8f2aa4d7a009dd4cda0b47ce66bddd9598709a0e29d18e05ca6d9d3ff9d17dd98a16b7c79bb865be8051ce5529311ba977eeba480725668591c5ec6030
-
Filesize
1.4MB
MD55fda3187e19862689f13fe34c07608f1
SHA1d0624e2245b8b498db307f8e5c37d97d06098972
SHA2568cd07163418702b6a82d0c135838c3b74558d1be270e863a4fec14594abd75b5
SHA512b2a7a329a91e2bfaf75dd9f377a0c4f77b9f866625213e094c43678ca67d5154cde96307ea5bb91a914ff2a48a02175fb7a2e42843483eff58d0189ed0143350
-
Filesize
1.4MB
MD5c520b07fcfe100019198a8b7d9cf52d2
SHA1e8cddfedf878d7408437748201ec97f9b9f7d2e7
SHA2569da08cf7db50c754a55c8e4cbe0a1612fd3d63b49a3b62fcb3518ca3c6bdb5aa
SHA512b221c697ae476aa0babe626ca089d8a657d0f088c073691d8527f4dfdf05da561517a706251ccb610ae552707fb78e6e2cdbeae0455a264bb177facfa2169a12
-
Filesize
384KB
MD5e74558edaf38b188494c10655a08bae8
SHA1c85977e51bb7e74e074d4a26eb0624ec05ede698
SHA2568ef123cc5b5659457543b8969f93d872ab79e93cbe99b6ec8266969e4b18bfd5
SHA51221c0046b42ef63a4e6b99c4f9a2374912db5e38b269ded72ec533746151be5780db3af52eb5e104451484feb70dfdf58474179b192d5c6fa6201e1678f33cc46
-
Filesize
192KB
MD5757f0a2c30fb7ab28cdc662c55cb5a27
SHA123b6ddf41ba1dc942daf74ba583f2d94792bf20a
SHA256c31faf4c9fedc8356e19b2357626507313091093dbf1b829638b59e5acc78dee
SHA512701a7c9430ee2e263bd052f3c2a19e3c5ccdb337c307a4a3d7281d4f479171349fed2cae194befa1f7c265c16cd0ffa3784b52ea5413af5f55dc4cd357a535fe
-
Filesize
128KB
MD5af9f5180cb111c4ec7af0df436f120f1
SHA12b5d8320300a661f2ebaf7c500bf146045e24edc
SHA256a6434af83424eb6e3785542438f29b4c6d470691c72f93a70d67f73c2c1a7a33
SHA512d01db3a2f80cb6b6c67a82b4e0732788316d4068b89881cb14bc8055fb662b5e690b8490bdc184bfff3da1d2ce35e8564e4259612b9d654917ef386da395ecb8
-
Filesize
31KB
MD590393567f7b46d0bf7d74f311502a707
SHA1ea93fca8da8084fa6a4a1c17340c13432034e308
SHA25646f5749085979991c881e94760f0c7c0547446d411b080ea36cdcaa78d40ee1c
SHA5125e0d42b208291c4d368e8f98da5729277ef4c6e946ed7c2c2692b248ee5a1a0021e30cdc001ede7b72fc954f04d86d628383b29638f55248c69f2b6fc7783157
-
Filesize
8KB
MD5fc601eae187eb0307c182081d82d9150
SHA1220ee5f0afedddd59b4636d84d435fc8aa8c8cfe
SHA2561629f7d833a29e80fbfdf758b571d4c2697c80dceda2ff2394677b5152350fde
SHA5127de55dbb3fc29f88029ce38fa3cae26eaf72a8469b4407e0c09007fca946050353367e776297d3cbf78f45c6ada1001cb5f73bac8fd6478815da9be185bdcc97
-
Filesize
960KB
MD5a482f634425a236645832cc11053abf2
SHA1ea2a7004dafa7951e0a665d5e3c8b790245d3d3b
SHA2563618cc6a0c163a24f8aa7d631f73dac6f5fcc99d80790fa2311bb0b4591fe217
SHA512362f050571ca09c32dd9a4264037925080a350ba1faf4d73894df8a0704d4e6b12a256cd57fc898f2f4a0c90711d13fe9b61b98f3fe4b1ac3e95b82718074c0f
-
Filesize
1.4MB
MD577f152a093a445c4b4568b95d57af9bf
SHA1b14848a1ebaaeb4a6f3f21bb563a849ecd5cd6df
SHA256a2f3b7de1fe2301a05ddfd8ee377fcd0a41524963dec834f9b8edbaec549ab7b
SHA512eef79d91f705a6443158820c0174fcfd444c5d9546dd68608c847443ff5e8c231c4768a387f83e6f20add381b4ad643a127f9f11c6a351942af8a3acd060a7ee
-
Filesize
704KB
MD59ae2c181815ef82a20105a0819fd74f5
SHA1bd31c82efde4bf9d54db2b8564f6d73769aceb04
SHA256f23d86375e244b3d8d1a49a237b5ee9c1659609d338ce183ed8881997e4678e0
SHA5124e6e60889d761f20fee14a437389393a9b062e0bb3bce3ff59ab896b9df90efd87d2d5a0fa5775517e35b3a1d5641b3913776f964540f44f68d44e50974193d0
-
Filesize
1024KB
MD57c31fb01113ca0fcfc9470763cbad631
SHA119f12afdf4cb37a264affe71a2f3289138e156bd
SHA256b020e17721555331333ee5011d00db60e66de19f48f1a5d46dffa6e5a5db6a14
SHA51294481fbcee3b43a5a226fe20163d2f81a2939e633b4f9381388628372cfddc941f59623895ab6350f40b5064722fc89ac89e6b443951d5f4f050aada526bdffb
-
Filesize
448KB
MD5e0c39f213fedc5c4cde026655841b8ca
SHA1fe4251952e275332bb90cc0c9c167cada7b56d5f
SHA256384b97acbf3b2084f2a30cf8d6beb194964914153993c37a519fd7f7b4630db4
SHA512b403b2a8647ef515161445fb7e5c804cb2336778e61d2497b2c4407b43172b00379db80b00b907902696496bd75b991e966ec377092d2b5f2543ae5c0ddfe735
-
Filesize
1.5MB
MD5b5cde28921e860dd9b33e5f577c9ae67
SHA190dd53be25a410b843c3bfe27206b0172b7fc58e
SHA256723612ab355ded6347c5ef5a1e4488e379fd5b042db19a189b7f6d9db5049858
SHA512e5930f52cd70d340018960b6a4ac7e503a49e91ab4b61696078aa8f26c52a1dfc7ee0187329c286e1e54a16a397a967b467cee4bd7ca7f7b5337fbf8eae6076a
-
Filesize
1.1MB
MD5206d802b1dece91d9ba6fb291b1d2e7d
SHA1e307ed2bad276356a79424462c39d0bd517aa587
SHA25600664719df71a112fe4495a2771c438cd210c8c0e7700a72fd8d834d1e8f9435
SHA512bd7c83f2ee1323f1d1f871a652c236e851eef7aed347fb4540733f4851663f20dc789cbcad68d7174d922707e19db543b310a16ddddc534b826165836c5ee34a
-
Filesize
256KB
MD552550ef816b0128e53a5199009283a4d
SHA1552eced19925fd9ad9cf4d874f4dae4b4504453a
SHA256d6bbf915c644e749c454b60c7b2bb930b7bc71deb59a38d274930b51bde970a4
SHA5120583ee8d8f08ed22ef260792e2be9a8712a8819427f1c7ce86bb6df58e7c3ddbb078b0e31760032774c5e90ce3f1fa1aa6f537269e56b591d071bdc3c3244064