bazarloader | 3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

Analysis

max time kernel
130s
max time network
264s
platform
windows7_x64
resource
win7-20230703-es
resource tags

arch:x64arch:x86image:win7-20230703-eslocale:es-esos:windows7-x64systemwindows
submitted
11-07-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbittorrent_4.5.4_x64_setup.exe
Size

31.3MB
MD5

6e35e4512488a44ebf34bff82dc4724f
SHA1

38903134b1a0a774cdcf728d3484493e7d83592a
SHA256

3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615
SHA512

a6faa23d08c34da39111b9da1d9be62eb9486d010b6217b0aaacaa0cc240bca4e305bdbdaf1f4175f4a4ddb12530ddecc3c488d1620e2ead20b9e90f3cbe6a1e
SSDEEP

786432:rVrG7dnL27saKvlVIbS7ykgixD9ZLstXfL:rVrsdn0sa8IbShgiVXLstXT

Score

10^/10

bazarloader discovery dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 8 IoCs

Processes:

resource	yara_rule
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5

Executes dropped EXE 1 IoCs

Processes:

qbittorrent.exe

pid process

1020 qbittorrent.exe

Loads dropped DLL 12 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exe

pid	process
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
2896	qbittorrent_4.5.4_x64_setup.exe
1212
1212
1212

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exe

description	ioc	process
File created	C:\Program Files\qBittorrent\translations\qt_sl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ar.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ca.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hu.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_tr.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_CN.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.pdb	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_pt_PT.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\uninst.exe	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_gd.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_sk.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_lt.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_es.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_he.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hr.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pt_BR.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_gl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sv.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_lv.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_TW.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.exe	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fr.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_de.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_cs.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_da.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fa.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fi.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ja.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nn.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ru.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\qt.conf	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_bg.qm	qbittorrent_4.5.4_x64_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 44 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\DefaultIcon	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\DefaultIcon	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\shell	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\shell	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\ = "open"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\shell\ = "open"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\ = "open"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "qBittorrent"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\URL Protocol	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\DefaultIcon	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\ = "qBittorrent Torrent File"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\ = "URL:Magnet link"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\.torrent	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.torrent	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\.torrent\ = "qBittorrent"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\URL Protocol	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\shell\open	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\FriendlyTypeName = "qBittorrent Torrent File"	qbittorrent_4.5.4_x64_setup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

qbittorrent.exe

pid process

1020 qbittorrent.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exechrome.exe

pid process

2896 qbittorrent_4.5.4_x64_setup.exe
2880 chrome.exe
2880 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qbittorrent.exe

pid process

1020 qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe
Token: SeShutdownPrivilege	2880	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

qbittorrent.exechrome.exe

pid	process
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

qbittorrent.exechrome.exe

pid	process
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
1020	qbittorrent.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe
2880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exechrome.exe

description	pid	process	target process
PID 2896 wrote to memory of 1020	2896	qbittorrent_4.5.4_x64_setup.exe	qbittorrent.exe
PID 2896 wrote to memory of 1020	2896	qbittorrent_4.5.4_x64_setup.exe	qbittorrent.exe
PID 2896 wrote to memory of 1020	2896	qbittorrent_4.5.4_x64_setup.exe	qbittorrent.exe
PID 2896 wrote to memory of 1020	2896	qbittorrent_4.5.4_x64_setup.exe	qbittorrent.exe
PID 2880 wrote to memory of 2884	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2884	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2884	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 2084	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1816	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1816	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1816	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe
PID 2880 wrote to memory of 1268	2880	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.5.4_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.5.4_x64_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files\qBittorrent\qbittorrent.exe
  "C:\Program Files\qBittorrent\qbittorrent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6739758,0x7fef6739768,0x7fef6739778
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:2
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1176 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:2
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1360 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3916 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4200 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 --field-trial-handle=1316,i,3728859943101498477,10225800338696757317,131072 /prefetch:8
  2⤵
  PID:2120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qt.conf

Filesize
84B

MD5
af7f56a63958401da8bea1f5e419b2af

SHA1
f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

SHA256
fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

SHA512
02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

Download Submit
C:\Program Files\qBittorrent\translations\qtbase_es.qm

Filesize
161KB

MD5
c7c58a6d683797bfdd3ef676a37e2a40

SHA1
809e580cdbf2ffda10c77f8be9bac081978c102b

SHA256
4ffda56ba3bb5414ab0482d1dde64a6f226e3488f6b7f3f11a150e01f53fa4c8

SHA512
c5aed1a1aa13b8e794c83739b7fddeafd96785655c287993469f39607c8b9b0d2d8d222ecd1c13cf8445e623b195192f64de373a8fb6fe43743baf50e153cda5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6fb607.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
8e3c918c952011818cb97c06fd33b715

SHA1
2865bdda36a90ecbee800fa8424379b389575f93

SHA256
bfe6c12daf69448f02458acfe066d748d57dc514c92cb1238532fe844b12a694

SHA512
9cccc24ad25834cba196f5960d0b4b04581861c7c4f405df3368e6fe4fc86cdd6887a474582ed48bed36156065ed8c0fd71c38f48d35a590de5d405f83978414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
44d4a29f2c312d5276451387e086a173

SHA1
1aa82878a34ac881f63dc422c583298ecd149734

SHA256
832ea777980d841f3ab61a28b68dca446c0ce465f34659260a09d57428a52ab4

SHA512
978d1e7eac7e7874031c1bb71737f955579ee4c597a989433f4d2a0b411aff63ba001c5152616d605d73c7b5c05f1fd7f111e87eff9cc7cccaefdc2ff924c1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a2ab33ca29da44e00ec8f190b5024770

SHA1
51a20f423d1cb54ef1e016926cd7afadd9963208

SHA256
3dc263a064985b2aa644486458b6f11061a9d24a48976b018f882bddce55f132

SHA512
37df5b240fc6319f8ec5c18d72da4d0e9ecdac0f1e5d9709d8671654498111f603a9d65732f04981be5a91b1576d86d9fa58eafcf43018011e60cc4c08f05064

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF6f3f52.TMP

Filesize
4KB

MD5
8b07d040aae807af475fefb30c21b4df

SHA1
9920a020bf3d43e4fc3dcd3f67253671d509cf15

SHA256
7ffdeb28507751048035013fdf1afa80c248f635a360d64b4a7ade113b05df0d

SHA512
75842caf86a0f560dee1043421f3af263b1b5618a200e54b3f5d372018f4e0a14b49f84832c975c5616d2e119ad9773a0aae65333c9a3230ac5bf4f85cb81d61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
\??\pipe\crashpad_2880_XOLXTXSAGNCSHWPF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
\Program Files\qBittorrent\uninst.exe

Filesize
140KB

MD5
91069149dbc3b622415e8526caaed735

SHA1
8487fb850aabff16ab683b707cbcce4c69220d99

SHA256
09d1cc6f80cfa7d019365ca50de6dc78adcae147ebf061ae381e0304c3891f13

SHA512
c7cb0efe1256d4888d183740419f0f849fb8634ef1892791ac2bd25ad5b021e1ed3efeaad5616940926c4221d8312d781318e1e6addd6f1092b593ab42716f4f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD00E.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
memory/1020-219-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1020-227-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1020-228-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1020-198-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1020-203-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1020-202-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download