Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05/04/2024, 13:36 UTC

General

  • Target

    $PLUGINSDIR/UAC.dll

  • Size

    14KB

  • MD5

    adb29e6b186daa765dc750128649b63d

  • SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

  • SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

  • SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • SSDEEP

    192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
      2⤵
        PID:4868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 624
          3⤵
          • Program crash
          PID:932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4868 -ip 4868
      1⤵
        PID:5012
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4352

        Network

        • flag-us
          DNS
          133.211.185.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          133.211.185.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          122.136.73.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          122.136.73.23.in-addr.arpa
          IN PTR
          Response
          122.136.73.23.in-addr.arpa
          IN PTR
          a23-73-136-122.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          13.86.106.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.86.106.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          86.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          86.23.85.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          56.126.166.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          56.126.166.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          65.139.73.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          65.139.73.23.in-addr.arpa
          IN PTR
          Response
          65.139.73.23.in-addr.arpa
          IN PTR
          a23-73-139-65.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          chromewebstore.googleapis.com
          Remote address:
          8.8.8.8:53
          Request
          chromewebstore.googleapis.com
          IN A
          Response
          chromewebstore.googleapis.com
          IN A
          172.217.18.106
          chromewebstore.googleapis.com
          IN A
          172.217.23.106
          chromewebstore.googleapis.com
          IN A
          142.250.185.74
          chromewebstore.googleapis.com
          IN A
          142.250.185.106
          chromewebstore.googleapis.com
          IN A
          142.250.185.138
          chromewebstore.googleapis.com
          IN A
          142.250.185.170
          chromewebstore.googleapis.com
          IN A
          216.58.206.74
          chromewebstore.googleapis.com
          IN A
          142.250.185.234
          chromewebstore.googleapis.com
          IN A
          142.250.184.234
          chromewebstore.googleapis.com
          IN A
          142.250.185.202
          chromewebstore.googleapis.com
          IN A
          142.250.181.234
          chromewebstore.googleapis.com
          IN A
          142.250.186.42
          chromewebstore.googleapis.com
          IN A
          142.250.186.74
          chromewebstore.googleapis.com
          IN A
          172.217.16.138
          chromewebstore.googleapis.com
          IN A
          216.58.212.170
          chromewebstore.googleapis.com
          IN A
          142.250.74.202
        • flag-us
          DNS
          chromewebstore.googleapis.com
          Remote address:
          8.8.8.8:53
          Request
          chromewebstore.googleapis.com
          IN Unknown
          Response
        • flag-us
          DNS
          pki.goog
          Remote address:
          8.8.8.8:53
          Request
          pki.goog
          IN A
          Response
          pki.goog
          IN A
          216.239.32.29
        • flag-us
          DNS
          pki.goog
          Remote address:
          8.8.8.8:53
          Request
          pki.goog
          IN Unknown
          Response
        • flag-us
          GET
          http://pki.goog/gsr1/gsr1.crt
          Remote address:
          216.239.32.29:80
          Request
          GET /gsr1/gsr1.crt HTTP/1.1
          Host: pki.goog
          Connection: keep-alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.9
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Encoding: gzip
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 797
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Fri, 05 Apr 2024 13:27:07 GMT
          Expires: Fri, 05 Apr 2024 14:17:07 GMT
          Cache-Control: public, max-age=3000
          Age: 683
          Last-Modified: Wed, 20 May 2020 16:45:00 GMT
          Content-Type: application/pkix-cert
          Vary: Accept-Encoding
        • flag-us
          GET
          http://pki.goog/repo/certs/gtsr1.der
          Remote address:
          216.239.32.29:80
          Request
          GET /repo/certs/gtsr1.der HTTP/1.1
          Host: pki.goog
          Connection: keep-alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.9
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 1371
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Fri, 05 Apr 2024 13:15:44 GMT
          Expires: Fri, 05 Apr 2024 14:05:44 GMT
          Cache-Control: public, max-age=3000
          Age: 1366
          Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
          Content-Type: application/pkix-cert
          Vary: Accept-Encoding
        • flag-us
          GET
          http://pki.goog/repo/certs/gts1c3.der
          Remote address:
          216.239.32.29:80
          Request
          GET /repo/certs/gts1c3.der HTTP/1.1
          Host: pki.goog
          Connection: keep-alive
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
          Accept-Encoding: gzip, deflate
          Accept-Language: en-US,en;q=0.9
          Response
          HTTP/1.1 200 OK
          Accept-Ranges: bytes
          Content-Encoding: gzip
          Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
          Cross-Origin-Resource-Policy: cross-origin
          Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
          Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
          Content-Length: 1304
          X-Content-Type-Options: nosniff
          Server: sffe
          X-XSS-Protection: 0
          Date: Fri, 05 Apr 2024 13:18:59 GMT
          Expires: Fri, 05 Apr 2024 14:08:59 GMT
          Cache-Control: public, max-age=3000
          Age: 1171
          Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
          Content-Type: application/pkix-cert
          Vary: Accept-Encoding
        • flag-us
          DNS
          106.18.217.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          106.18.217.172.in-addr.arpa
          IN PTR
          Response
          106.18.217.172.in-addr.arpa
          IN PTR
          fra16s42-in-f10.1e100.net
          106.18.217.172.in-addr.arpa
          IN PTR
          zrh04s05-in-f106
        • flag-us
          DNS
          29.32.239.216.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          29.32.239.216.in-addr.arpa
          IN PTR
          Response
          29.32.239.216.in-addr.arpa
          IN PTR
          any-in-201d.1e100.net
        • flag-us
          DNS
          121.136.73.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          121.136.73.23.in-addr.arpa
          IN PTR
          Response
          121.136.73.23.in-addr.arpa
          IN PTR
          a23-73-136-121.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          31.243.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          31.243.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          13.173.189.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.173.189.20.in-addr.arpa
          IN PTR
          Response
        • 13.107.253.64:443
          46 B
          40 B
          1
          1
        • 172.217.18.106:443
          chromewebstore.googleapis.com
          tls
          941 B
          5.2kB
          8
          8
        • 216.239.32.29:80
          http://pki.goog/repo/certs/gts1c3.der
          http
          1.3kB
          6.1kB
          10
          10

          HTTP Request

          GET http://pki.goog/gsr1/gsr1.crt

          HTTP Response

          200

          HTTP Request

          GET http://pki.goog/repo/certs/gtsr1.der

          HTTP Response

          200

          HTTP Request

          GET http://pki.goog/repo/certs/gts1c3.der

          HTTP Response

          200
        • 8.8.8.8:53
          122.136.73.23.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          122.136.73.23.in-addr.arpa

        • 8.8.8.8:53
          133.211.185.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          133.211.185.52.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          13.86.106.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          13.86.106.20.in-addr.arpa

        • 8.8.8.8:53
          86.23.85.13.in-addr.arpa
          dns
          70 B
          144 B
          1
          1

          DNS Request

          86.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          56.126.166.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          56.126.166.20.in-addr.arpa

        • 8.8.8.8:53
          65.139.73.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          65.139.73.23.in-addr.arpa

        • 8.8.8.8:53
          chromewebstore.googleapis.com
          dns
          75 B
          331 B
          1
          1

          DNS Request

          chromewebstore.googleapis.com

          DNS Response

          172.217.18.106
          172.217.23.106
          142.250.185.74
          142.250.185.106
          142.250.185.138
          142.250.185.170
          216.58.206.74
          142.250.185.234
          142.250.184.234
          142.250.185.202
          142.250.181.234
          142.250.186.42
          142.250.186.74
          172.217.16.138
          216.58.212.170
          142.250.74.202

        • 8.8.8.8:53
          chromewebstore.googleapis.com
          dns
          75 B
          132 B
          1
          1

          DNS Request

          chromewebstore.googleapis.com

        • 8.8.8.8:53
          pki.goog
          dns
          54 B
          70 B
          1
          1

          DNS Request

          pki.goog

          DNS Response

          216.239.32.29

        • 8.8.8.8:53
          pki.goog
          dns
          54 B
          128 B
          1
          1

          DNS Request

          pki.goog

        • 8.8.8.8:53
          106.18.217.172.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          106.18.217.172.in-addr.arpa

        • 8.8.8.8:53
          29.32.239.216.in-addr.arpa
          dns
          72 B
          107 B
          1
          1

          DNS Request

          29.32.239.216.in-addr.arpa

        • 8.8.8.8:53
          121.136.73.23.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          121.136.73.23.in-addr.arpa

        • 8.8.8.8:53
          31.243.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          31.243.111.52.in-addr.arpa

        • 8.8.8.8:53
          13.173.189.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          13.173.189.20.in-addr.arpa

        MITRE ATT&CK Matrix