fickerstealer | f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96

Analysis

max time kernel
1043s
max time network
1218s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (password is THEPIRATEBAY007).zip
Size

5.1MB
MD5

5a7b05af6be77d411d38e4b9603de6fb
SHA1

890c2441287979341aea951ff1dd0e4e692493bf
SHA256

f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96
SHA512

ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e
SSDEEP

98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k

Score

10^/10

fickerstealer infostealer

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Executes dropped EXE 4 IoCs

Processes:

Setup.exeSetup.exeSetup.exeSetup.exe

pid process

2472 Setup.exe
2904 Setup.exe
2228 Setup.exe
288 Setup.exe

Loads dropped DLL 32 IoCs

Processes:

Setup.exeSetup.exeWerFault.exeSetup.exeSetup.exeWerFault.exe

pid	process
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2904	Setup.exe
2904	Setup.exe
2904	Setup.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2952	WerFault.exe
2228	Setup.exe
288	Setup.exe
288	Setup.exe
288	Setup.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe
828	WerFault.exe

Drops file in System32 directory 1 IoCs

Processes:

SearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2952 2904 WerFault.exe Setup.exe
828 288 WerFault.exe Setup.exe
2204 2728 WerFault.exe

pid	pid_target	process	target process
2952	2904	WerFault.exe	Setup.exe
828	288	WerFault.exe	Setup.exe
2204	2728	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{45670FA8-ED97-4F44-BC93-305082590BFB} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000607a7357736ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Record sound and save it on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-108 = "Penguins"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SoundRecorder.exe,-100 = "Sound Recorder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\recdisc.exe,-2001 = "Creates a disc you can use to access system recovery options."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a049b056736ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\Explorer.exe,-312 = "Play and manage games on your computer."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\speech\speechux\sapi.cpl,-5556 = "Dictate text and control your computer by voice."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\SnippingTool.exe,-15052 = "Capture a portion of your screen so you can save, annotate, or share the image."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\ehome\ehres.dll,-100 = "Windows Media Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\SNTSearch.dll,-504 = "Create short handwritten or text notes."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Setup.exeSetup.exe

pid	process
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2472	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe
2228	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

osk.exe

pid process

2464 osk.exe

pid	process
2464	osk.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AUDIODG.EXESearchIndexer.exe7zG.exe

description	pid	process
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: 33	928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	928	AUDIODG.EXE
Token: SeManageVolumePrivilege	1704	SearchIndexer.exe
Token: 33	1704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1704	SearchIndexer.exe
Token: SeRestorePrivilege	1564	7zG.exe
Token: 35	1564	7zG.exe
Token: SeSecurityPrivilege	1564	7zG.exe
Token: SeSecurityPrivilege	1564	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1564 7zG.exe

pid	process
1564	7zG.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

SearchProtocolHost.exeSearchProtocolHost.exeosk.exeSearchProtocolHost.exe

pid	process
2308	SearchProtocolHost.exe
2308	SearchProtocolHost.exe
2308	SearchProtocolHost.exe
2308	SearchProtocolHost.exe
2308	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
2308	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
1684	SearchProtocolHost.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
1684	SearchProtocolHost.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
2464	osk.exe
980	SearchProtocolHost.exe
980	SearchProtocolHost.exe
980	SearchProtocolHost.exe
980	SearchProtocolHost.exe
980	SearchProtocolHost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Setup.exe

pid process

2472 Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SearchIndexer.exeutilman.exeSetup.exeSetup.exeSetup.exe

description	pid	process	target process
PID 1704 wrote to memory of 2308	1704	SearchIndexer.exe	SearchProtocolHost.exe
PID 1704 wrote to memory of 2308	1704	SearchIndexer.exe	SearchProtocolHost.exe
PID 1704 wrote to memory of 2308	1704	SearchIndexer.exe	SearchProtocolHost.exe
PID 1704 wrote to memory of 1276	1704	SearchIndexer.exe	SearchFilterHost.exe
PID 1704 wrote to memory of 1276	1704	SearchIndexer.exe	SearchFilterHost.exe
PID 1704 wrote to memory of 1276	1704	SearchIndexer.exe	SearchFilterHost.exe
PID 1704 wrote to memory of 1684	1704	SearchIndexer.exe	SearchProtocolHost.exe
PID 1704 wrote to memory of 1684	1704	SearchIndexer.exe	SearchProtocolHost.exe
PID 1704 wrote to memory of 1684	1704	SearchIndexer.exe	SearchProtocolHost.exe
PID 556 wrote to memory of 2464	556	utilman.exe	osk.exe
PID 556 wrote to memory of 2464	556	utilman.exe	osk.exe
PID 556 wrote to memory of 2464	556	utilman.exe	osk.exe
PID 1704 wrote to memory of 2544	1704	SearchIndexer.exe	SearchFilterHost.exe
PID 1704 wrote to memory of 2544	1704	SearchIndexer.exe	SearchFilterHost.exe
PID 1704 wrote to memory of 2544	1704	SearchIndexer.exe	SearchFilterHost.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2472 wrote to memory of 2904	2472	Setup.exe	Setup.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2904 wrote to memory of 2952	2904	Setup.exe	WerFault.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe
PID 2228 wrote to memory of 288	2228	Setup.exe	Setup.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"
1⤵
PID:1212

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3787592910-3720486031-2929222812-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
  2⤵
  - Modifies data under HKEY_USERS
  PID:1276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
  2⤵
  PID:2544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
  2⤵
  PID:664
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:980

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {9E175B8B-F52A-11D8-B9A5-505054503030} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2868

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
PID:2688

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2464

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\" -spe -an -ai#7zMap22029:150:7zEvent27632
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1564

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2952

C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 256
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:828

C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
1⤵
PID:984
- C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe"
  2⤵
  PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 256
1⤵
- Program crash
PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
40077e58c61fad92519e140e0dc34022

SHA1
2cce66177530344f88e37eb84f0043be701bf444

SHA256
6e3868949a3dc1443296f14a96c93c58e3b50bfc4b177f37ac0b233ed8baa1f0

SHA512
20e5128d8533a27568aacd900a58a947cbbce92dbd1bac8dce44871d1f7edb57b8d303c21c1b9945e386bb42265c48ed32347b3f4b275e0dd835c30eab2f662f

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
df78d996923e25ccae8a37cd32aae5b0

SHA1
be868520dd592b5f1a2eb818b10e290d5e052f64

SHA256
ed45e93b1db2db5a55d8343c0f850d9f80b1bd5723be4610ff0cdcd305dc83ee

SHA512
e2478e27c481e35f069c3bfcd49b2c391dd04340a79c54acac7f66ff48f43bcd2296bd2fed406121772a50c662265147f8670baffb4627e44f9c9a4b498b7f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
16.5MB

MD5
0b60147c97d9534409c2a808ec88fbe8

SHA1
a1966f36c4e714d1c8b23ebbf777ddf76464b05c

SHA256
8d43ff0ec3bf1b368fac0628625a26223f170d4f9b8c649bcf7de57826c3c432

SHA512
a7bc144ef83da7874d991ef88ea3ced8963b74fcde9cefca433752f2cecb0673b284c18fe01e42561a081049f9fa2a9b3a8faff788d31467225cd62584dea8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
13.6MB

MD5
cf67c7bbcd3a7e2fa55fd481a02b191c

SHA1
715e67369f6b27f11b43a7cf6a0a11096bfc571b

SHA256
2d3a9cd629bafa0cf8a4658fe4db7697dafcb08c9fd88fd3701f0bdcf931b58d

SHA512
81598e0335f67f8fadbddc66a4f240af0f1489d37e56ce9fc38c62de00bdc09b88e2328fe91b501a1b5bcd1044aaefe5d9ee8dfb1e2cc7fa7282d6cc780f52fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.2MB

MD5
d3b33bdf9af7fe5b71649345c87d7274

SHA1
2924d50ed749fa16e1bcf84a57319f936e0bfef2

SHA256
4597c6cf2456f937f957ba314d6d72b9597438e3e1fd852acf5a19f9bcf5ae87

SHA512
f68d4fe3356f98f92f7cb8af097e0c99bee93526b278d8fdcefa17786b87b4047ac2f71d3a8b75ad05caf0b151c6c5f417876edd04d8fc3749ff3984275ca436

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.1MB

MD5
a5b4e59c3619163dafac8454b1568cd3

SHA1
aac558cb4e485e96fcc9fe499c39c716f0a07d39

SHA256
0ae112e56c0741335b8a955db3bba86d60602a5aa1a68a6d5adcb28d4a9539b9

SHA512
a68d62756585de5161c310a3e631575a2fe5ccb05ac488388841f0b87c56f5b594af02ea6345d2869faef6ca87bbdbdea730976d4dba1ba721d3c5854747fb49

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
768KB

MD5
4cff8f8d378a5e6a2ff558cbee9af9b5

SHA1
54c27e9e7709a8949ffeb5200789895accf93dcf

SHA256
3a3a1965f57a92802f95ac2af1a2deb0449c0b189682afa1b10764554ee3969b

SHA512
84399220c16d7602e6a0a3679277c7141fb71db314dbbdcb0fab438a223dbb94fe13d7bebea96555b86e82aaad15dad4687041bf7044a19f25f7edb3899dab38

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
512KB

MD5
dd05157275bbdd3fa6290e197344fb05

SHA1
b2538c8d6f730a0df46954081723e1eb3759f7fa

SHA256
dd7b57e2bacd20c42f946dca0391bd05d10decd6fccce9f02688d2b9797c0f23

SHA512
2cd21d18ba8b4036623a1c58457d8d0f18dee56d522d47242db39588a8e4c1d8df491c39a79b29a105b84794e176bd5a1704c2f74b958275073229356af9e752

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
320KB

MD5
b1e0a65817c0d99487a065fab746b61c

SHA1
c191f842613c45a087ee85f44b0c5f1a4d927b22

SHA256
ffad2bb6d6c6edacf34a4b0dffcebea4ebbdac6ff329d05d1e802fb8c4246169

SHA512
bfa96dcc8eef2adcbf1e16ab9efc5d6dfcb25061404b132dcbd0070dba2b9257d4a82c775a4fd8b6f46f9915110dd3166b25d10fe64b448b9c455b5112347e28

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
3.5MB

MD5
7100214aa493007c015e9c5c92bdce9c

SHA1
e39bbc914145af2cd83dfdddf08cbec0976a7bd3

SHA256
4cdecaa3f6ebdb23590a468886ab3455ddbbb70da6911506dd95263f8ca64867

SHA512
1705c7adb7f7f30efbf7eeaac3b958ace3de15fabc2e842b5533faa51e4da718d92e7696b7c3faa72e7242cc98fa49f02299786503fbf72f298acf5d99cddd9f

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.8MB

MD5
2f2af0eff6ecb681fdcb4c25cb67afe3

SHA1
4dcc750b8940d69f4337410c67c949c24889b7bd

SHA256
d3046e947323e0d92242b6e13e7370b502be3e320080302ad5009f03027d5d9d

SHA512
3e39fd8f2aa4d7a009dd4cda0b47ce66bddd9598709a0e29d18e05ca6d9d3ff9d17dd98a16b7c79bb865be8051ce5529311ba977eeba480725668591c5ec6030

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.4MB

MD5
5fda3187e19862689f13fe34c07608f1

SHA1
d0624e2245b8b498db307f8e5c37d97d06098972

SHA256
8cd07163418702b6a82d0c135838c3b74558d1be270e863a4fec14594abd75b5

SHA512
b2a7a329a91e2bfaf75dd9f377a0c4f77b9f866625213e094c43678ca67d5154cde96307ea5bb91a914ff2a48a02175fb7a2e42843483eff58d0189ed0143350

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.4MB

MD5
c520b07fcfe100019198a8b7d9cf52d2

SHA1
e8cddfedf878d7408437748201ec97f9b9f7d2e7

SHA256
9da08cf7db50c754a55c8e4cbe0a1612fd3d63b49a3b62fcb3518ca3c6bdb5aa

SHA512
b221c697ae476aa0babe626ca089d8a657d0f088c073691d8527f4dfdf05da561517a706251ccb610ae552707fb78e6e2cdbeae0455a264bb177facfa2169a12

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
384KB

MD5
e74558edaf38b188494c10655a08bae8

SHA1
c85977e51bb7e74e074d4a26eb0624ec05ede698

SHA256
8ef123cc5b5659457543b8969f93d872ab79e93cbe99b6ec8266969e4b18bfd5

SHA512
21c0046b42ef63a4e6b99c4f9a2374912db5e38b269ded72ec533746151be5780db3af52eb5e104451484feb70dfdf58474179b192d5c6fa6201e1678f33cc46

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
192KB

MD5
757f0a2c30fb7ab28cdc662c55cb5a27

SHA1
23b6ddf41ba1dc942daf74ba583f2d94792bf20a

SHA256
c31faf4c9fedc8356e19b2357626507313091093dbf1b829638b59e5acc78dee

SHA512
701a7c9430ee2e263bd052f3c2a19e3c5ccdb337c307a4a3d7281d4f479171349fed2cae194befa1f7c265c16cd0ffa3784b52ea5413af5f55dc4cd357a535fe

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
128KB

MD5
af9f5180cb111c4ec7af0df436f120f1

SHA1
2b5d8320300a661f2ebaf7c500bf146045e24edc

SHA256
a6434af83424eb6e3785542438f29b4c6d470691c72f93a70d67f73c2c1a7a33

SHA512
d01db3a2f80cb6b6c67a82b4e0732788316d4068b89881cb14bc8055fb662b5e690b8490bdc184bfff3da1d2ce35e8564e4259612b9d654917ef386da395ecb8

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
31KB

MD5
90393567f7b46d0bf7d74f311502a707

SHA1
ea93fca8da8084fa6a4a1c17340c13432034e308

SHA256
46f5749085979991c881e94760f0c7c0547446d411b080ea36cdcaa78d40ee1c

SHA512
5e0d42b208291c4d368e8f98da5729277ef4c6e946ed7c2c2692b248ee5a1a0021e30cdc001ede7b72fc954f04d86d628383b29638f55248c69f2b6fc7783157

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
8KB

MD5
fc601eae187eb0307c182081d82d9150

SHA1
220ee5f0afedddd59b4636d84d435fc8aa8c8cfe

SHA256
1629f7d833a29e80fbfdf758b571d4c2697c80dceda2ff2394677b5152350fde

SHA512
7de55dbb3fc29f88029ce38fa3cae26eaf72a8469b4407e0c09007fca946050353367e776297d3cbf78f45c6ada1001cb5f73bac8fd6478815da9be185bdcc97

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
960KB

MD5
a482f634425a236645832cc11053abf2

SHA1
ea2a7004dafa7951e0a665d5e3c8b790245d3d3b

SHA256
3618cc6a0c163a24f8aa7d631f73dac6f5fcc99d80790fa2311bb0b4591fe217

SHA512
362f050571ca09c32dd9a4264037925080a350ba1faf4d73894df8a0704d4e6b12a256cd57fc898f2f4a0c90711d13fe9b61b98f3fe4b1ac3e95b82718074c0f

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.4MB

MD5
77f152a093a445c4b4568b95d57af9bf

SHA1
b14848a1ebaaeb4a6f3f21bb563a849ecd5cd6df

SHA256
a2f3b7de1fe2301a05ddfd8ee377fcd0a41524963dec834f9b8edbaec549ab7b

SHA512
eef79d91f705a6443158820c0174fcfd444c5d9546dd68608c847443ff5e8c231c4768a387f83e6f20add381b4ad643a127f9f11c6a351942af8a3acd060a7ee

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
704KB

MD5
9ae2c181815ef82a20105a0819fd74f5

SHA1
bd31c82efde4bf9d54db2b8564f6d73769aceb04

SHA256
f23d86375e244b3d8d1a49a237b5ee9c1659609d338ce183ed8881997e4678e0

SHA512
4e6e60889d761f20fee14a437389393a9b062e0bb3bce3ff59ab896b9df90efd87d2d5a0fa5775517e35b3a1d5641b3913776f964540f44f68d44e50974193d0

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1024KB

MD5
7c31fb01113ca0fcfc9470763cbad631

SHA1
19f12afdf4cb37a264affe71a2f3289138e156bd

SHA256
b020e17721555331333ee5011d00db60e66de19f48f1a5d46dffa6e5a5db6a14

SHA512
94481fbcee3b43a5a226fe20163d2f81a2939e633b4f9381388628372cfddc941f59623895ab6350f40b5064722fc89ac89e6b443951d5f4f050aada526bdffb

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
448KB

MD5
e0c39f213fedc5c4cde026655841b8ca

SHA1
fe4251952e275332bb90cc0c9c167cada7b56d5f

SHA256
384b97acbf3b2084f2a30cf8d6beb194964914153993c37a519fd7f7b4630db4

SHA512
b403b2a8647ef515161445fb7e5c804cb2336778e61d2497b2c4407b43172b00379db80b00b907902696496bd75b991e966ec377092d2b5f2543ae5c0ddfe735

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.5MB

MD5
b5cde28921e860dd9b33e5f577c9ae67

SHA1
90dd53be25a410b843c3bfe27206b0172b7fc58e

SHA256
723612ab355ded6347c5ef5a1e4488e379fd5b042db19a189b7f6d9db5049858

SHA512
e5930f52cd70d340018960b6a4ac7e503a49e91ab4b61696078aa8f26c52a1dfc7ee0187329c286e1e54a16a397a967b467cee4bd7ca7f7b5337fbf8eae6076a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
1.1MB

MD5
206d802b1dece91d9ba6fb291b1d2e7d

SHA1
e307ed2bad276356a79424462c39d0bd517aa587

SHA256
00664719df71a112fe4495a2771c438cd210c8c0e7700a72fd8d834d1e8f9435

SHA512
bd7c83f2ee1323f1d1f871a652c236e851eef7aed347fb4540733f4851663f20dc789cbcad68d7174d922707e19db543b310a16ddddc534b826165836c5ee34a

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

Filesize
256KB

MD5
52550ef816b0128e53a5199009283a4d

SHA1
552eced19925fd9ad9cf4d874f4dae4b4504453a

SHA256
d6bbf915c644e749c454b60c7b2bb930b7bc71deb59a38d274930b51bde970a4

SHA512
0583ee8d8f08ed22ef260792e2be9a8712a8819427f1c7ce86bb6df58e7c3ddbb078b0e31760032774c5e90ce3f1fa1aa6f537269e56b591d071bdc3c3244064

Download Submit
\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007)\Setup.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/984-281-0x0000000033890000-0x0000000033A10000-memory.dmp

Filesize
1.5MB

Download
memory/984-280-0x0000000031E70000-0x0000000031EEB000-memory.dmp

Filesize
492KB

Download
memory/1276-71-0x000007FEF2A70000-0x000007FEF2BB3000-memory.dmp

Filesize
1.3MB

Download
memory/1276-72-0x000007FE8ED30000-0x000007FE8ED3A000-memory.dmp

Filesize
40KB

Download
memory/1276-86-0x000007FEF2A70000-0x000007FEF2BB3000-memory.dmp

Filesize
1.3MB

Download
memory/1276-87-0x000007FE8ED30000-0x000007FE8ED3A000-memory.dmp

Filesize
40KB

Download
memory/1704-89-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1704-77-0x0000000005110000-0x0000000005118000-memory.dmp

Filesize
32KB

Download
memory/1704-16-0x00000000017E0000-0x00000000017F0000-memory.dmp

Filesize
64KB

Download
memory/1704-39-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/1704-45-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1704-51-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/1704-53-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1704-62-0x0000000002B90000-0x0000000002B98000-memory.dmp

Filesize
32KB

Download
memory/1704-70-0x0000000003290000-0x0000000003298000-memory.dmp

Filesize
32KB

Download
memory/1704-85-0x0000000005100000-0x0000000005108000-memory.dmp

Filesize
32KB

Download
memory/1704-134-0x0000000003570000-0x0000000003578000-memory.dmp

Filesize
32KB

Download
memory/1704-131-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1704-130-0x0000000003580000-0x0000000003588000-memory.dmp

Filesize
32KB

Download
memory/1704-112-0x00000000042C0000-0x00000000042C8000-memory.dmp

Filesize
32KB

Download
memory/1704-110-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/1704-100-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1704-78-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1704-0-0x00000000016E0000-0x00000000016F0000-memory.dmp

Filesize
64KB

Download
memory/2228-184-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2228-182-0x0000000033960000-0x0000000033AE0000-memory.dmp

Filesize
1.5MB

Download
memory/2228-187-0x0000000031DE0000-0x0000000031E5B000-memory.dmp

Filesize
492KB

Download
memory/2228-181-0x0000000031DE0000-0x0000000031E5B000-memory.dmp

Filesize
492KB

Download
memory/2464-95-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/2472-149-0x0000000033820000-0x000000003389B000-memory.dmp

Filesize
492KB

Download
memory/2472-148-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2472-158-0x0000000033820000-0x000000003389B000-memory.dmp

Filesize
492KB

Download
memory/2472-151-0x00000000338A0000-0x0000000033A20000-memory.dmp

Filesize
1.5MB

Download
memory/2904-162-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2904-163-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2904-153-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2904-154-0x0000000077D7F000-0x0000000077D80000-memory.dmp

Filesize
4KB

Download
memory/2904-155-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download