0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0

Analysis

max time kernel
31s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe
Size

13.8MB
MD5

42b0828a300ff9641620a1ab43cb9547
SHA1

aea4f6eefcc2aca7f04220daf688565f66b4c212
SHA256

0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0
SHA512

60341d9363a09636b1ccf19ff4ee20bc361c41488bba108ff546b8393aad2652988923d16e958ac889a13265a10f7ffce74b311acbc5986ac1d75c6cb3efa7d5
SSDEEP

196608:4j6kU9NYlObEk0Lp2dd/kZzkmxgy9NSW7I7GIXSpINbhiTGIwTh3kC3uDEN9TrSi:yLSN30LpEiSCC9XSpIFwah3RuINhkUP

Score

7^/10

evasion spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\AVAST Software\Avast	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\AVG\AV\Dir	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1208 netsh.exe

pid	process
1208	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmpprod0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	prod0.exe

Executes dropped EXE 10 IoCs

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmpprod0.exesaBSI.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exetwek0i4t.exeRAVEndPointProtection-installer.exe

pid	process
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
4960	prod0.exe
1348	saBSI.exe
3508	OperaSetup.exe
1104	OperaSetup.exe
1412	OperaSetup.exe
1456	OperaSetup.exe
1332	OperaSetup.exe
4336	twek0i4t.exe
920	RAVEndPointProtection-installer.exe

Loads dropped DLL 9 IoCs

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmpOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exetwek0i4t.exe

pid	process
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
3508	OperaSetup.exe
1104	OperaSetup.exe
1412	OperaSetup.exe
1456	OperaSetup.exe
1332	OperaSetup.exe
4336	twek0i4t.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 42 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmpsaBSI.exe

pid	process
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe
1348	saBSI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

prod0.exeRAVEndPointProtection-installer.exe

description pid process

Token: SeDebugPrivilege 4960 prod0.exe
Token: SeDebugPrivilege 920 RAVEndPointProtection-installer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp

pid process

5056 Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp

description	pid	process
Token: SeDebugPrivilege	4960	prod0.exe
Token: SeDebugPrivilege	920	RAVEndPointProtection-installer.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exeTeenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmpOperaSetup.exeOperaSetup.exeprod0.exetwek0i4t.exe

description	pid	process	target process
PID 4428 wrote to memory of 5056	4428	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
PID 4428 wrote to memory of 5056	4428	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
PID 4428 wrote to memory of 5056	4428	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
PID 5056 wrote to memory of 4960	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	prod0.exe
PID 5056 wrote to memory of 4960	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	prod0.exe
PID 5056 wrote to memory of 1348	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	saBSI.exe
PID 5056 wrote to memory of 1348	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	saBSI.exe
PID 5056 wrote to memory of 1348	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	saBSI.exe
PID 5056 wrote to memory of 3508	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	OperaSetup.exe
PID 5056 wrote to memory of 3508	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	OperaSetup.exe
PID 5056 wrote to memory of 3508	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	OperaSetup.exe
PID 3508 wrote to memory of 1104	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1104	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1104	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1412	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1412	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1412	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1456	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1456	3508	OperaSetup.exe	OperaSetup.exe
PID 3508 wrote to memory of 1456	3508	OperaSetup.exe	OperaSetup.exe
PID 1456 wrote to memory of 1332	1456	OperaSetup.exe	OperaSetup.exe
PID 1456 wrote to memory of 1332	1456	OperaSetup.exe	OperaSetup.exe
PID 1456 wrote to memory of 1332	1456	OperaSetup.exe	OperaSetup.exe
PID 4960 wrote to memory of 4336	4960	prod0.exe	twek0i4t.exe
PID 4960 wrote to memory of 4336	4960	prod0.exe	twek0i4t.exe
PID 4960 wrote to memory of 4336	4960	prod0.exe	twek0i4t.exe
PID 5056 wrote to memory of 1208	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	netsh.exe
PID 5056 wrote to memory of 1208	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	netsh.exe
PID 5056 wrote to memory of 1208	5056	Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp	netsh.exe
PID 4336 wrote to memory of 920	4336	twek0i4t.exe	RAVEndPointProtection-installer.exe
PID 4336 wrote to memory of 920	4336	twek0i4t.exe	RAVEndPointProtection-installer.exe

C:\Users\Admin\AppData\Local\Temp\Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe
"C:\Users\Admin\AppData\Local\Temp\Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\is-LC7U7.tmp\Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LC7U7.tmp\Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp" /SL5="$B0044,13603942,780800,C:\Users\Admin\AppData\Local\Temp\Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.exe"
2⤵
- Checks for any installed AV software in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod0.exe
"C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod0.exe" -ip:"dui=1037f2ac-7687-4b04-90ea-cc9b87b0e187&dit=20240425081636&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100&b=em&se=true" -vp:"dui=1037f2ac-7687-4b04-90ea-cc9b87b0e187&dit=20240425081636&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100&oip=26&ptl=7&dta=true" -dp:"dui=1037f2ac-7687-4b04-90ea-cc9b87b0e187&dit=20240425081636&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100" -i -v -d -se=true
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\twek0i4t.exe
"C:\Users\Admin\AppData\Local\Temp\twek0i4t.exe" /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\twek0i4t.exe" /silent
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
6⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
4⤵
PID:3068

C:\Program Files\McAfee\Temp1783647089\installer.exe
"C:\Program Files\McAfee\Temp1783647089\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
5⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_b
3⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7252e1d0,0x7252e1dc,0x7252e1e8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3508 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240425081646" --session-guid=7d471afb-0f2f-404e-a52c-fce405eb4a1a --server-tracking-blob=ZmE5YzFmMDNlZTRmNmYwZjgwOTY1ODc4MWYzOGRiNDg3YWIzOTYxNzg1ZTM4MGM1YzZjZDU0OTM4MWRlZTQxMjp7ImNvdW50cnkiOiJJTCIsImVkaXRpb24iOiJjZGYiLCJpbnN0YWxsZXJfbmFtZSI6Ik9wZXJhU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmEifSwicXVlcnkiOiIvZWRpdGlvbi9jZGY/dXRtX2NvbnRlbnQ9Y2RmJnV0bV9tZWRpdW09cGIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI0NzU3NzIuMDk1MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19iIiwiY29udGVudCI6ImNkZiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6ImFpcyJ9LCJ1dWlkIjoiNGQ1NTg2MjEtNjlkNy00Nzk0LTk5ZDMtY2NmODEwMjY4YTg3In0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C05000000000000
4⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7158e1d0,0x7158e1dc,0x7158e1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332

C:\Windows\SysWOW64\netsh.exe
"netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\qbittorrent.exe "qBittorrent" ENABLE
3⤵
- Modifies Windows Firewall
PID:1208

C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\qbittorrent.exe
"C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77
3⤵
PID:3756

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp1783647089\analyticsmanager.cab
Filesize
2.0MB

MD5
b86746aabbaf37831a38b6eae5e3e256

SHA1
5c81a896b9a7e59cdff3d7e10de5ace243132e56

SHA256
70e35195fece6ebf6e97b76c460d67449c4785a1bd21f205908f995aa8c11a5e

SHA512
68e2f2359e6306a5ff3af0c348c2d452afa7a8766e10b2d36358eb30e70ed17f4b45b479b8be5585a91febbdda67cd2b96c225728ad32e9a54bad358269711e8

Download Submit
C:\Program Files\McAfee\Temp1783647089\analyticstelemetry.cab
Filesize
57KB

MD5
fc2f204b92db0e8daec09ae45cedbc96

SHA1
5d16a19f70224e97cfc383143ddbf5f6b5565f19

SHA256
22f38866a64fcc685be87a949f17d0bc85d20c9d5f6aec1ad469d59f099383c6

SHA512
32fd7845c34ff4df8b7ec5d041c4de1a577cb686d7b6b9bfe10897edd1b5dab503ff1fd5b6e729f0a081fff41d5b273cbd188dd7952c27366cf3f5c3b3fd3637

Download Submit
C:\Program Files\McAfee\Temp1783647089\browserhost.cab
Filesize
1.2MB

MD5
047cd507df3d47ad5b4580f92cca8462

SHA1
a3cba758d2c3a435d8b4841ed7874d3dae98affa

SHA256
d1ca37407ee6c256a2d174da8139dae1b5f3b681540763e4208073646dc3f85a

SHA512
beee3e3b0606c8620370033da292f8d177fc4c8556dc7c952bc9a56a1ad446e36cb425c2f849741a24f3ebce6b814e213ab051e31283f16854069b7b83289c74

Download Submit
C:\Program Files\McAfee\Temp1783647089\browserplugin.cab
Filesize
768KB

MD5
433889f06e58d9a9296f4d44b6e88109

SHA1
d1e52a6c83fe8d40fa4ccc2859aa033852ec03fa

SHA256
c757eda95b01d58e7b6a9461169bb0bc234064092175d27314a04a2ce94c52e2

SHA512
b92d5eb16151d3660ee8b954779875d6d995d96a2983c11455cc8e84ee489740d6ec195a562e77100b1968596de8ed6f05aac7dbd7ca4976b29c03b0d78b63cd

Download Submit
C:\Program Files\McAfee\Temp1783647089\downloadscan.cab
Filesize
512KB

MD5
f153f8d60497db4c990647a19ddffe04

SHA1
98ccb7b7b19e9b15441a85efd6f2ea4ca60ac89f

SHA256
c0de34f6e673cbc9e24a4126620f7c575d1369839613330fb27122e0678c4d18

SHA512
ef1c01d2110723aa600c9acd50fb8806eb4e5dbb59ff834717fbf2e0c1cb66cb75256a77accfdf037ce8b8b68de731a6b93decdb53a843ac01952111b1118ca6

Download Submit
C:\Program Files\McAfee\Temp1783647089\eventmanager.cab
Filesize
640KB

MD5
5174ce534cbb2645875f98b08e53272e

SHA1
f83334c3dd7776c764394de5662a39bf334a013e

SHA256
7fd36968d9699f2a18618432d7cc73761837df11b09721cd9960fd8f00feae10

SHA512
d548660bac1a02cf29737a4dc26615d038c786ff24ab5df2578c7f916c7e3185ec3bb1ef4251e29bb1f0628ce7c3aa9c9eeffb5b87860576f4d9d1b48f96e03e

Download Submit
C:\Program Files\McAfee\Temp1783647089\installer.exe
Filesize
2.5MB

MD5
4034e2003874264c50436da1b0437783

SHA1
e91861f167d61b3a72784e685a78a664522288c2

SHA256
471d799e2b2292dbdbc9aed0be57c51d8bb89725a944b965aeb03892493e8769

SHA512
f0923f9c6f111583358c4c4670c3e017da2182853f489d36e49efbb4ad0eed23bc420cecf9584a1df4cff30d1428cb745c6143eacd1ee4acb8cac7385bd3b080

Download Submit
C:\Program Files\McAfee\Temp1783647089\l10n.cab
Filesize
274KB

MD5
d2d49a3e1e9a75f4908d8bafeec64a8a

SHA1
7b73095c122d816f07d7372920025ee07a34452f

SHA256
ae57687e54b8f26ac9a233cb382a96a2f11b6ea3722feceab3fe6ef73e1a9cc7

SHA512
6bb7d5db7ae08d1bad860a2467da10d92794f73594ee20e044747f4129f4b2f89dcca1cd52662d5ad88c7279798b457585605c03dc7b9f1817fedf072dec5e8b

Download Submit
C:\Program Files\McAfee\Temp1783647089\logicmodule.cab
Filesize
576KB

MD5
d1f4402bd66f5ad3355c93150a0cf31a

SHA1
0035facb702568ee8fd4835542edeafd06e8cd7b

SHA256
6f0201e93f16b061b77e84b37f3874ad29f0be6709ef6d5ce295f6b9031e3425

SHA512
d7e878f105e3fe8a7046ac0161588edcdaddaff5c8d215af6bcb7fed7f51cf5cc591ab317cb95064b770729cd4884ba2a787ff10fadd446a8690a6501e218d91

Download Submit
C:\Program Files\McAfee\Temp1783647089\lookupmanager.cab
Filesize
192KB

MD5
305bc9c02e3d3d8507cc73c5ecc7ea06

SHA1
c691ea61b69c7fce489da5d8570d5030cd980a00

SHA256
916a12032e1b8015f0981acc463623dcf707e56de8f9697e8fff2d2374abf041

SHA512
3a997e13c0e4e84ea677dfac756bce2044896fcd3ddb69daa062650bac47832cac48a6f28a1b4c25a23180a8a9ace393d21cdd17ef099eca768a2979b8a7f38a

Download Submit
C:\Program Files\McAfee\Temp1783647089\mfw-nps.cab
Filesize
33KB

MD5
d9ca680b1fcd3930a7e88164d29835ad

SHA1
46e5f1906e3535936326529c81bad3ca77eba700

SHA256
b32933bd6e5b2f0d2928e92546195120375bbc8da68533e577adf6c54ea4ec0a

SHA512
45614f889ec7b1c30f5186bf61d4d82705f9175604cd82972a29b612f6fa4eb230179506adfc14bcfd5097890c9ebb37db54a96f80e781e742fe35e8c68b17eb

Download Submit
C:\Program Files\McAfee\Temp1783647089\mfw-webadvisor.cab
Filesize
128KB

MD5
cc4f5cc395f38d13cd1554538ee00dfa

SHA1
13d990275660bfc72e43b7173b84b84cdeda2999

SHA256
9993fb7f261dc04b83a563fbedeb19150c2dad026d8a0d904a7b02f37ab06702

SHA512
93c8c5221834fe5020f14e32aa6e78fc8d6ffd08a9d1835eeba5fb031c11bcc6bb345e7d4c848cd719a4eb8163e35b94f50ac417ec61859b665f7919ded71c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404250816460153508.dll
Filesize
4.6MB

MD5
2a3159d6fef1100348d64bf9c72d15ee

SHA1
52a08f06f6baaa12163b92f3c6509e6f1e003130

SHA256
668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

SHA512
251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\Opera_new.png
Filesize
49KB

MD5
b3a9a687108aa8afed729061f8381aba

SHA1
9b415d9c128a08f62c3aa9ba580d39256711519a

SHA256
194b65c682a76dc04ce9b675c5ace45df2586cc5b76664263170b56af51c8aeb

SHA512
14d10df29a3bb575c40581949d7c00312de08bb42578b7335792c057b83ab2878d44c87042bbdb6ec8ceaf763b4fbd8f080a27866fe92a1baf81c4f06705a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\RAV_Cross.png
Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\WebAdvisor.png
Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\finish.png
Filesize
2KB

MD5
7afaf9e0e99fd80fa1023a77524f5587

SHA1
e20c9c27691810b388c73d2ca3e67e109c2b69b6

SHA256
760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0

SHA512
a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod0.exe
Filesize
44KB

MD5
8486ba812bd128057947880070f20641

SHA1
2baded2c98a0f1411e34da64baedfb9f9ca6199d

SHA256
da3a60b410639b8c6e83fbf5f42def6da500e5dca4d9049fd2459a9901a1c93b

SHA512
629bcce9ba35e7b6e2643698f544907291e27757e7405880d138fea2c2eab8fe441a4f0675d3867304016960d33dc8b2f9bf047156f665258cf77312575c2c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1.zip
Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\installer.exe
Filesize
7.8MB

MD5
567f4759b69d1b6159e8fc22d4cb0569

SHA1
a8a9eac6404e30f54286a0707ebc18669ee9bfa7

SHA256
28ac658dafc00f56752ca3c323ee1219a49b8feb07e4acec2e459f04f4318c22

SHA512
37b612bd37a660711fee1e11868a08b43ca295a8d702fc7131c1782d2a373b14857797d1a8a1c5024b99fcf4a7d6a9c5493233ef1d86ae41082399f4f85afce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\installer.exe
Filesize
5.4MB

MD5
beeaf995fd95d6f99ce53044348d6778

SHA1
e9b89a48ad7e5045c104a3b20b7fab78a354f725

SHA256
cb4b9367147ede6607a6ef84375e490db1d7d6c267765cc378e6b36088913914

SHA512
b76dbdff15a5d12412548dabd105abc40d359d5d55ec8f783048ec2cb518a72e004017f1085084c853da45f20c60623eaacc0ff7047a444f32a3b068b757f81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod1_extract\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2.zip
Filesize
2.3MB

MD5
f743314bda8fb2a98ae14316c4d0d3a2

SHA1
5d8f007bd38a0b20d5c5ed5aa20b77623a856297

SHA256
2113c6d5ef32e3ded8b4b070a6d0da8b1c11a1ba5e7d7fbfb61deeeafc9d451c

SHA512
f30af84df2eb2ddf3ed414c069f0edbcf42110f14e0aed61c0f28d6bca0f1c7785db1d53f90686ffe1f543d610b0f5f223c79160f7245924c38d99e6ffe2321d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\prod2_extract\OperaSetup.exe
Filesize
5.1MB

MD5
472dea5069dd8ba24cd0379d70a78f4f

SHA1
b543293dd4cf909eb0ad3477e718bcdcbf0dadef

SHA256
80640139d8a69161417b01b1e21618921096ec5ea25658e1a56de9a6b7941395

SHA512
fa85babaa4a7ac60759da659ef22348569cf7c653d6c865b3c8277dc1a4a9d7edb356a621b218a9c1f39b48ac7f01dee902a046a57b2bc8b9ce6f424051bf6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\qbittorrent.exe
Filesize
22.8MB

MD5
22a34900ada67ead7e634eb693bd3095

SHA1
2913c78bcaaa6f4ee22b0977be72333d2077191d

SHA256
3cec1e40e8116a35aac6df3da0356864e5d14bc7687c502c7936ee9b7c1b9c58

SHA512
88d90646f047f86adf3d9fc5c04d97649b0e01bac3c973b2477bb0e9a02e97f56665b7ede1800b68edd87115aed6559412c48a79942a8c2a656dfae519e2c36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MLQ0.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
c79e3df659cdee033a447a8f372760ce

SHA1
f402273e29a6fa39572163e4595e72bde3d9330a

SHA256
7d09715c4e0735a0832bf81d92d84600df1815a2ba451586bd25eb16f7c450a5

SHA512
490cc30ccfac209f1f5332ce4168b0dc849d7e4d86f3c198ddd23b39ddc950001928a1e071c2ace74c4710508265c0872adb02e3f068e521d28ed8b19ea36492

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LC7U7.tmp\Teenage Mutant Ninja Turtles IV Turtles in Time_j-u51M1.tmp
Filesize
2.9MB

MD5
392188858aab78d544835de0fe665a04

SHA1
e2c06e4d926bbecee75887c83b5a9e732b0103b8

SHA256
eaa483432e2cae37fcf1350c160b848948f8e512ed085fab67d901bfcd8d5d07

SHA512
0d0d1d1196d705af2a755d054372b45e8540edeb201d2b9ac2d48a08240399314130f3e78e7e962ce708d3da90ed933fa848023f7db9ecaf7fc6ec7979cb05a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9B.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\ArchiveUtilityx64.dll
Filesize
150KB

MD5
3351152f6ee87e97682a0a7c459ef614

SHA1
5312f9da67fcfd573dc5e45f6a7cc35fa463af89

SHA256
6e2673687ba029074657f0d1c4410691ee013eff2223d0c7695dfe4f70c62f1c

SHA512
2b7ecb22746bf907ae4da891e170226da4f180ade27e41a16e1ef9e11f39e5e35b9eac3fcfff520dbb8a8888a1dbd1ca2459ab58ce8dc44a424c5de7b8132de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\Microsoft.Win32.TaskScheduler.dll
Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\RAVEndPointProtection-installer.exe
Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\rsAtom.dll
Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\rsJSON.dll
Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\rsLogger.dll
Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\rsStubLib.dll
Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\rsSyncSvc.exe
Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscA9C.tmp\uninstall.ico
Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\twek0i4t.exe
Filesize
1.9MB

MD5
f391817bc4f501c01e9942fc4a427d27

SHA1
cc75779d12b9fa1b9ad88d6ca734cb2b23418df9

SHA256
96c0a58bbf4cc1176b9fe18d6d96a7dba89997da81c687e24b0c73a7666cc738

SHA512
e7ae9a10887ca05e0d6a2a2ae8b91332f35de6af65759e8f1751d88d47cd6fe5df4b9ef339b70d069daa0f7f11ed290cf3aa2c99b93ecfda789dc5dca68ee347

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
06d25ac0757c885ac4fc4fffe5afdef9

SHA1
58ad92187bad662cf94226f86fba4985df961a0f

SHA256
e25483425e66251c030b92b1c3071019078aac2656c8a845954248cbacac1c94

SHA512
00f5a34e5b6ff4ef6b6c2dfc0a23469671b0ed2b68d6780ca562aa269bd279525f2f267b6a7e8645917cabb2c9c1b85e4c728e808b700c07a0f95f93a42a87e1

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json
Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
memory/920-253-0x00000237F3460000-0x00000237F3490000-memory.dmp

Filesize
192KB

Download
memory/920-263-0x00000237F3410000-0x00000237F3411000-memory.dmp

Filesize
4KB

Download
memory/920-261-0x00000237F3ED0000-0x00000237F3EFA000-memory.dmp

Filesize
168KB

Download
memory/920-272-0x00000237F4760000-0x00000237F47B8000-memory.dmp

Filesize
352KB

Download
memory/920-259-0x00000237F3400000-0x00000237F3401000-memory.dmp

Filesize
4KB

Download
memory/920-258-0x00000237F3440000-0x00000237F3441000-memory.dmp

Filesize
4KB

Download
memory/920-248-0x00000237F1830000-0x00000237F18B8000-memory.dmp

Filesize
544KB

Download
memory/920-249-0x00007FFF7EC80000-0x00007FFF7F741000-memory.dmp

Filesize
10.8MB

Download
memory/920-257-0x00000237F3490000-0x00000237F34A0000-memory.dmp

Filesize
64KB

Download
memory/920-256-0x00000237F3E90000-0x00000237F3ECA000-memory.dmp

Filesize
232KB

Download
memory/920-251-0x00000237F35C0000-0x00000237F3600000-memory.dmp

Filesize
256KB

Download
memory/3756-266-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/4280-483-0x00007FF773B30000-0x00007FF773B40000-memory.dmp

Filesize
64KB

Download
memory/4428-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4428-45-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4428-307-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4428-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4960-67-0x00000239DB520000-0x00000239DBA48000-memory.dmp

Filesize
5.2MB

Download
memory/4960-68-0x00007FFF7EC80000-0x00007FFF7F741000-memory.dmp

Filesize
10.8MB

Download
memory/4960-335-0x00007FFF7EC80000-0x00007FFF7F741000-memory.dmp

Filesize
10.8MB

Download
memory/4960-65-0x00000239C0B30000-0x00000239C0B38000-memory.dmp

Filesize
32KB

Download
memory/4960-71-0x00000239C2910000-0x00000239C2920000-memory.dmp

Filesize
64KB

Download
memory/5056-262-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/5056-66-0x0000000006370000-0x000000000637F000-memory.dmp

Filesize
60KB

Download
memory/5056-64-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/5056-29-0x0000000006370000-0x000000000637F000-memory.dmp

Filesize
60KB

Download
memory/5056-6-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/5056-305-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download