bazarloader | hxxps://www[.]fosshub[.]com/qBittorrent[.]html

Analysis

max time kernel
230s
max time network
232s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19-05-2023 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.fosshub.com/qBittorrent.html

Score

10^/10

bazarloader discovery dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5

Executes dropped EXE 2 IoCs

Processes:

qbittorrent_4.5.2_x64_setup.exeqbittorrent.exe

pid process

704 qbittorrent_4.5.2_x64_setup.exe
2220 qbittorrent.exe

Loads dropped DLL 7 IoCs

Processes:

qbittorrent_4.5.2_x64_setup.exe

pid	process
704	qbittorrent_4.5.2_x64_setup.exe
704	qbittorrent_4.5.2_x64_setup.exe
704	qbittorrent_4.5.2_x64_setup.exe
704	qbittorrent_4.5.2_x64_setup.exe
704	qbittorrent_4.5.2_x64_setup.exe
704	qbittorrent_4.5.2_x64_setup.exe
704	qbittorrent_4.5.2_x64_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

Processes:

qbittorrent_4.5.2_x64_setup.exe

description	ioc	process
File created	C:\Program Files\qBittorrent\translations\qtbase_gd.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_he.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_tr.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hr.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_sk.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_CN.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_TW.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\qt.conf	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ca.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fi.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pt_BR.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\uninst.exe	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.pdb	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_lt.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fr.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fa.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ja.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ru.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_gl.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sl.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_cs.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nl.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nn.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pl.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_pt_PT.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sv.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_es.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_lv.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ar.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_de.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hu.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.exe	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_bg.qm	qbittorrent_4.5.2_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_da.qm	qbittorrent_4.5.2_x64_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290190438462947"	chrome.exe

Modifies registry class 44 IoCs

Processes:

qbittorrent_4.5.2_x64_setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\DefaultIcon	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\URL Protocol	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\DefaultIcon	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\shell\open	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.torrent	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\shell	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\ = "qBittorrent Torrent File"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell\open\command	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\URL Protocol	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "qBittorrent"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\.torrent\ = "qBittorrent"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\ = "open"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\shell\ = "open"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\shell	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.torrent	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\shell\open\command	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\magnet\DefaultIcon	qbittorrent_4.5.2_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\FriendlyTypeName = "qBittorrent Torrent File"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\ = "open"	qbittorrent_4.5.2_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.2_x64_setup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

qbittorrent.exe

pid process

2220 qbittorrent.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exeqbittorrent_4.5.2_x64_setup.exechrome.exe

pid process

2540 chrome.exe
2540 chrome.exe
704 qbittorrent_4.5.2_x64_setup.exe
704 qbittorrent_4.5.2_x64_setup.exe
2388 chrome.exe
2388 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qbittorrent.exe

pid process

2220 qbittorrent.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2540 chrome.exe
2540 chrome.exe
2540 chrome.exe
2540 chrome.exe
2540 chrome.exe

pid	process
2220	qbittorrent.exe

pid	process
2220	qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

chrome.exeqbittorrent.exe

pid	process
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

chrome.exeqbittorrent.exe

pid	process
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe
2220	qbittorrent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2540 wrote to memory of 2592	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2592	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 2800	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4456	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4456	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe
PID 2540 wrote to memory of 4204	2540	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.fosshub.com/qBittorrent.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa870e9758,0x7ffa870e9768,0x7ffa870e9778
2⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:2
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1680 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:1
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:1
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4464 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:1
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4772 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4656 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:1
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5816 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6104 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6120 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:8
2⤵
PID:4860

C:\Users\Admin\Downloads\qbittorrent_4.5.2_x64_setup.exe
"C:\Users\Admin\Downloads\qbittorrent_4.5.2_x64_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:704

C:\Program Files\qBittorrent\qbittorrent.exe
"C:\Program Files\qBittorrent\qbittorrent.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5304 --field-trial-handle=1732,i,14578983266255994693,786041181394104989,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.3MB

MD5
cb03a80bc17d2d81fd34aab4341e89eb

SHA1
baf0f8686769ae47ed411e8432028057974a1611

SHA256
8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a

SHA512
f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.3MB

MD5
cb03a80bc17d2d81fd34aab4341e89eb

SHA1
baf0f8686769ae47ed411e8432028057974a1611

SHA256
8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a

SHA512
f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.3MB

MD5
cb03a80bc17d2d81fd34aab4341e89eb

SHA1
baf0f8686769ae47ed411e8432028057974a1611

SHA256
8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a

SHA512
f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe

Download Submit
C:\Program Files\qBittorrent\qt.conf
Filesize
84B

MD5
af7f56a63958401da8bea1f5e419b2af

SHA1
f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

SHA256
fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

SHA512
02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
3855f749a2e623f954b460a203346c2f

SHA1
117035d0eed3a8eaded921444fc6094c91097466

SHA256
b4b6b1c9c5509fdf7ee916641449fc952aa92c751c775d84f71bdcf611fe62a9

SHA512
5997ea811be935c900460c581a7243d3c5f55730850be59bcace34199b353d66ca68499e4974641ff7c64f8622cdfa750917834dad5720c0176efd43fc21feab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
3046c147f0c99c98d11041a9973a5a9a

SHA1
b75ab4867caa2b5d5650041280d260e5250b971a

SHA256
6b8efea8240c69091df2d175dc399b0bbfc754e6d20bb9b8914bb2beac019c1b

SHA512
c0aa3896aec89775051241eaa0b9abe9d3945c40334e0470680820f117dc6b2dfc982920bb00a4db3f86042e8cee5d3f15736fd01529dc3819ee84076fa03623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
73bb3d4522039b40e5d03b4d01f32c25

SHA1
dc2935d7ce145c645054b0d4075d92b87963ff92

SHA256
2bd1d494765db8bb6fba6b7e8dd7fc023a4c2857c0d1c90a1f53623488cbf4f1

SHA512
eca61076045495cd109d4c82d401347866a53010e600593ebced3bbbb7a5cba2f6ed7ced24f13218021b615e36621a46b030b63764e327367405a09e58144636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
4423b7392429134aebb16dcdcabb679f

SHA1
abe593f2332899bf1bb6df0f908846902e67a4fb

SHA256
588acd2e305941c32c6d3e2151d9524934a3f1f80cfbe2f2c2082797dc9f7be2

SHA512
78ce2c4b85548a8b989a3acabb3997156c41af8cb7840df8d8c74370453f54836328327050f6ca7fd7d2ece73f786beca9f9bee503d2455c63f48534e78b0cbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a9399609a456539dc0d73f046d8e57de

SHA1
303416c22d78074809000ed52a758bfaa98e12fe

SHA256
637796e8ecc1f0edccf925e38a8edb0ebe9ecca0f8fa490c2f112a983fdbaf13

SHA512
0b9685a5eaa1ae33b87ff8e7af9731d6f1e9d19780dd815f5e854a02cf1fce47208e4685e389c49067e931386f2c33c315092c75470fb02318d209cf94e9c64c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0af26dc4ee8ba6192fa482d90ba80f51

SHA1
abaeece3fb34211d2ccc67450e2982ee582b269b

SHA256
7ed1c259f7841ff227d0cb7eba966810227761d47e4ebc5887b7bf7fffcf9e0f

SHA512
e867ea4567d5c41a347cf9eb183447b4a383e27d0733d9a6461c2325a62adf5f7e845c4189acd7cd8500de76f2f274322eec0efb435c4519e9674a6da201fe85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
5a7b19daab7e2f22527f8d79767e83be

SHA1
6f3a55de6060571b5e900248dff96c97cce18c19

SHA256
4f1c9ca3bd30d97e6c7e1b900a96d98cff896d626e1a08b3361d2d7e3d4bed0c

SHA512
a183f9f1e00b5e14f3b40bdc28f324814c601e660e4abcfbde0be10ac3d5e1fee19664a35a12dea6fe39129ae146e7939710347869b3d2119d938675207d02b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
db101a3b5bac0e3d7e946f854ad4132d

SHA1
d771839c43b74c14623f8e814d4b5aa3eeb13d4c

SHA256
48349ac53e87c4f0e6921c9e0776224cb26948599b4e68cbe346791b1812ac90

SHA512
8bff75b0a7489014af421214c9168236902e3b7ad7437fe1a16cf01b07a1b8656fca92e21f19cc37a379895c8a460090ecad057b8f8b75587cd0cf1d1cae7e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c03a79d33731b3ecda029f3dc767ba80

SHA1
a19a7b7a02e55e479428e6d49a40dc038fd702d1

SHA256
9dc44e0059ddb6ff77db61a8205c8b683ea0ec66516f92fa55d6eac50718eb65

SHA512
bd600c60cea39904451bc8142cb2216f4e8796c78de0291b1e9d2b4947e0cf1bf153acb1b3b695c65863f1203cd042f501431f856072d267ba787b1963e0901e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d45dc59f753a66a8164be6200a05fc61

SHA1
b21e8468a7dc8b8a18fdbb85b87a72b3d7d151f5

SHA256
a23d7e19732c5c0c5d33b3d98a2fed0818017e9a52f84f0148af483ed1e5352c

SHA512
23f46828d25fb108595dd76722318daa2cc18e3686117f6be50bb7d1a43716c9af42f5a490b1d4f972772fac7fd02b5c8d070b060837148250bf62822f53687d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
151KB

MD5
ffc2a319c6855b4b1d6fd3b17b0c6cff

SHA1
a7c5c1d4d1b253b13691e958f09dc563d172dbff

SHA256
4c2cb020d8fd3eda01c2e497b7cbf086357fa6e34b12bc3527bfe62efe599907

SHA512
52e912fb82e90d221c2d91c65e73d3cb5561d351c7659833d62d7b03bfcb077730415aadab35f8e15d216999ff489113088bd6fb28c81345fe131c5f322c90f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\modern-wizard.bmp
Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\nsisFirewallW.dll
Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json
Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.2_x64_setup.exe
Filesize
31.3MB

MD5
c9cd92842c3fe0cbb53e320d46eb71cf

SHA1
1bbbf8fc8b6ac9dc40ffb01b0d521c1b81174216

SHA256
f2ec7fa4c5ae273d6d7181c0c9df225eb8ce8e0e85577b236c7b335c093f2e71

SHA512
fb7f4c71c50b7ff77c8ddc41c6c4d944d8138b0d9b7e948ef16815e4f76a26b9e8f28610866fc9455ffcf04d2e38ceddf15020526730a8154694f2ac501b7138

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.2_x64_setup.exe
Filesize
31.3MB

MD5
c9cd92842c3fe0cbb53e320d46eb71cf

SHA1
1bbbf8fc8b6ac9dc40ffb01b0d521c1b81174216

SHA256
f2ec7fa4c5ae273d6d7181c0c9df225eb8ce8e0e85577b236c7b335c093f2e71

SHA512
fb7f4c71c50b7ff77c8ddc41c6c4d944d8138b0d9b7e948ef16815e4f76a26b9e8f28610866fc9455ffcf04d2e38ceddf15020526730a8154694f2ac501b7138

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.2_x64_setup.exe
Filesize
31.3MB

MD5
c9cd92842c3fe0cbb53e320d46eb71cf

SHA1
1bbbf8fc8b6ac9dc40ffb01b0d521c1b81174216

SHA256
f2ec7fa4c5ae273d6d7181c0c9df225eb8ce8e0e85577b236c7b335c093f2e71

SHA512
fb7f4c71c50b7ff77c8ddc41c6c4d944d8138b0d9b7e948ef16815e4f76a26b9e8f28610866fc9455ffcf04d2e38ceddf15020526730a8154694f2ac501b7138

Download Submit
\??\pipe\crashpad_2540_OLSAEEZCGHSWHTUX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\FindProcDLL.dll
Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\LangDLL.dll
Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\nsisFirewallW.dll
Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
\Users\Admin\AppData\Local\Temp\nsj36E1.tmp\nsisFirewallW.dll
Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
memory/2220-434-0x000002A55D530000-0x000002A55D540000-memory.dmp

Filesize
64KB

Download
memory/2220-457-0x000002A55D530000-0x000002A55D540000-memory.dmp

Filesize
64KB

Download