Overview

overview

10

Static

static

1

utorrent_i...1).exe

windows10-2004-x64

7

utorrent_i...1).exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    utorrent_installer(1).exe

  • Size

    1.7MB

  • MD5

    241ce365f228ee5f74d81b3fea14e09a

  • SHA1

    700b05506dd3eebb4b87ff545f6d2bb6af6a3ae3

  • SHA256

    bf4ee47d0df1870104f4fada8a68c2fb29e94fea9284c7bb6a6b385a718d8a18

  • SHA512

    bf3756fb2b037a10592498f08e6eb3bad8f50da4ff9e96703e646a69ea1481e6801023abb3b1aae923fb2c68bb21ae5bb50f8e675b57ff90504c8e7ee8f81593

  • SSDEEP

    49152:9BuZrEUT97LZxMPrlDZFBmS06nIJOZobMP:LkLp/ZSr97Bmb6naO6bs

Score
7/10
discoveryevasionpersistencespywarestealerupx

Malware Config

Signatures

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 4 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Script User-Agent 6 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\utorrent_installer(1).exe
    "C:\Users\Admin\AppData\Local\Temp\utorrent_installer(1).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\is-E4D8D.tmp\utorrent_installer(1).tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E4D8D.tmp\utorrent_installer(1).tmp" /SL5="$60068,875149,815616,C:\Users\Admin\AppData\Local\Temp\utorrent_installer(1).exe"
      2⤵
      • Checks for any installed AV software in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\uTorrent.exe
        "C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\uTorrent.exe" /S /FORCEINSTALL 1110010101111110
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\utorrent.exe
          "C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\utorrent.exe" /S /FORCEINSTALL 1110010101111110
          4⤵
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4448
      • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component0.exe
        "C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component0.exe" -ip:"dui=54631303-6cba-4b22-b333-215df416769a&dit=20240506170101&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&b=&se=true" -vp:"dui=54631303-6cba-4b22-b333-215df416769a&dit=20240506170101&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&oip=26&ptl=7&dta=true" -dp:"dui=54631303-6cba-4b22-b333-215df416769a&dit=20240506170101&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100" -i -v -d -se=true
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Users\Admin\AppData\Local\Temp\j5csvcmu.exe
          "C:\Users\Admin\AppData\Local\Temp\j5csvcmu.exe" /silent
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\RAVEndPointProtection-installer.exe
            "C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\j5csvcmu.exe" /silent
            5⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:224
            • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
              "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
              6⤵
              • Executes dropped EXE
              PID:5012
      • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component1_extract\saBSI.exe
        "C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2324
      • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe
          C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x721de1d0,0x721de1dc,0x721de1e8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4856
        • C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
          "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4320
        • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe
          "C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3760 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240506170212" --session-guid=4cddb9c1-9ce7-4057-aae8-e7ceef3a294f --server-tracking-blob=ZjQ4MGYyNzQwYzc0NGQ4MTg5YzI3NzRkNDBjYWM4OTE2ZDhmOTVjNDFhNGNhYTBjZDdmYTM2MDUzMjUwZmE2ZTp7ImNvdW50cnkiOiJJTCIsImVkaXRpb24iOiJjZGYiLCJpbnN0YWxsZXJfbmFtZSI6Ik9wZXJhU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmEifSwicXVlcnkiOiIvZWRpdGlvbi9jZGY/dXRtX2NvbnRlbnQ9Y2RmJnV0bV9tZWRpdW09cGIiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMCIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI0NzU3NzIuMDk1MiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjMuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19hIiwiY29udGVudCI6ImNkZiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6ImFpcyJ9LCJ1dWlkIjoiNGQ1NTg2MjEtNjlkNy00Nzk0LTk5ZDMtY2NmODEwMjY4YTg3In0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3005000000000000
          4⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:4484
          • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe
            C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x7108e1d0,0x7108e1dc,0x7108e1e8
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4324
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
      PID:1828
    • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
      1⤵
      • Executes dropped EXE
      PID:1692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      Filesize

      797KB

      MD5

      ded746a9d2d7b7afcb3abe1a24dd3163

      SHA1

      a074c9e981491ff566cd45b912e743bd1266c4ae

      SHA256

      c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

      SHA512

      2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2405061702109623760.dll
      Filesize

      4.6MB

      MD5

      2a3159d6fef1100348d64bf9c72d15ee

      SHA1

      52a08f06f6baaa12163b92f3c6509e6f1e003130

      SHA256

      668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

      SHA512

      251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-E4D8D.tmp\utorrent_installer(1).tmp
      Filesize

      3.0MB

      MD5

      27174a5611d8827d1736d9ac8382d19f

      SHA1

      f000848acdd1c152d32a44c928deace522983886

      SHA256

      36a40fb99c1b026e59c6ba286a02548c64ec7a7e280b19d3169af9aa3c59b994

      SHA512

      4b6180facd75a9f10e2122ed1ca513979752f953cb92f8436877aff341b40575125db43293259a291406d95f408fbebbd89081fc07f2a5779ec02e5ead23406d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\Logo.png
      Filesize

      7KB

      MD5

      5424804c80db74e1304535141a5392c6

      SHA1

      6d749f3b59672b0c243690811ec3240ff2eced8e

      SHA256

      9b7e2ea77e518b50e5dd78e0faec509e791949a7c7f360a967c9ee204a8f1412

      SHA512

      6c7364b9693ce9cbbdbca60ecef3911dfe3d2d836252d7650d34506d2aa41fc5892028ba93f2619caf7edb06576fddae7e5f91f5844b5c3a47f54ca39f84cc6e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\Opera_new.png
      Filesize

      65KB

      MD5

      ca01cd3778c987f64633d8af840ccccb

      SHA1

      85ecea538314c4c09ce79ce554a32331d83bb4f1

      SHA256

      3c1235a59c023bad329532d2c559350b40536ef859c00fb36425f76f348e82ab

      SHA512

      ddb561140f22c874b35849553314e034fc4a0b792486fca09f46cba947d0438cea73f84a1775f035d0c344a9a2745a9e10f610375da4948256ee249999b21cdc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\RAV_Cross.png
      Filesize

      74KB

      MD5

      cd09f361286d1ad2622ba8a57b7613bd

      SHA1

      4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

      SHA256

      b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

      SHA512

      f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\WebAdvisor.png
      Filesize

      47KB

      MD5

      4cfff8dc30d353cd3d215fd3a5dbac24

      SHA1

      0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

      SHA256

      0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

      SHA512

      9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\botva2.dll
      Filesize

      37KB

      MD5

      67965a5957a61867d661f05ae1f4773e

      SHA1

      f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

      SHA256

      450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

      SHA512

      c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component0.exe
      Filesize

      44KB

      MD5

      fc85f17a5bb21d3483a2cfc9c6eca57c

      SHA1

      4299213cd82271f144cfbaf94ac6b413bb1d721b

      SHA256

      f8430e243ddb1b60f329b3f04ad6c5473f8d42d87e2464f0c3c8513226490152

      SHA512

      5e96cfbbbcfcc53b86a33b318f789e1fc251c37c809d8f7c517815cbf942cdfef179eab704d9079a1adca61bb8ddd0091a20b2ea2c72bdbb1485a2fa35014055

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component1.zip
      Filesize

      515KB

      MD5

      f68008b70822bd28c82d13a289deb418

      SHA1

      06abbe109ba6dfd4153d76cd65bfffae129c41d8

      SHA256

      cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

      SHA512

      fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component1_extract\saBSI.exe
      Filesize

      1.1MB

      MD5

      143255618462a577de27286a272584e1

      SHA1

      efc032a6822bc57bcd0c9662a6a062be45f11acb

      SHA256

      f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

      SHA512

      c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2.zip
      Filesize

      2.3MB

      MD5

      f743314bda8fb2a98ae14316c4d0d3a2

      SHA1

      5d8f007bd38a0b20d5c5ed5aa20b77623a856297

      SHA256

      2113c6d5ef32e3ded8b4b070a6d0da8b1c11a1ba5e7d7fbfb61deeeafc9d451c

      SHA512

      f30af84df2eb2ddf3ed414c069f0edbcf42110f14e0aed61c0f28d6bca0f1c7785db1d53f90686ffe1f543d610b0f5f223c79160f7245924c38d99e6ffe2321d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\component2_extract\OperaSetup.exe
      Filesize

      5.1MB

      MD5

      472dea5069dd8ba24cd0379d70a78f4f

      SHA1

      b543293dd4cf909eb0ad3477e718bcdcbf0dadef

      SHA256

      80640139d8a69161417b01b1e21618921096ec5ea25658e1a56de9a6b7941395

      SHA512

      fa85babaa4a7ac60759da659ef22348569cf7c653d6c865b3c8277dc1a4a9d7edb356a621b218a9c1f39b48ac7f01dee902a046a57b2bc8b9ce6f424051bf6e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-FE11F.tmp\uTorrent.exe
      Filesize

      3.7MB

      MD5

      d5bda33383b3ace63aa7df579ccef364

      SHA1

      804c1a7738d16240c6a3333ee10127a1182679a9

      SHA256

      44e91f68e2440fcc567530b72bbe0d04c8fc40bdd055d5973bdef62bbb21b857

      SHA512

      5a8ccc4e288fb493749af784fccea8b87ffe46af1799e1fd409076930f0d76356297922b5044fe15e582218f96b307979a3ea843be0b846a82b4f4bca5be2350

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\j5csvcmu.exe
      Filesize

      1.9MB

      MD5

      617fb2792eab69dd685f6c0af82788d0

      SHA1

      0d88d0abcd44907fb1ce430efefdfa51d96dd493

      SHA256

      a57d016e86169b7699ece6781d34f26be8d95216c21724afda110047b43c23e4

      SHA512

      5ad6dc0cb6fc47787a80983fdb418009a6a30b10210c4175f1acefc2ef69d1f84d26aa4075073754ba4284766bb53dfc7e5834aa2b338c8465f98611dc954c4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\INetC.dll
      Filesize

      24KB

      MD5

      640bff73a5f8e37b202d911e4749b2e9

      SHA1

      9588dd7561ab7de3bca392b084bec91f3521c879

      SHA256

      c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

      SHA512

      39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\System.dll
      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\bt_datachannel.dll
      Filesize

      4.1MB

      MD5

      dfca05beb0d6a31913c04b1314ca8b4a

      SHA1

      5fbbccf13325828016446f63d21250c723578841

      SHA256

      d4c4e05fade7e76f4a2d0c9c58a6b9b82b761d9951ffddd838c381549368e153

      SHA512

      858d4fb9d073c51c0ab7a0b896c30e35376678cc12aec189085638376d3cc74c1821495692eac378e4509ef5dcab0e8b950ad5bfab66d2c62ab31bc0a75118cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\nsisFirewall.dll
      Filesize

      8KB

      MD5

      f5bf81a102de52a4add21b8a367e54e0

      SHA1

      cf1e76ffe4a3ecd4dad453112afd33624f16751c

      SHA256

      53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

      SHA512

      6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu37C5.tmp\utorrent.exe
      Filesize

      2.2MB

      MD5

      3cdd9138411fe937bb972005782cd7db

      SHA1

      5d899bd8dd1e5e8ce4191071c8a83234ebfe8869

      SHA256

      59dc2da6612f57422ad2aaec7acd13da79c441855befb575ac38024b9dd1106f

      SHA512

      9d7e5845893acfd6773e6098e739035a9c960af0d3dc629b2530d1666474474df2e1cdceb08e3f0293ac57a36dd3cac1278d5c8509d8e486e140999260276fcd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\Microsoft.Win32.TaskScheduler.dll
      Filesize

      341KB

      MD5

      a09decc59b2c2f715563bb035ee4241e

      SHA1

      c84f5e2e0f71feef437cf173afeb13fe525a0fea

      SHA256

      6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

      SHA512

      1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\RAVEndPointProtection-installer.exe
      Filesize

      539KB

      MD5

      41a3c2a1777527a41ddd747072ee3efd

      SHA1

      44b70207d0883ec1848c3c65c57d8c14fd70e2c3

      SHA256

      8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

      SHA512

      14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\rsAtom.dll
      Filesize

      156KB

      MD5

      9deba7281d8eceefd760874434bd4e91

      SHA1

      553e6c86efdda04beacee98bcee48a0b0dba6e75

      SHA256

      02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

      SHA512

      7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\rsJSON.dll
      Filesize

      218KB

      MD5

      f8978087767d0006680c2ec43bda6f34

      SHA1

      755f1357795cb833f0f271c7c87109e719aa4f32

      SHA256

      221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

      SHA512

      54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\rsLogger.dll
      Filesize

      177KB

      MD5

      83ad54079827e94479963ba4465a85d7

      SHA1

      d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

      SHA256

      ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

      SHA512

      c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\rsStubLib.dll
      Filesize

      248KB

      MD5

      a16602aad0a611d228af718448ed7cbd

      SHA1

      ddd9b80306860ae0b126d3e834828091c3720ac5

      SHA256

      a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

      SHA512

      305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsu512A.tmp\uninstall.ico
      Filesize

      170KB

      MD5

      af1c23b1e641e56b3de26f5f643eb7d9

      SHA1

      6c23deb9b7b0c930533fdbeea0863173d99cf323

      SHA256

      0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

      SHA512

      0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
      Filesize

      40B

      MD5

      af2a71eeaee848f0ebbc9eca311347ee

      SHA1

      d2b9bdb287ccb4aa20e672c190c125fcb2c148a7

      SHA256

      e9d43898036105f9660a5fc38a8041b62a514119603a76f83a9fd7160bad1d4f

      SHA512

      eda9753b745d3ee55df3e59a77b2f8595fe9c4bd647c4a286a58775e87862722d092f2344fb390778b4f13b6f9f6899c1fca4197715c20d5fec20d37b00466c1

      Download Submit

    • memory/224-340-0x0000021BA5B20000-0x0000021BA5B4A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/224-312-0x0000021BA3E30000-0x0000021BA3EB8000-memory.dmp

      Filesize

      544KB

      Download

    • memory/224-315-0x0000021BA42A0000-0x0000021BA42E0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/224-317-0x0000021BA4490000-0x0000021BA44C0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/224-338-0x0000021BA5B60000-0x0000021BA5B9A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/224-348-0x0000021BBEC80000-0x0000021BBECD8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1928-43-0x00000000038C0000-0x00000000038CF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1928-29-0x00000000038C0000-0x00000000038CF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1928-6-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1928-15-0x00000000038C0000-0x00000000038CF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1928-342-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1928-49-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1928-50-0x00000000038C0000-0x00000000038CF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1928-42-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1928-28-0x0000000000400000-0x000000000070F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3652-156-0x000001BB2F930000-0x000001BB2FE58000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3652-155-0x000001BB14D80000-0x000001BB14D88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4448-105-0x0000000000400000-0x00000000009C2000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4448-129-0x0000000000400000-0x00000000009C2000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4848-2-0x0000000000401000-0x00000000004B7000-memory.dmp

      Filesize

      728KB

      Download

    • memory/4848-27-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

      Download

    • memory/4848-0-0x0000000000400000-0x00000000004D4000-memory.dmp

      Filesize

      848KB

      Download