Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

qbittorren...up.exe

windows7-x64

7

qbittorren...up.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...lW.dll

windows7-x64

3

$PLUGINSDI...lW.dll

windows10-2004-x64

3

qbittorrent.exe

windows7-x64

1

qbittorrent.exe

windows10-2004-x64

1

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...lW.dll

windows7-x64

3

$PLUGINSDI...lW.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    56s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/01/2025, 11:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qbittorrent_5.0.3_x64_setup.exe

  • Size

    37.5MB

  • MD5

    83505c82e83bd2e61bd67dfcf30724cf

  • SHA1

    5fbde5f904a7c0e1346b9bcef4a66a7a7dd7e5b9

  • SHA256

    878ca7e3fb7a90a937afdbe080c055877b4c6334a9589d27e092fd6737a0716f

  • SHA512

    87ead0cac1dd041f7929e68bfdf8b61ac50c9d05a74344ab951f9c624874452e22a30f678a6a059cc3e8906f92189c39cfe7bba6552681140d610edb1b529833

  • SSDEEP

    786432:7nvRa6b9c7DLVZhxGjtYO9NByxgyXXbFTUgCe4Oa0eMe6NwRI/gWfe+C:7paO9c7VZejf3OBbFTU3U+6NxIV+C

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 26 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qbittorrent_5.0.3_x64_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\qbittorrent_5.0.3_x64_setup.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Program Files\qBittorrent\qbittorrent.exe
      "C:\Program Files\qBittorrent\qbittorrent.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      PID:4720

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    71.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-dc-msedge.net
    ax-0001.ax-dc-msedge.net
    IN A
    150.171.30.10
    ax-0001.ax-dc-msedge.net
    IN A
    150.171.29.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=
    Remote address:
    150.171.30.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=33C78003C3C16AFE29449586C2B86BE5; domain=.bing.com; expires=Wed, 25-Feb-2026 11:33:50 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F3F09E54C5DB4CC99B7CC3B46455C8C4 Ref B: LON212050704003 Ref C: 2025-01-31T11:33:50Z
    date: Fri, 31 Jan 2025 11:33:50 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=
    Remote address:
    150.171.30.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=33C78003C3C16AFE29449586C2B86BE5
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=RrVXbMawGEGosDFhlLiiNYBnmh8r6hfYaZr0-9Ad4hE; domain=.bing.com; expires=Wed, 25-Feb-2026 11:33:50 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9609E156A1BA42309AC9BF7A92C4F469 Ref B: LON212050704003 Ref C: 2025-01-31T11:33:50Z
    date: Fri, 31 Jan 2025 11:33:50 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=
    Remote address:
    150.171.30.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=33C78003C3C16AFE29449586C2B86BE5; MSPTC=RrVXbMawGEGosDFhlLiiNYBnmh8r6hfYaZr0-9Ad4hE
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7FE1133B3EC748C184AED17FD08CA21D Ref B: LON212050704003 Ref C: 2025-01-31T11:33:51Z
    date: Fri, 31 Jan 2025 11:33:50 GMT
  • flag-us
    DNS
    13.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.153.16.2.in-addr.arpa
    IN PTR
    Response
    13.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-13deploystaticakamaitechnologiescom
  • flag-us
    DNS
    10.30.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.30.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • 150.171.30.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=
    tls, http2
    2.0kB
     9.4kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=1f5d12d176f742c085bcc0e36b54fd2e&localId=w:CED07D76-568E-F00B-486A-AAD2F0DB624F&deviceId=6896210250710623&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    71.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    71.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     169 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.30.10
    150.171.29.10

  • 8.8.8.8:53
    13.153.16.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    13.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    10.30.171.150.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    10.30.171.150.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\qBittorrent\qbittorrent.exe
    Filesize

    35.0MB

    MD5

    7a47d50bdb7a84a1fa58653f55eb2697

    SHA1

    fd767a6225bfdcca0537043b8f647d6ce33f7d1c

    SHA256

    6864e1a85198efb8ecf5f26564f7565d4d4e93f1ba7e4359bc05910ad74e83f0

    SHA512

    8c292a2a0bd6be2dac30e0f2cefe9bfd73aaff96e0cbb1301bba283fa8eabf378bbbc2c45667ec0cb0092e92d54bc02f054fb74b51eaa9068839225c3915d753

    Download Submit

  • C:\Program Files\qBittorrent\qt.conf
    Filesize

    84B

    MD5

    af7f56a63958401da8bea1f5e419b2af

    SHA1

    f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

    SHA256

    fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

    SHA512

    02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\FindProcDLL.dll
    Filesize

    3KB

    MD5

    b4faf654de4284a89eaf7d073e4e1e63

    SHA1

    8efcfd1ca648e942cbffd27af429784b7fcf514b

    SHA256

    c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

    SHA512

    eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    50016010fb0d8db2bc4cd258ceb43be5

    SHA1

    44ba95ee12e69da72478cf358c93533a9c7a01dc

    SHA256

    32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e

    SHA512

    ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\System.dll
    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\UAC.dll
    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\modern-wizard.bmp
    Filesize

    25KB

    MD5

    cbe40fd2b1ec96daedc65da172d90022

    SHA1

    366c216220aa4329dff6c485fd0e9b0f4f0a7944

    SHA256

    3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

    SHA512

    62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    1d8f01a83ddd259bc339902c1d33c8f1

    SHA1

    9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

    SHA256

    4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

    SHA512

    28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsfAD97.tmp\nsisFirewallW.dll
    Filesize

    8KB

    MD5

    f5bf81a102de52a4add21b8a367e54e0

    SHA1

    cf1e76ffe4a3ecd4dad453112afd33624f16751c

    SHA256

    53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

    SHA512

    6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.