Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    14-10-2024 06:47

General

  • Target

    utorrent_installer.exe

  • Size

    1.8MB

  • MD5

    32710bfba1858421cbf383e6f5c1ad8d

  • SHA1

    313d79259c5936b8705d0fda24ff3cb59758c36b

  • SHA256

    cb0abb633f628eeac47bec9379d698e08b4f281965277703d77fcb548b022496

  • SHA512

    66d9316854f39cafd650d16e6ad02d3eb30e9f9aede455c91d369e94e8db6251e9997f4261dfc7f8f04b0778f6c37e3924b8bdb22e326f42c28808eda71326ef

  • SSDEEP

    24576:uawwKusHwEwSDMnsQMJU/628S04FSq2FKfUbpW7/tumQ1wBRR:OwREDDMkU/6tS0QpYWVumQ1wvR

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Drops file in Drivers directory 4 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks for any installed AV software in registry 1 TTPs 9 IoCs
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
  • Modifies powershell logging option 1 TTPs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory 43 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 10 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 41 IoCs
  • Loads dropped DLL 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 29 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 21 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\is-UPRD9.tmp\utorrent_installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UPRD9.tmp\utorrent_installer.tmp" /SL5="$C01EA,854542,829952,C:\Users\Admin\AppData\Local\Temp\utorrent_installer.exe"
      2⤵
      • Checks for any installed AV software in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\uTorrent.exe
        "C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\uTorrent.exe" /S /FORCEINSTALL 1110010101111110
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Users\Admin\AppData\Local\Temp\nsdE82E.tmp\utorrent.exe
          "C:\Users\Admin\AppData\Local\Temp\nsdE82E.tmp\utorrent.exe" /S /FORCEINSTALL 1110010101111110
          4⤵
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4488
      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component0.exe
        "C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component0.exe" -ip:"dui=f9d1bf68-a4a3-4e40-8567-86018b80b4b2&dit=20241014064806&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&b=&se=true" -vp:"dui=f9d1bf68-a4a3-4e40-8567-86018b80b4b2&dit=20241014064806&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100&oip=26&ptl=7&dta=true" -dp:"dui=f9d1bf68-a4a3-4e40-8567-86018b80b4b2&dit=20241014064806&oc=ZB_RAV_Cross_Tri_NCB&p=707e&a=100" -i -v -d -se=true
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Users\Admin\AppData\Local\Temp\33ymtzbf.exe
          "C:\Users\Admin\AppData\Local\Temp\33ymtzbf.exe" /silent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\UnifiedStub-installer.exe
            .\UnifiedStub-installer.exe /silent
            5⤵
            • Drops file in Drivers directory
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1908
            • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
              "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
              6⤵
              • Executes dropped EXE
              PID:620
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
              6⤵
              • Adds Run key to start application
              PID:7508
              • C:\Windows\system32\runonce.exe
                "C:\Windows\system32\runonce.exe" -r
                7⤵
                • Checks processor information in registry
                PID:7532
                • C:\Windows\System32\grpconv.exe
                  "C:\Windows\System32\grpconv.exe" -o
                  8⤵
                    PID:7600
              • C:\Windows\system32\wevtutil.exe
                "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:7700
              • C:\Windows\SYSTEM32\fltmc.exe
                "fltmc.exe" load rsKernelEngine
                6⤵
                • Suspicious behavior: LoadsDriver
                • Suspicious use of AdjustPrivilegeToken
                PID:7780
              • C:\Windows\system32\wevtutil.exe
                "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:7884
              • C:\Program Files\ReasonLabs\EPP\rsWSC.exe
                "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
                6⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:7944
              • C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
                "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
                6⤵
                • Executes dropped EXE
                PID:5032
              • C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
                "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:5420
              • C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
                "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
                6⤵
                • Executes dropped EXE
                PID:7476
        • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1_extract\saBSI.exe
          "C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=NL
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:4772
          • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1_extract\installer.exe
            "C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            PID:4728
            • C:\Program Files\McAfee\Temp1226215240\installer.exe
              "C:\Program Files\McAfee\Temp1226215240\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
              5⤵
              • Executes dropped EXE
              PID:5560
        • C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
          "C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe"
          3⤵
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe
            "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4892_03B01F10_1432035236 µTorrent4823DF041B09 uTorrent ie unp
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4768
          • C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe
            "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4892_03B12360_100246336 µTorrent4823DF041B09 uTorrent ie unp
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3620
          • C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe
            "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4892_03B15490_1726283899 µTorrent4823DF041B09 uTorrent ie unp
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3152
          • C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe
            "C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4892_03B58808_1638404871 µTorrent4823DF041B09 uTorrent ie unp
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1104
          • C:\Users\Admin\AppData\Roaming\uTorrent\MicrosoftEdgeWebView2Setup.exe
            MicrosoftEdgeWebView2Setup.exe /silent /install
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3796
            • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\MicrosoftEdgeUpdate.exe
              "C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
              5⤵
              • Event Triggered Execution: Image File Execution Options Injection
              • Checks system information in the registry
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1304
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:5284
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:5376
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies registry class
                  PID:5412
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies registry class
                  PID:5488
                • C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe
                  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies registry class
                  PID:5524
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTczQjY4QkMtRUQwQy00NEQ1LUEyRDgtMDA5MzI1OTVBOUUyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyRkEzQ0Y3MC1FNUM4LTRCQTQtOURFMS0zQzJDMkFBMDg4OTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iUUVNVSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjI1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTM5ODA3NzM4IiBpbnN0YWxsX3RpbWVfbXM9Ijg3NSIvPjwvYXBwPjwvcmVxdWVzdD4
                6⤵
                • Checks system information in the registry
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:5572
              • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
                "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{E73B68BC-ED0C-44D5-A2D8-00932595A9E2}" /silent
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:5648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 2304
          3⤵
          • Program crash
          PID:3084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 2304
          3⤵
          • Program crash
          PID:5984
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4712
    • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
      1⤵
      • Executes dropped EXE
      PID:484
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3008
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:3520
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2332
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3948
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      PID:1868
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
      1⤵
      • Checks system information in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5692
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjE5MiIgaW5zdGFsbGRhdGV0aW1lPSIxNzEyMjMzNzA4IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTY3MDY1ODUxNDYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE0MzI0NTMyMSIvPjwvYXBwPjwvcmVxdWVzdD4
        2⤵
        • Drops file in System32 directory
        • Checks system information in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Modifies data under HKEY_USERS
        PID:5736
    • C:\Windows\SysWOW64\werfault.exe
      werfault.exe /h /shared Global\4bb84b544b0c4d3e87d9ba3183521829 /t 3360 /p 4892
      1⤵
        PID:5540
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5124
      • C:\Users\Admin\AppData\Roaming\utorrent\uTorrent.exe
        "C:\Users\Admin\AppData\Roaming\utorrent\uTorrent.exe"
        1⤵
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4808
        • C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe
          "C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4808_00B644C0_494058332 µTorrent4823DF041B09 uTorrent ie unp
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3644
        • C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe
          "C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4808_03B0E658_1398774030 µTorrent4823DF041B09 uTorrent ie unp
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5388
        • C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe
          "C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4808_03B0E8C0_657476795 µTorrent4823DF041B09 uTorrent ie unp
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5568
        • C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe
          "C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe" uTorrent_4808_03B0ED90_1668582918 µTorrent4823DF041B09 uTorrent ie unp
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3936
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:5024
      • C:\Windows\system32\browser_broker.exe
        C:\Windows\system32\browser_broker.exe -Embedding
        1⤵
        • Modifies Internet Explorer settings
        PID:1676
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        PID:3216
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Drops file in Windows directory
        PID:5764
      • C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:6572
      • C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
        1⤵
        • Executes dropped EXE
        PID:5400
      • C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
        1⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:6224
        • \??\c:\program files\reasonlabs\epp\rsHelper.exe
          "c:\program files\reasonlabs\epp\rsHelper.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:8164
      • C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
        1⤵
        • Checks BIOS information in registry
        • Enumerates connected drives
        • Drops file in System32 directory
        • Checks system information in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:6528

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\EdgeUpdate.dat

        Filesize

        12KB

        MD5

        369bbc37cff290adb8963dc5e518b9b8

        SHA1

        de0ef569f7ef55032e4b18d3a03542cc2bbac191

        SHA256

        3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

        SHA512

        4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\MicrosoftEdgeComRegisterShellARM64.exe

        Filesize

        182KB

        MD5

        d16deab532387bb817fcaa50b9bd8972

        SHA1

        2338f86ce086f48fb5c0c340d3fa5d71dd006064

        SHA256

        ba27ca798445934d02be72a0faa198539dfa38e922c06bdd93eb3070ee12311b

        SHA512

        0574f1fdc21d9c9b82a48d0ec651bb3b02c79bbad4643dbacfc72336200bf1bf8a524a5a0beaa19aad07e616d63b1e2f7c49c2e51e9397b05b5eb1e52d5c8290

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\MicrosoftEdgeUpdate.exe

        Filesize

        201KB

        MD5

        1509ed11b3781e023e9c0a491bfdac80

        SHA1

        2183e8228f0596d6c80927c0df49ddc1101a1219

        SHA256

        f626890b39920d9fa35ebcc31d448b75df05fe4a7a424c2b5ceb95c7d61e5d71

        SHA512

        1a9c53ff6906251cba2133d8907401c5f9e8f4f0ac918ae8466c4d21b2f5468bc86a08dbd01527bc0150cebf55737ac3023d564a6d032ac8d526648815662047

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

        Filesize

        214KB

        MD5

        8cda2d501c51f0869a69d5951f2aec5e

        SHA1

        b5263b1302ac3c9d99a7c7bd655c3fb9829e4a03

        SHA256

        208497513ff0c793e6dc0a9935d73dfc37887c875fe00aff4dfaeb3854054d31

        SHA512

        2dc9dd6299a6b0781879ea1d9fb14ef19c55e372887ac006a658d5d9c3396cf7953a8d93963053173c7c40d4d3d8650f46999cd766edddedd33064a2c15f9c64

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\MicrosoftEdgeUpdateCore.exe

        Filesize

        262KB

        MD5

        6fb9e3cc84490ac01ce63c90bd011d03

        SHA1

        472b6a9f09c7b5eb1d508f2c83468fab1a623261

        SHA256

        fdbedb7ffd417839bef8a9fcc69b545adf002739dd6a3f4fe92fd2e5859502ef

        SHA512

        3e1bd82154e8c142aaf19c2ef8e2b581c6f5d0697eaab350931e8d39da2b3e01d41be93b2d472a7d88a0279c1f62d8faa4476176ea41b3b5db712256e13338bd

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\NOTICE.TXT

        Filesize

        4KB

        MD5

        6dd5bf0743f2366a0bdd37e302783bcd

        SHA1

        e5ff6e044c40c02b1fc78304804fe1f993fed2e6

        SHA256

        91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

        SHA512

        f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_af.dll

        Filesize

        29KB

        MD5

        606ed68037082cee9216cb2f67766f4e

        SHA1

        72a736e0232877318c4faefa7e34c6dfba61e042

        SHA256

        4231acb9cc52694d3a314bd43266cdbfec48ee7f805e278a3cdf458b1550bb90

        SHA512

        f159c18eebd3db5bde59f378901dc1a1a34f4770e0467cb29b1d13cdc987aa43d59abed849547347892ec74a729425c0a538386886035101eb766161133ac3da

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_am.dll

        Filesize

        24KB

        MD5

        00dff51bc419ca992c8b00ba6f600911

        SHA1

        ce1beb0d9f721493942d37eeaad453cfdc258ab1

        SHA256

        bc9c9e5e30d6da8f566ea3d34cb58aebae0751b43106244dbfaf99af88a03e18

        SHA512

        284fe349cac1ea4f359d5aa5fe5942c8ee08073a2a4b95dff01522b7164c324674ab87f153309b8c699280e0d346dda6cf5e5238a95a86d297ff187d4868e0c3

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_ar.dll

        Filesize

        26KB

        MD5

        96bc228c659fc3b2f09b39aae22a0d08

        SHA1

        0e92c15622a60eceba9451b7262fe430399b4c74

        SHA256

        e863afcc91f8eb43808cf936cf3c9eca097740cb65ba50d615171a96c79835a0

        SHA512

        a17fe3682c681592c1fe19dada7c02dd809af2f5e7c49abede362e3986610bb1121d86d2beb72a0387c5c32b1fe88f6a3e1208192543ff5a906d430b7c382bb7

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_as.dll

        Filesize

        28KB

        MD5

        f0bb461ccbd972b8890e62c110941324

        SHA1

        528b0b2bc5e67a70bb7a519ccd3110a57c3ced30

        SHA256

        4021b6bf6678eeaca50f787fa653ec5a9b8d9c0d4d0cc0bcc515e19590e659da

        SHA512

        808410313f1dd24357bcdd74cc00d282eb712eb3e3326de4f7db23b57512b0256b73f6660e8eff2a92fac124e2b9863e0beeae4a4b7af2faa9f60aaa40f2806d

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_az.dll

        Filesize

        29KB

        MD5

        1d92f560471809eea74e20645f189f84

        SHA1

        eba6611cbbf97d3149bf1c2827323d6accddbd42

        SHA256

        b4a953430a4dc8d5a2b69709c1f6af2e42277df366f5528604734c1d933c212b

        SHA512

        589f3ef4a3b21d1959d5b8a70e07e71c6baac6b57468e1a8638beb0d6ebc6a4fe7e1fa60c0a1d255bee769c1b88c265879a01486d7e397750aa8dbaf3987890d

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_bg.dll

        Filesize

        29KB

        MD5

        5b17b4ac96d90bf48af3814f82679e13

        SHA1

        0097d33be3c86423002fb418c07172791ea04239

        SHA256

        14a5cd6d9e23888df3314aabd68b44166ce4f5c3a59f492a5194483aa2b0d824

        SHA512

        828e97c92b6864fa713bb5fea48d27c2a31678d271703ec04432a691939c516196b170f9787b12d7350e80d56b0751c108d3333a415669c0263025d6e5553ce9

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_bn-IN.dll

        Filesize

        29KB

        MD5

        1289424869c0efde5c5d7d81304ed019

        SHA1

        59904fb85b90b373c1e5de9fc1e67a2232082253

        SHA256

        19c114b66308c20fef3955d586740b63e61169d49cd81603e0418b546bf6a25a

        SHA512

        aae935ed3856fa93f15b1c89ac849d5d397b417e59b7de97a4af1d2c82efe3b5b58b545801fb9ea6de554213ebb373b07f21e880a725ecd14f2947d6264fb5a0

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_bn.dll

        Filesize

        29KB

        MD5

        ebffb9a8931987a8295709723183f980

        SHA1

        3d3085b39a34210d362149943ae73dc1978314ac

        SHA256

        a233815225c4cd9eeb0c4225ff6f37127ea68c363aebc4bb47474306746b63c3

        SHA512

        09939fb403d4731eed9fc7023af306663426e76884fba880428312d4fa322bb1fd11b4ef4a7116e5a4d809dc46486f0fed8e84887359e7c69c13eb57d9d9d009

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_bs.dll

        Filesize

        28KB

        MD5

        cb09124947b9355f54a25241f2abc507

        SHA1

        faafade6af4ec3ac77ceba740191795aafcfce79

        SHA256

        c982c2e0917ffed0e63763aae668ff9b5b552c4f5ff6df5e04bd861906b62cad

        SHA512

        cc3d0a34e191fa3d58fc389f29554898d6ad896357eb89baecf68ebdbf7d715b12e57508fb172394c3e540fcd275b78a859411cffc7b304b9ba5d605e82efbb3

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_ca.dll

        Filesize

        30KB

        MD5

        6a258d3b877f79678312901752a9b357

        SHA1

        c5c9a2b3757e44b791587bd8b9676b0c8bcc7d1b

        SHA256

        ae1120fc76dbef20dbf56dbd7284253547c27d55029f2a170772b7f1bd8651d3

        SHA512

        52371bd55629d8a4daa45a12141a067250d8d7987cc1a7047a3239f56ccb24a868f9613d98908546bcbe63cf751031b18910472be2578b570888681525d73cdd

      • C:\Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdateres_en.dll

        Filesize

        27KB

        MD5

        ca40f911aba7884d6840edfa2898843f

        SHA1

        d99e19aff7a2cea9f2796e10a23dc7938ff20332

        SHA256

        46cca81704cd9cd8a14968f493227691e91d3eda03aa265c38352ccd30c46ac1

        SHA512

        8f591900ae18cd264164fd7022b93eca30c54a8e99a612773da77fe23ce6d54f953cafb936d557d5f3155ebe46187cbd668ef7d38a03d4e33d29ed93ff72e687

      • C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

        Filesize

        798KB

        MD5

        f2738d0a3df39a5590c243025d9ecbda

        SHA1

        2c466f5307909fcb3e62106d99824898c33c7089

        SHA256

        6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

        SHA512

        4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

      • C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

        Filesize

        388B

        MD5

        1068bade1997666697dc1bd5b3481755

        SHA1

        4e530b9b09d01240d6800714640f45f8ec87a343

        SHA256

        3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

        SHA512

        35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

      • C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

        Filesize

        633B

        MD5

        6895e7ce1a11e92604b53b2f6503564e

        SHA1

        6a69c00679d2afdaf56fe50d50d6036ccb1e570f

        SHA256

        3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

        SHA512

        314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

      • C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

        Filesize

        7KB

        MD5

        362ce475f5d1e84641bad999c16727a0

        SHA1

        6b613c73acb58d259c6379bd820cca6f785cc812

        SHA256

        1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

        SHA512

        7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

      • C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

        Filesize

        335KB

        MD5

        0e0649fdb5e165ff2916476e5c612434

        SHA1

        eaccd3e538a15ebea97f0b85bda0da3cda78134f

        SHA256

        130a5f3338de1b1698692ff1b7eceaf32cddb8fbb3167490aed1976a0cd00da9

        SHA512

        2ce8202eae6f311d6bb96f888e774fbba1287da12da89c81fe2232de8f78b516efdce89c94d4c7c505f9ba2fe6d870e0b4e893d72dcf646c1d2f7cb6f9cb6dfa

      • C:\Program Files\ReasonLabs\EPP\mc.dll

        Filesize

        1.1MB

        MD5

        e3facfc07a9f81cf70f27f11d23cbdab

        SHA1

        55d810be7107d1ef29e8379ad30ba71f4e4fbbf2

        SHA256

        23accd7a0b75bb93238933d112dfa5b14bd989c773baed0ebacbdc0a9e439880

        SHA512

        26dbc8b35c33b4b6e3621dbea2afabbb10dd9b0eb581bc36c36c22130fb93846cca4540de060e85663de1d2a2522e8cb59f40a66608b6e43912a83640e78ef2d

      • C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

        Filesize

        347KB

        MD5

        6acadb26f4417f07421ccc426a6bff7a

        SHA1

        ab5a7385bfec5e68ef2973af88c63c8dccb3e3b4

        SHA256

        aefd24908b4ed4296d9223edd6d10c3493ec0dd0bdc547c2b185013951f07df5

        SHA512

        b52a4e74f6c3c03a814ca43aa76ff42f73498ea2dca81ce18e2e389e666eb22ea76226cf9b421fdb6e35349dab2e77e66216d33d9eb558582789aee10244b11d

      • C:\Program Files\ReasonLabs\EPP\rsEngine.config

        Filesize

        6KB

        MD5

        737aa4841b3f633906c9be89005c022f

        SHA1

        50cc14e87cbb7d94c842aa7195f0796125264045

        SHA256

        45b5a91bbf0ac67960e182ae413b1116e88f14f7004c5dfeadeb383ed0cf399f

        SHA512

        a020204f96acf9954e60903ba474691607cc5262a0306c62b37c18de829999af447e41c76966b8cc518f0f1805c495122b6a38dc577e54e001912c9f12ace9cf

      • C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

        Filesize

        257B

        MD5

        2afb72ff4eb694325bc55e2b0b2d5592

        SHA1

        ba1d4f70eaa44ce0e1856b9b43487279286f76c9

        SHA256

        41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

        SHA512

        5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

      • C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

        Filesize

        370B

        MD5

        b2ec2559e28da042f6baa8d4c4822ad5

        SHA1

        3bda8d045c2f8a6daeb7b59bf52295d5107bf819

        SHA256

        115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

        SHA512

        11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

      • C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

        Filesize

        2.2MB

        MD5

        ac1e94a075241967e440f1d84254666c

        SHA1

        20558c191c29e27610de4251731dc46023621ecd

        SHA256

        29fc893dea171964426e3e38d093c063134b8d789b16d3a7917f574afa4a1e63

        SHA512

        b500c30afb9ea7d640bb99b50410d037082ac882bd97ca7c165bea1bc1ef0fee5fe4b1ffccc612e979ceb89ca797dae80d534be19928b48e33612d87290343f7

      • C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

        Filesize

        19KB

        MD5

        8129c96d6ebdaebbe771ee034555bf8f

        SHA1

        9b41fb541a273086d3eef0ba4149f88022efbaff

        SHA256

        8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

        SHA512

        ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

      • C:\Program Files\ReasonLabs\VPN\Uninstall.exe

        Filesize

        192KB

        MD5

        3296a55f409ca8d305c541be731ff335

        SHA1

        caaf2a1fc7467fc854b39aa494be9e4610c0f336

        SHA256

        5cc0302ac3ebf1b90a9fe00a592e536f37a62c79765e332ca6c0cfe9a37077c2

        SHA512

        956395060b193a7c9de4162d4ec3d861c87348afd02f52430973c4e32dfa0546bf1f70fca5b37db4ddd747580b1fac9a02bef38236384ce177b37b9ea70da2f1

      • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

        Filesize

        15KB

        MD5

        d6fcf840480085b97fe8c2cd93e5414d

        SHA1

        66b7e25d0007f4710ade4bd92ee284c871f200b4

        SHA256

        4a598d01d9af7aa5546c8abc6160d6b51037166f56b2670b703dbfd4b77a620d

        SHA512

        fb6937faebbda228ee62db0c9563c6f78d35547c66b9c4f3365ddab134086fcaba7cc46a83812852ddd6fab1686da9008c5bab54d026fd39c70afd2e15a7728b

      • C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

        Filesize

        5.4MB

        MD5

        f04f4966c7e48c9b31abe276cf69fb0b

        SHA1

        fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

        SHA256

        53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

        SHA512

        7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

      • C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

        Filesize

        2.9MB

        MD5

        2a69f1e892a6be0114dfdc18aaae4462

        SHA1

        498899ee7240b21da358d9543f5c4df4c58a2c0d

        SHA256

        b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

        SHA512

        021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

      • C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

        Filesize

        592KB

        MD5

        8b314905a6a3aa1927f801fd41622e23

        SHA1

        0e8f9580d916540bda59e0dceb719b26a8055ab8

        SHA256

        88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

        SHA512

        45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6RX2F3GZ.cookie

        Filesize

        92B

        MD5

        7f293b97573c192d0f627761230e5899

        SHA1

        e8ded3afab9fd80e40e2acb79cbe86c16b79d781

        SHA256

        8d442a908467d310e3169ff864e6f983373381d636823fe873ab83494f068d72

        SHA512

        01fa0b51f3d7681a7daa48517c5a0596aca35643d2da240d7eb0466490e6086a164ce1c5f19c03e4a941409bb66103b2d35acb5d806338016fc8b527b2f65993

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\P25NBSGP\faviconUT-be6029e02bb2d6e0415a561c42641a2f[1].ico

        Filesize

        32KB

        MD5

        be6029e02bb2d6e0415a561c42641a2f

        SHA1

        a7995d37d73e7becbd95d20a01aa50bdde293dd9

        SHA256

        a59c7b93f881e55f6d476c9549d51ec7edfcfcd6f5fa862521b7e638b0dc5c18

        SHA512

        e9838c36195797800b608792bdc891c3e746e8937d31a515b95bceba355f78f2bae2b6577488d36e7663f667d4b7a0863b11f8b0e81e44261fca4a78eb784c67

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

        Filesize

        512KB

        MD5

        736871e2db75843307f7a3845d5833bf

        SHA1

        c06a16e1f2a485dd140ae72b404975ca4534f39a

        SHA256

        575d0bc5cc0bc1d69f66be0ab8062db0775ca6fac9ed6ba10af06e91cc7f519e

        SHA512

        4157c3ff191670956f9ebac37abedb866e945c4b659f1984560f74d7bd6b4b5a1ffd9136e327f2025ae1dec2041f8fb3da04ef0e1b5b49d55bf2146a88440827

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF6E86BA3005F0851F.TMP

        Filesize

        24KB

        MD5

        54716e2023164bbb20bf1bbe5ab4820e

        SHA1

        e6bbd6beb30b3938d33be0b7e517911d89e87a5a

        SHA256

        626fc4f60cea0f04c3f6879e642ba4cf94e6d3ada1af24eee3924b58e5d7b4e8

        SHA512

        e1167dc3de283d957fa8d08a472f11f2e1a0b7b4a5890efea7ee791e364dc09a81e0d10f91c3a396840f950ff3fbd2f8ef2cc7e0368b7098b772c91699e6cf4e

      • C:\Users\Admin\AppData\Local\Temp\33ymtzbf.exe

        Filesize

        2.4MB

        MD5

        32dbb951bcdc721ad9ec4a096e8384a0

        SHA1

        1fea668c0e116d875e50a43048969b4821f2cdc3

        SHA256

        73fa690b36e518b493e346c267b1db64e68a1d694bf9e1b0ad9da954a9d08389

        SHA512

        4a52a3c324fcb143c88ce9791032be5452ee81cbf026f23d54d5ac112feab6b4744b6f8aab180e25ee3386cdf78a775175e3c1d2a305e3bce132848bc07c4964

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\Microsoft.Win32.TaskScheduler.dll

        Filesize

        339KB

        MD5

        07d2c6c45e3b9513062f73c6b4ef13e8

        SHA1

        4ec2ffa55a31e44234e868a94066dab280370a3b

        SHA256

        dcadc14a5a4a0886cf8506aef9ca312f304ad77af37e9c3bebadb90fecef90fe

        SHA512

        64386d0269ec05f1e854f321421d907b23fae4ef6687f143b0638afe9b983bea360bba0ba25169151e1e1fda7caec6b60abe48216009668063f79dba8b6a42d4

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\Newtonsoft.Json.dll

        Filesize

        701KB

        MD5

        394a6e7da2972f0307604f1cf027a955

        SHA1

        fba0319c7a82c183ffa96e01a6d427e2c0911f2d

        SHA256

        981fac0f3323033c87c5a236a7cc80ea4a633cbf7c7b926b28ddbe720d4b8fdf

        SHA512

        24763b6887c222c4a609e1db621279cb5441211902d3a57789e93f6e5bcd61081dc985f5382676b39207f85d5e8a24f0d610f66bedec0af9b6d294816d68785d

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\Reason.PAC.dll

        Filesize

        171KB

        MD5

        6852acb92faf84c7ba2dbcf8f251ca21

        SHA1

        80e06a69b0e89eda01dc9058f6867cd163d7de44

        SHA256

        9de687df8721e57bec834a1ed971edc6abd277e81ec6d5fee0de7f9f08eebd11

        SHA512

        cb9bb5b04e1dfea25c8178cbcc2277d2df40a65afb5203b7edc996c5039b7f609671d5780fea519f673685ee92080b8dd0ac054627e1e9148e2c7599e1c66e76

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\UnifiedStub-installer.exe

        Filesize

        1.0MB

        MD5

        eb01e3263ed81d47c948763397e200f7

        SHA1

        6e15d83055beee39dfd255221e9784ba919eeb94

        SHA256

        8e9c6533623fb610c20b91362bd74645eb767e5b0f47a62644e8ad6eefe17d91

        SHA512

        56df74f5cb578b658ee518fb7f1dd6400df4188a188acda4fe83bba0af557e239e5a82699613f3b2bbcdbc2da0265f0248a82f773c65e59ab644c723ef2e18e9

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\f91a71cc-a52e-41cb-b907-5c751fba3c59\UnifiedStub-installer.exe\assembly\dl3\5321157c\6293934d_051edb01\rsAtom.DLL

        Filesize

        170KB

        MD5

        3e3fb87e2695d5127722bfa80a5df42d

        SHA1

        e1c20f3d6b1c7a75c076a9d53500ac38a6f2db14

        SHA256

        4d22dfc2b75b436e674c324ac43c2b5f0abb5d609cb7e3e9079290d2a7ba5698

        SHA512

        64abb4514f26ee148434813403c590063aad8476a64278993c37a50a4cd315e4e7231b4bdbfcfce9de720e90c8a82934def8cf3c5a7d63ebfa30a710f1886ced

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\f91a71cc-a52e-41cb-b907-5c751fba3c59\UnifiedStub-installer.exe\assembly\dl3\6c1fdc96\fa1b9d4d_051edb01\rsServiceController.DLL

        Filesize

        182KB

        MD5

        02ff517bf81ecfd5363b5f8df13c4fdd

        SHA1

        85dc5ffd23c55f0120ddb2c784937e6cb6ad9bba

        SHA256

        dccca51255284c09675dec517fc1c1ef175415c5e8d9d5695f7644a48d1b7078

        SHA512

        4d7be2c73e655bad920387c13f347d499d875ee1482c7e335bc080e4e28894867e904dd7463de4c5d22d5a912605b3d6b022b3f56e427682a622d5cf73ad8055

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\f91a71cc-a52e-41cb-b907-5c751fba3c59\UnifiedStub-installer.exe\assembly\dl3\8331f950\fa1b9d4d_051edb01\rsJSON.DLL

        Filesize

        222KB

        MD5

        771b9423950ae27111db7af2655bdb79

        SHA1

        d08c5ad3bed49e90050da4128844ed06ef2a1c2d

        SHA256

        b08d3d0156d2dbf9e4b631beb3ae436ce4876e851586f7908066ac034acd4809

        SHA512

        87dd0a37688577d9b19ad1df3e5518e4e299f31974837226f9ff68ad33f383b37460e82fc29f02cdeac2b530cf9f0d627f430b4f74a728d843ac338e36a50c9c

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\f91a71cc-a52e-41cb-b907-5c751fba3c59\UnifiedStub-installer.exe\assembly\dl3\c355e456\fa1b9d4d_051edb01\rsLogger.DLL

        Filesize

        184KB

        MD5

        d03339e6db680fdb24d0d3e3eb29dbf0

        SHA1

        2cebaff56c106d2c773d68c5d5c837341d49e4d9

        SHA256

        8e21ac4959d70477812f256d608e70de05b6e5d23f327e4d5565a5fc124cca86

        SHA512

        f3161c14d98729004abf9c2351e8684fda0272cbd2d0d5c157bc27a78ddfc62d517dc20cba9d8007915508e3da50ebede0392274d1f0b3bc499cd77c23b6bdb2

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\rsLogger.dll

        Filesize

        182KB

        MD5

        8d7c6d91acc80161238fb1b57f290580

        SHA1

        94653d2574ce4b23711030d8a4855735691c248d

        SHA256

        15f727b784dad456177df9328d1760693ae4648b37bd395dfb43bf3ceba760fe

        SHA512

        89366a2d2e3ce5eaeb81a7728aa720a86d59521a612a64e26cc988ea4353b9ec95e94ccd74a4582a3f87fcc8c881fd03fcdace85aa566a1b4ae92409a98b839e

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\rsStubLib.dll

        Filesize

        270KB

        MD5

        26ffa645c99b87925ef785e67cfefc4c

        SHA1

        665f81ad2d77f3047df56b5d4d724b7eaf86945b

        SHA256

        c56d0502297fa69575fcc1521a6190c1c281243770270b2e1732f5494fb8f05e

        SHA512

        d49034d2cc7ab47b2c701aa1acbca5cf4890338b9f64c62978a6d09049ed1928f23ca41f03035b1f655ce1e7d2ff220e8098db4b38c9812921b5481ce2932823

      • C:\Users\Admin\AppData\Local\Temp\7zSC02F2548\uninstall-epp.exe

        Filesize

        319KB

        MD5

        882fee1ea7c9969476942c0134e5051d

        SHA1

        f42c13c7e4777bc1fcdf1719c99f156627345a76

        SHA256

        9716fd65434ef067f707ffd0a81762c32d2b2fbdb61ae5a03fb44a6ed9213bfa

        SHA512

        ded432c4038d0b021f3f1afc1cd0acd522da3a33244ef7618fda0cfe8acb3cf3ab624edc0b2b1498bfe48b9ccb81d4c06037460c2246cd6773b0cd3e947b0571

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\107.png

        Filesize

        74KB

        MD5

        cd09f361286d1ad2622ba8a57b7613bd

        SHA1

        4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

        SHA256

        b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

        SHA512

        f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\108.png

        Filesize

        47KB

        MD5

        4cfff8dc30d353cd3d215fd3a5dbac24

        SHA1

        0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

        SHA256

        0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

        SHA512

        9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\109.png

        Filesize

        29KB

        MD5

        0b4fa89d69051df475b75ca654752ef6

        SHA1

        81bf857a2af9e3c3e4632cbb88cd71e40a831a73

        SHA256

        60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

        SHA512

        8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component0.exe

        Filesize

        32KB

        MD5

        bbd2d654bc315a099c1db65071cb47a0

        SHA1

        8f38580a9af04e3c472142f2142c01723cda1e0c

        SHA256

        11e9fe10c952b20df6cc9230591754b774579327cf38fe9fa8c55b55431a5ae3

        SHA512

        34fe9427f77289ba3923cd64665da2b39abc988e5b44965392202b96c2a0dcd1a89d2291464614fea90fd6a30daf19ffed8efe90d9f292ac27ab7dda501423e3

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1.zip

        Filesize

        515KB

        MD5

        f68008b70822bd28c82d13a289deb418

        SHA1

        06abbe109ba6dfd4153d76cd65bfffae129c41d8

        SHA256

        cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

        SHA512

        fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1_extract\installer.exe

        Filesize

        24.4MB

        MD5

        46c50dc50d9be92829b9d6fd4678c11d

        SHA1

        3c0b0493b9e6269a1a00c48720c7fd97c04ddd4f

        SHA256

        d9c15d4a7e2b1a320154a5c61af012242e3408a5c5519cbb4e93a7843692cf50

        SHA512

        340fdbc7618e86ef4178142aa9012ab9317869b85ac148fcd31c0c2fff007114eaccbf60ee829be99890d36b7d5e1a78c4617e40a538735a8b01002d4d5e41e9

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\component1_extract\saBSI.exe

        Filesize

        1.1MB

        MD5

        143255618462a577de27286a272584e1

        SHA1

        efc032a6822bc57bcd0c9662a6a062be45f11acb

        SHA256

        f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

        SHA512

        c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

      • C:\Users\Admin\AppData\Local\Temp\is-P31QK.tmp\uTorrent.exe

        Filesize

        3.5MB

        MD5

        dfc260ae851e48d6a012ae545ca4bb58

        SHA1

        5c81201a0354d1cad1a04cdca255d6d1c29e99f9

        SHA256

        401409e8da7321fb94a1a8ac6217d2dd067007d29547257575c26a39f31e8931

        SHA512

        6322e14e85586bbf8d2171ab49fd451c85919823717baa8763f1361685efb90c69c05af8e219629692f98e5140de9c1dec81da3e92a9feb79c86d7aa92b8118c

      • C:\Users\Admin\AppData\Local\Temp\is-UPRD9.tmp\utorrent_installer.tmp

        Filesize

        3.2MB

        MD5

        f1ae90a9f6324a07d39d877fcdf99710

        SHA1

        60a6ff33c3a1e980c529072890a1326b8a56b809

        SHA256

        2de8e11d8d9532ec1c51b30eac3906b38d06109238ba8ae272ec841fa9b42ad1

        SHA512

        1ac279c5d8f2cb403dc10eebb2c753c86ce10757fa3a1a5d59173864e82bfe4f0ed42e4c105ca40d7462f73ea6cea408889ea5bde8543b93d9a0febe0cd05f78

      • C:\Users\Admin\AppData\Local\Temp\nsdE82E.tmp\bt_datachannel.dll

        Filesize

        4.1MB

        MD5

        dfca05beb0d6a31913c04b1314ca8b4a

        SHA1

        5fbbccf13325828016446f63d21250c723578841

        SHA256

        d4c4e05fade7e76f4a2d0c9c58a6b9b82b761d9951ffddd838c381549368e153

        SHA512

        858d4fb9d073c51c0ab7a0b896c30e35376678cc12aec189085638376d3cc74c1821495692eac378e4509ef5dcab0e8b950ad5bfab66d2c62ab31bc0a75118cf

      • C:\Users\Admin\AppData\Local\Temp\nsdE82E.tmp\utorrent.exe

        Filesize

        2.0MB

        MD5

        b7f8a3909ad963d5b5260dacfa897e6e

        SHA1

        030ed1e99cb6d681dadca6068caf194bf67580e9

        SHA256

        8837428a93c7ee46b9772d6c857e109e9baa0f5b28450f87fff7c0e8b87cf017

        SHA512

        42569e974ef38ddea3300c6d82fd5e371c3cff8bdb04311c6bf3d94727fc37c5ef223ad07198ca2e499528a1671593ea6ef2bf3000611dbda49ca0a0c59c6bb4

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-160447019-1232603106-4168707212-1000\1f91d2d17ea675d4c2c3192e241743f9_f9d1bf68-a4a3-4e40-8567-86018b80b4b2

        Filesize

        1KB

        MD5

        5b1029611354585c0f15c8107f240366

        SHA1

        a1243e560375a5e5d8bcf17192c64a7ec57659b3

        SHA256

        99e5da69ade897ac50ae6155498d67d21a00c2f4a131d8ab1262c85a5eb2ece5

        SHA512

        d0e4af73b8e304e9bbe4a3b122df330e0a4d751ce3a2494fe56154e9cf65d5b77fed700d9aad426cc8a67e9710cef4f2fc94576fbf5e8792a73e24fb1222f1d4

      • C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat

        Filesize

        8KB

        MD5

        bbeb016a4d072947bfc8280856337069

        SHA1

        fc2c87f1276e5d7671bcc0ec63ee0cf96b5a23a4

        SHA256

        dd127a7991cbee06738135be4e1928a994f487149df8a3290219da9e3dae2666

        SHA512

        6dfe76f0bfb524d6702ac4fef0d416f9ba8e65ebb0d52084b0571e5a91197745f24cf9f312da46a5b026562ddd1e8d344280ce50ddfc013b05415a33115707da

      • C:\Users\Admin\AppData\Roaming\utorrent\MicrosoftEdgeWebView2Setup.exe

        Filesize

        1.6MB

        MD5

        a05c87dd1c5bef14c7c75f48bf4d01ea

        SHA1

        d71f4a29ba67dc5f5a6cf99091613771d664ee0e

        SHA256

        274e12d01e0cae083202df4a809c1c153b02cb3ca121c19c43b0aaa1c3a53a40

        SHA512

        f64864193ff892be86462aaea9a019a9085e937d199161536d163bf183f4ba08100d17f2cf962818b106b2c797d1f22b92933e9711273d85d7d08f0d18400222

      • C:\Users\Admin\AppData\Roaming\utorrent\updates\3.6.0_47142\utorrentie.exe

        Filesize

        693KB

        MD5

        cb7beaf76d79ccc4d91d043419ec3661

        SHA1

        6952a0600d07c65f023e7a33cc1f9e9e8bd426b3

        SHA256

        ab5fb8587d7ec8dd8e9ea9e69d8a8695bb165f44fe1d07f0f7df1ace5203d552

        SHA512

        cbf6e27909f7ae5798154e9a5138bf4fa14f42504593f7918563b81178d4b15dec1649ae43d9fcef062980b05f6024b953d09796419f8ce28f79fc27e6453363

      • \Program Files (x86)\Microsoft\Temp\EU2268.tmp\msedgeupdate.dll

        Filesize

        2.1MB

        MD5

        8a816664389165f11a9e50fe42671657

        SHA1

        ae43aba2a512b5139e7dfd034655259bf638c698

        SHA256

        09d9f52e86ddd5fb3391d7dd683c42a9fa9d03a2ceee56b1273ccd42986b4851

        SHA512

        a65fcebdbc170ddff5eea916cc92233c5a91d7167b35cd71f2093a43e34020c3813f083d82622ad4f8db8cca30728cbd21f8bdbfd17663273f05de24538d0f7b

      • \Users\Admin\AppData\Local\Temp\nsdE82E.tmp\INetC.dll

        Filesize

        24KB

        MD5

        640bff73a5f8e37b202d911e4749b2e9

        SHA1

        9588dd7561ab7de3bca392b084bec91f3521c879

        SHA256

        c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

        SHA512

        39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

      • \Users\Admin\AppData\Local\Temp\nsdE82E.tmp\System.dll

        Filesize

        12KB

        MD5

        cff85c549d536f651d4fb8387f1976f2

        SHA1

        d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

        SHA256

        8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

        SHA512

        531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      • \Users\Admin\AppData\Local\Temp\nsdE82E.tmp\nsisFirewall.dll

        Filesize

        8KB

        MD5

        f5bf81a102de52a4add21b8a367e54e0

        SHA1

        cf1e76ffe4a3ecd4dad453112afd33624f16751c

        SHA256

        53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

        SHA512

        6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256
