91bfb22e09589199c5b4d5ec665b49d68efff21e59bf4660a3fb9a533afb8192

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

utweb_installer.exe
Size

1.7MB
MD5

aa28c6ab66f316f9ca24e34171fd79f9
SHA1

9a85cb527dc06146474410e232c83e88c29fc6b5
SHA256

91bfb22e09589199c5b4d5ec665b49d68efff21e59bf4660a3fb9a533afb8192
SHA512

351f0dbd1ce9d0b76238fbe553889f0cce6ab80d25d86dac6fa6202eb41a778b67a0db94a78d2edcdf5a7b78c9336c57c93b774b03607b9913274f0f4154f594
SSDEEP

24576:F4nXubIQGyxbPV0db26wceCmITRfbWWAmCdqotxoBcXRGEtLi+F/WY4O5bY:Fqe3f60rCRNWlmCdqogBcvhtlm

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4404	utweb_installer.tmp
1516	utweb_installer.exe
3116	utweb.exe

Loads dropped DLL 18 IoCs

pid	Process
4404	utweb_installer.tmp
4404	utweb_installer.tmp
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
1516	utweb_installer.exe
3116	utweb.exe
3116	utweb.exe
3116	utweb.exe
3116	utweb.exe
3116	utweb.exe
3116	utweb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\utweb = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe\" /MINIMIZED"	utweb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d5e42c4f-4d2a-45c6-ad41-8f1cae24d820.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230304230433.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3612	4548	WerFault.exe	94

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "Torrent File"	utweb_installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\OpenWithProgids\Torrent File = "0"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\ = "BTWKey File"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\DefaultIcon	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\shell\open\command	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open\command	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe,0"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\open	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe,0"	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe,0"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\open\command	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.btwkey\OpenWithProgids	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\ = "open"	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\ = "open"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.btwkey	utweb_installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.btwkey\OpenWithProgids\BTWKey File = "0"	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\URL Protocol	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\Content Type	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\Content Type = "application/x-magnet"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\ = "Torrent File"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\shell	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\shell\open	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\ = "Magnet URI"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\OpenWithProgids	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\shell\ = "open"	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe \"%1\" /SHELLASSOC"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\DefaultIcon	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe \"%1\" /SHELLASSOC"	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.btwkey\ = "BTWKey File"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BTWKey File\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent Web\\utweb.exe \"%1\" /SHELLASSOC"	utweb_installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\Content Type\ = "application/x-magnet"	utweb_installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\DefaultIcon	utweb_installer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d820000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	utweb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 040000000100000010000000ee2931bc327e9ae6e8b5f751b43471900f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343119000000010000001000000091fad483f14848a8a69b18b805cdbb3a20000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	utweb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 5c00000001000000040000000008000019000000010000001000000091fad483f14848a8a69b18b805cdbb3a030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8040000000100000010000000ee2931bc327e9ae6e8b5f751b434719020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	utweb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431	utweb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	utweb.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	49	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	50	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1516	utweb_installer.exe
1516	utweb_installer.exe
2244	msedge.exe
2244	msedge.exe
1772	msedge.exe
1772	msedge.exe
5288	identity_helper.exe
5288	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3116	utweb.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
4404	utweb_installer.tmp
3116	utweb.exe
3116	utweb.exe
3116	utweb.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3116	utweb.exe
3116	utweb.exe
3116	utweb.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe
1772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4404	4872	utweb_installer.exe	86
PID 4872 wrote to memory of 4404	4872	utweb_installer.exe	86
PID 4872 wrote to memory of 4404	4872	utweb_installer.exe	86
PID 4404 wrote to memory of 1516	4404	utweb_installer.tmp	95
PID 4404 wrote to memory of 1516	4404	utweb_installer.tmp	95
PID 4404 wrote to memory of 1516	4404	utweb_installer.tmp	95
PID 4404 wrote to memory of 3116	4404	utweb_installer.tmp	106
PID 4404 wrote to memory of 3116	4404	utweb_installer.tmp	106
PID 4404 wrote to memory of 3116	4404	utweb_installer.tmp	106
PID 3116 wrote to memory of 1772	3116	utweb.exe	108
PID 3116 wrote to memory of 1772	3116	utweb.exe	108
PID 1772 wrote to memory of 4916	1772	msedge.exe	109
PID 1772 wrote to memory of 4916	1772	msedge.exe	109
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2000	1772	msedge.exe	110
PID 1772 wrote to memory of 2244	1772	msedge.exe	111
PID 1772 wrote to memory of 2244	1772	msedge.exe	111
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113
PID 1772 wrote to memory of 3652	1772	msedge.exe	113

C:\Users\Admin\AppData\Local\Temp\utweb_installer.exe
"C:\Users\Admin\AppData\Local\Temp\utweb_installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\is-CS4MJ.tmp\utweb_installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CS4MJ.tmp\utweb_installer.tmp" /SL5="$801B6,897614,818688,C:\Users\Admin\AppData\Local\Temp\utweb_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\utweb_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\utweb_installer.exe" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- - C:\Users\Admin\AppData\Roaming\uTorrent Web\utweb.exe
    "C:\Users\Admin\AppData\Roaming\uTorrent Web\utweb.exe" /RUNONSTARTUP
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://utweb.rainberrytv.com/gui/index.html?v=1.3.0.5649&firstrun=1&localauth=localapi4c7c4b8d47a14fa2:
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff3b0746f8,0x7fff3b074708,0x7fff3b074718
        5⤵
        
        PID:4916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        5⤵
        
        PID:2000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        5⤵
        
        PID:3652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
        5⤵
        
        PID:560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
        5⤵
        
        PID:4760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
        5⤵
        
        PID:1892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 /prefetch:8
        5⤵
        
        PID:5016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
        5⤵
        
        PID:5092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
        5⤵
        
        PID:4232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
        5⤵
        
        PID:1012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:5168
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6afd35460,0x7ff6afd35470,0x7ff6afd35480
        6⤵
        
        PID:5196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
        5⤵
        
        PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
        5⤵
        
        PID:5324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
        5⤵
        
        PID:5728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        5⤵
        
        PID:5744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
        5⤵
        
        PID:5236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10877316434481280998,8788586140552230077,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
        5⤵
        
        PID:5172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 4548 -ip 4548
1⤵
PID:4212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4548 -s 2252
1⤵
- Program crash
PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x51c 0x520
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5967a459-b4da-4545-ad23-a80cf900b32a.tmp

Filesize
12KB

MD5
922b316eb6936a9c762d9c9465f50559

SHA1
ad46d141f29d0e8c917af5f0b111edd41d5bf23c

SHA256
496386be0bbfacda5179ea650cfd9671066aa3c5e29eaccc4588b844238ee7e9

SHA512
dcca41d5cbc84095ad330ef286dc2108e8ef4ff08fd81e6f968f3177f5b4a551671991d770530063f3bdfa424296e3a00cbd8bb8892a08a5ca771f28212263db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\717b42c3-b403-4286-a3c2-cb3709b3089b.tmp

Filesize
10KB

MD5
4ae1b24bc3efb1c4087328ea0525f148

SHA1
88bd4fe560d889fe787470133066c2a3f1423ef0

SHA256
70277dd1cc77bfc68a3cadfd0321aadd594b7ef7ef7cc5f6a3945ae6448e3948

SHA512
0b0d960c9ba76e9ce128e0019b900bf8166bcc01fd99ccbc698c6711eda114f4a17e6b7991fd1e4756a335cf2f59fd0f2b8e5ffe81859a4a8220185e852a6c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
90KB

MD5
e71086d6313f99e0c0d86bd95e9b4107

SHA1
4b50c6f71605ce4b7d04f2c58fdfe606c3d1f3c9

SHA256
20d243fba4292b367739016e8109da2888a1d628d7b4ed787616a4a34bdc87ae

SHA512
c603e05c3f6513ead5b1474e4ae2b90134b862c6c28e4a800ba3252969020099b15d91efd8711556911325f16dcb4eddc2425a9f70460f2330653221782a670f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
c4964c648fdc9429346e385f60849709

SHA1
4daf6c13f362b859d119eeeaca0b95c5cf5564f4

SHA256
0d512e0b353c0bafc915014dd1157e9d60b308c1f0f3d1447353789432fe64da

SHA512
01f65c6f4db6b4fa5df03991a365000eaca5b77fc1fb15eb0ddfa1f81f3944a4734d6a3f8db5793cc1fcd619359bbb04f79901fa91cbb59b2060788e2d406bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
16KB

MD5
f4f3831793f4def57b350ff16e7e226f

SHA1
e3fc5a97102238b09a2a854620520129dd523fdc

SHA256
61c1436a6cab77cbc0413956d65313d797467a2f5f82c6bd3c74df59cfbb53e3

SHA512
a5db27ba74f8a0959ca5a014e44e9904eaba97d0c909a32b7d7306aa9f38bb296e8a37e59b96b8b4afb141cb6f5f39c67d11b8ac0ff8b57759f80b3c272f49da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
42KB

MD5
ac9cc2b3e4e8abab70f374326b12113f

SHA1
7a3667ebb746b67111d41c2071b40568b2e87faa

SHA256
f4f5c0691db49e2f3b5fe39e9e71b99b8e675feffa1449c6928f5e9abb8576b7

SHA512
0a136ee598e02c9070231540754b0be9d919479deb4e19f9e00b8994b6148217f2428448114b87c60d12c8da85ccedc1988d02568eea0416b1d2b50d57da8557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
62KB

MD5
c224fa84e7dc6d7e62b3bdc1ea1c9d01

SHA1
8ad0ed75d8d6766150a0ec3c5043f94bd5ff4546

SHA256
32039b6e572e4423e711558bdbb48403242c27f973b95ec6f1ae86d84ea62beb

SHA512
0d191a05ba988cc196beee284c7065ff8c7964ec47308e57bd9e9b0d99960686de2aa00b3d15f06a6039e0782a387ecb9bd88242a08ece976b64ce0b96cf8852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
298KB

MD5
f9c0ee5447ef1f600e236f1e2ae9849d

SHA1
3696d623deca7435265182cfa0cd25888bc2a675

SHA256
00048bb0c0ffab3e29d69a2f00daadb7f0b544852b2903295bc062f27396f5ca

SHA512
60450d9bdc98683f00bfaac7fcb9c1c95bf1843d1a11ca820934f3ac1a241d271846234c1849544a1de25385b3f405a3d802b15b77421f42f026683cf06b373d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
26KB

MD5
26160eca05fe7d4a44c14b3461a41676

SHA1
82f7b2436e77343213c07fe3533fba9fccc7f380

SHA256
a22141bff5d52b2bd40a7ab759defb59517894b990de96b6e069bfba26444bcb

SHA512
627a78b797b37918ff0fee094318efb7b79a584f164bd3e15921d725e979e868ddebd11e54d95304e42d45e5c561b6343e876b6d79f665de3d3ff884035f4aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
119KB

MD5
0b872df43f4302f3ba0d0ae335d73b8e

SHA1
8eefb7562eae92270610d48c5c7b751a7e848438

SHA256
22716e02654b6c7fbc16d54bc9790fc9c17be9d64803973d134a751dbb9ef3c5

SHA512
585ebc9c2bffd51587aab4776382469f1d8775fd2723e7901fed14a76cf6b822e898a4cb6157f47ac19059dd3dfdc5f8cd3416938ee69ab830d922d78e4573b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
160KB

MD5
7f27adb1216e4ddb02884fd68a1ec297

SHA1
a33a85dfc58ca995fa184035b8fdb896866c361f

SHA256
aeea36b977f073b902c2c5536b21f43e931fc2ac5ba3601db228e686457e9bc8

SHA512
c1327064f05a62fe28f99830a33ad72b36f9345bb1c7de779461febfae5eea985aaf4a67f069f0e2cfec74b72b3f2d61822a4ff6689ff909c0b9d13ece5ba724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
ad220af520ff635e8163c2526ab703b4

SHA1
c93a3ed81973fbcfcc4b9bc0f52cf762beb9382e

SHA256
0810c31e40de6c68f4aa5749e1d6bfbe8b73bd1e4738c7f20556e4ab701a8b5e

SHA512
e36a561203b8d784f28d8345aa43bcd4a545e013d0014d121ae2a219f6bbd15798599562e1c34396fec69233013c1199987904a1993b30b08e841dfbf8a55446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
0a554e2ee6b64a2ee85839205d2b76f6

SHA1
0d33e0fb4f1e86c3eb2103709b5a4aded8e1b978

SHA256
15df119bbed12c4e04c773dffffff35e1a83442f8f5423a3a1a681420a2417f9

SHA512
36fa48f7094e76769a1434610078771431a82c64dd2e32d6568cc0bc8259067918709515a56ab1c3fe620722a019d197290aa938a709a288e591f700092dbdc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cc49b9d7b5032e5559f7ee72a7ce682b

SHA1
ae5963d3b933d358d0d9037b9267a4411a686209

SHA256
89697575426fb30d363db083af238ae73ae19b27c15102c906ea9d0b81bf5ed2

SHA512
4fdd9f39867dca3adfb563fe701f0e327346a597923f05a3a5bd04dcfecf8235de91674ccc17be7d4d16022eb23fecb07eb514a9d3226e355779ba455443c988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
13fcbd3b46f12bde94558facd6717b3b

SHA1
9082eb7afe8139358bd25a0b4df31c10044e664a

SHA256
fabe1f9057dbed1af5ede839ea4a8d6764b65a0a427f920dc4ff05e279cd46e7

SHA512
d86603c3a19486985cef27a6065cc09e69e0a86de18b0b5cb2b1cba013139d02d9fb2e30d7ec953b36dbf54f071533481ba69d36bbcdd71bc9349b2ba5908fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b1f33b428ca533fa0849d5bb9e69bb77

SHA1
a0273accd19f0770d2d5e54d3da71771eeb2a2ea

SHA256
8d39aaa89bd5b225ceee95a92b57737a977456e5b8c5836aa6d0ea1885b4e9d0

SHA512
a9c703c2f35d428544f2c98ca22ee3c957715041e71056706af16dadc694be26d31efcd94a1357f0eadffde9ab2d67434ce40f8c70d4a877182ba112d08969d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f666.TMP

Filesize
2KB

MD5
3c6d7fc1adceae54ee085266de1abe74

SHA1
8d40b114755ad098dbb90a92c34f7e0c4c356f8c

SHA256
c71fa6f4d93c9c9ce22b05dd1572d5355d334fdde1690f392410c932dd1dff1e

SHA512
b62cccb666628d8cf88fb4ee4c2b20280e41afaf450eac9f3bd774a859cd16d59021b6edf3bfdbe107d133d1975a18ad75bc974a03d3c1d625fa7888ade6e00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
04e2394ae1e7a76528233f22b625d405

SHA1
ad14a8d7cdbccd37e8a1c371a957163de329d7e0

SHA256
5b710992913d7053331bc95fdefbdca298bf4c4e84f3cd88e850b1c1a964c514

SHA512
3871449e171382734316a4f0e0cd4cf26d4823acd87ba81bdd681828b1ee80258eb9a3a1581f276cdc74c8c1306c400fbf1a57d714dad83a3b0b0fdaad630b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CS4MJ.tmp\utweb_installer.tmp

Filesize
3.0MB

MD5
e09f4c0fbeda6c07ced22ed0e1206fff

SHA1
8c5b35af00edb742aa5bee8172ef7c880609ffda

SHA256
78f50d6fdff01abe6cfb9cbcea33e5c272aa5f3ed7363ca16fa9c2859a8297d4

SHA512
ea66e066f44b62fb5c0aa0601a6bf43b9ca21d884811fd3de6ca9e9f75f856debd6f98080a41490ac2602c5d8deebda09e370ec8d09a554d1550dbf3a958509e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\Logo.png

Filesize
12KB

MD5
a00cfe887e254c462ad0c6a6d3fb25b6

SHA1
c603a192e23df46c719febf07fd4207c96b1f0f9

SHA256
bca0271f56f7384942ff3affb79fa78ccdceabf7dda89ad3c138226da324cdb1

SHA512
6dc95a05e2712d85067aa92144f7e00871d2f60e377c6df0253e3ff48a02280d4148578fbbf22018693227bdcc035a8bd391f3c390aed39ca58749f28fc19862

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\utweb_installer.exe

Filesize
17.1MB

MD5
30b0b419746e27654267388599e4bd40

SHA1
70c21f2c70f82727f4af0f1f2c032340c5661d9c

SHA256
4e8872dc64e01f97b4d0dd479cdea1e83970fa4aa1524d4d6e385dd07886d60a

SHA512
f6558a5096220df6601506057019469aa4234bee95dbd2524dd263ad21ddb8e463d5ed201c76259adc4bc88122160c8cdb362fe47c0d6ed39fae618750835482

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\utweb_installer.exe

Filesize
17.1MB

MD5
30b0b419746e27654267388599e4bd40

SHA1
70c21f2c70f82727f4af0f1f2c032340c5661d9c

SHA256
4e8872dc64e01f97b4d0dd479cdea1e83970fa4aa1524d4d6e385dd07886d60a

SHA512
f6558a5096220df6601506057019469aa4234bee95dbd2524dd263ad21ddb8e463d5ed201c76259adc4bc88122160c8cdb362fe47c0d6ed39fae618750835482

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIP6S.tmp\utweb_installer.exe

Filesize
17.1MB

MD5
30b0b419746e27654267388599e4bd40

SHA1
70c21f2c70f82727f4af0f1f2c032340c5661d9c

SHA256
4e8872dc64e01f97b4d0dd479cdea1e83970fa4aa1524d4d6e385dd07886d60a

SHA512
f6558a5096220df6601506057019469aa4234bee95dbd2524dd263ad21ddb8e463d5ed201c76259adc4bc88122160c8cdb362fe47c0d6ed39fae618750835482

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\nsisFirewall.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\nsisFirewall.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss27FB.tmp\nsisFirewall.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e5cb84450b6aea232b495b8c068e5144

SHA1
2ca1fcc69a25758333a5821f5b4dac9e484ccdd5

SHA256
80ac470566f0e620914af6e3078b3fe3cc515b5dc3ea383db4bf86b04b5d777c

SHA512
35ffdb7433bc60e3a8946b69fa7cbb3a337fd75540efeca62c9ff88b4a3bf1727738f8b44e2a7d10d781c5d3cdb1c95a7bbfd0d8ac2024fec01a4a6d62493248

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\avcodec-58.dll

Filesize
1.4MB

MD5
9d7585d920144436fd23b5397ad20abf

SHA1
396b69f02b672b2df8b630e0690c440f17e7cd8e

SHA256
8b527770e0580ee328f8c91aae05016b174d15e13f28befff5a6b6a6f4837084

SHA512
c6fce0b220e319c8c91739159e9870302240e734b15c1721bb1357b6e62772b743d62f0a8b280aa285d8adde10e1fe24056ccfd1b05b9bf220e7f4f9434dd356

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\avcodec-58.dll

Filesize
1.4MB

MD5
9d7585d920144436fd23b5397ad20abf

SHA1
396b69f02b672b2df8b630e0690c440f17e7cd8e

SHA256
8b527770e0580ee328f8c91aae05016b174d15e13f28befff5a6b6a6f4837084

SHA512
c6fce0b220e319c8c91739159e9870302240e734b15c1721bb1357b6e62772b743d62f0a8b280aa285d8adde10e1fe24056ccfd1b05b9bf220e7f4f9434dd356

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\avformat-58.dll

Filesize
927KB

MD5
c123211331c1f98b8a679ecbd5048997

SHA1
4b6807dcbbb0160b191cba08413c79ce557921ed

SHA256
4e8d418e6b1345c05e08a4b88e78a84a97c9a8179ca851bd87c93836c2409f31

SHA512
4232c5f759109cb71a5c5833cb3de2b641c71504f62132cced98f56f792c11d9d5a84ac96c91c8dec6b4d19021b9ba555976779957faa3a6c6438f0abc51a6e8

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\avformat-58.dll

Filesize
927KB

MD5
c123211331c1f98b8a679ecbd5048997

SHA1
4b6807dcbbb0160b191cba08413c79ce557921ed

SHA256
4e8d418e6b1345c05e08a4b88e78a84a97c9a8179ca851bd87c93836c2409f31

SHA512
4232c5f759109cb71a5c5833cb3de2b641c71504f62132cced98f56f792c11d9d5a84ac96c91c8dec6b4d19021b9ba555976779957faa3a6c6438f0abc51a6e8

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\avutil-56.dll

Filesize
620KB

MD5
e0cdb9bbfa7a22ef965d55161945176e

SHA1
1d0929e86b838f02025552cd4e0f6eb91f769d75

SHA256
47a1c21d501b81a93088ae081da08e74d098ac82e0dbae7a909f39af5bd24815

SHA512
813c9b18aa7e8d8794010cc40eda839db324079a87a784b9ab8a98c3f318e9c12d2d86eaa8bd4ec1e4ec6175a9e12efce243c0d0daa193b802ed0cc4739173f5

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\avutil-56.dll

Filesize
620KB

MD5
e0cdb9bbfa7a22ef965d55161945176e

SHA1
1d0929e86b838f02025552cd4e0f6eb91f769d75

SHA256
47a1c21d501b81a93088ae081da08e74d098ac82e0dbae7a909f39af5bd24815

SHA512
813c9b18aa7e8d8794010cc40eda839db324079a87a784b9ab8a98c3f318e9c12d2d86eaa8bd4ec1e4ec6175a9e12efce243c0d0daa193b802ed0cc4739173f5

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\helper.partial

Filesize
4.8MB

MD5
bbe951a7ac3b1099ef53e6a42763df45

SHA1
49802f8073f49fdeec1e6bf97b9b0dcc324dc251

SHA256
818403b765e10bb87290b9088ac9b37b2911692c0f674140f345bd990ae5d198

SHA512
2c60e36fd06036eeca565f364207b8cd6f88993433a473dd871b634f81acf2e964225199b540ba4cb24b9fc631c507d80159eb22a3beabb525ddfc2bfac5f06e

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\libcrypto-1_1.dll

Filesize
2.4MB

MD5
cc316f02b1166ba92e53788ab269a639

SHA1
f1ffc069ffd1abacd9b3378a2c40599b8a3d0f85

SHA256
b8453da0de5aefb1b775486cec41011c4877ebd1ffa8089d89bce2ee8e3d5eb5

SHA512
0a86400a472c4ae91a051dde9b260b630f81028aef144f6b6c37754801049958cef3545f903427b0ad1af8c380c8267d95dfd8144601c7c6fedc239ad4a397db

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\libcrypto-1_1.dll

Filesize
2.4MB

MD5
cc316f02b1166ba92e53788ab269a639

SHA1
f1ffc069ffd1abacd9b3378a2c40599b8a3d0f85

SHA256
b8453da0de5aefb1b775486cec41011c4877ebd1ffa8089d89bce2ee8e3d5eb5

SHA512
0a86400a472c4ae91a051dde9b260b630f81028aef144f6b6c37754801049958cef3545f903427b0ad1af8c380c8267d95dfd8144601c7c6fedc239ad4a397db

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\libssl-1_1.dll

Filesize
525KB

MD5
88228668dfd302da82a2ce585db55f38

SHA1
30092d8680c184726e45879f6c7340ecdf98b388

SHA256
2129c263ad08f415ac40abce658e13327ab5911f59a21767dab56d3167083020

SHA512
8b88a1cf14ef47c39c00568df9b421a45936c74989b428e668ec737438fe993f0c08f65a1f164d54594ea66b49e976c3991cc9a9bc2d56c0bce90e589e142bda

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\libssl-1_1.dll

Filesize
525KB

MD5
88228668dfd302da82a2ce585db55f38

SHA1
30092d8680c184726e45879f6c7340ecdf98b388

SHA256
2129c263ad08f415ac40abce658e13327ab5911f59a21767dab56d3167083020

SHA512
8b88a1cf14ef47c39c00568df9b421a45936c74989b428e668ec737438fe993f0c08f65a1f164d54594ea66b49e976c3991cc9a9bc2d56c0bce90e589e142bda

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\swresample-3.dll

Filesize
149KB

MD5
69ae94597b9412a9936aa43340ad1826

SHA1
67cdf694af7543186f1492897d69f5ab41cfe4d4

SHA256
11771c928aff73893e72de8e01912dbbb8c5d8643f23601545457c96d5b8361f

SHA512
34c7e20d67eb0c8076fb83fdc01628d7d532611a5e56c882085acf648eeb6199a5f4b54c6d848846c502f6c1089cf5eacddc0b7bce6667bd84369b2d338f6e93

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\swresample-3.dll

Filesize
149KB

MD5
69ae94597b9412a9936aa43340ad1826

SHA1
67cdf694af7543186f1492897d69f5ab41cfe4d4

SHA256
11771c928aff73893e72de8e01912dbbb8c5d8643f23601545457c96d5b8361f

SHA512
34c7e20d67eb0c8076fb83fdc01628d7d532611a5e56c882085acf648eeb6199a5f4b54c6d848846c502f6c1089cf5eacddc0b7bce6667bd84369b2d338f6e93

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\utweb.exe

Filesize
6.1MB

MD5
4de13af5287ccc91f8f640141e766f1c

SHA1
4506b6540c61d2937393b40409d65c2caa4ef640

SHA256
fcdfdc2b66f5c923d9b96baff4c14bd1cda92df32acec9d872768877ee016aab

SHA512
092733c722bffa55ec834d5dcf0296f44c6c89959bd7ef23cfe3cc1c964b6530b5fb0d14cedb4d005641a6a96170d70b9b6bf880909f74f499e1da178eef9082

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\utweb.exe

Filesize
6.1MB

MD5
4de13af5287ccc91f8f640141e766f1c

SHA1
4506b6540c61d2937393b40409d65c2caa4ef640

SHA256
fcdfdc2b66f5c923d9b96baff4c14bd1cda92df32acec9d872768877ee016aab

SHA512
092733c722bffa55ec834d5dcf0296f44c6c89959bd7ef23cfe3cc1c964b6530b5fb0d14cedb4d005641a6a96170d70b9b6bf880909f74f499e1da178eef9082

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent Web\utweb.exe

Filesize
6.1MB

MD5
4de13af5287ccc91f8f640141e766f1c

SHA1
4506b6540c61d2937393b40409d65c2caa4ef640

SHA256
fcdfdc2b66f5c923d9b96baff4c14bd1cda92df32acec9d872768877ee016aab

SHA512
092733c722bffa55ec834d5dcf0296f44c6c89959bd7ef23cfe3cc1c964b6530b5fb0d14cedb4d005641a6a96170d70b9b6bf880909f74f499e1da178eef9082

Download Submit
memory/2000-333-0x00007FFF57E50000-0x00007FFF57E51000-memory.dmp

Filesize
4KB

Download
memory/4404-157-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4404-277-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4404-210-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4404-162-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4404-156-0x0000000005290000-0x000000000529F000-memory.dmp

Filesize
60KB

Download
memory/4404-155-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4404-148-0x0000000005290000-0x000000000529F000-memory.dmp

Filesize
60KB

Download
memory/4404-141-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4872-133-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4872-279-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/4872-154-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download