bazarloader | hxxps://filebin[.]net/kldda95m5hf0rxec

Resubmissions

16-08-2023 16:24

230816-twqnyabh73 10

16-08-2023 16:15

230816-tqbylabh45 8

Analysis

max time kernel
376s
max time network
381s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2023 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filebin.net/kldda95m5hf0rxec

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

Processes:

resource	yara_rule
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5

Executes dropped EXE 5 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exeqbittorrent_4.5.4_x64_setup.exeqbittorrent.exeqbittorrent_4.5.4_x64_setup.exeqbittorrent.exe

pid	process
6104	qbittorrent_4.5.4_x64_setup.exe
6068	qbittorrent_4.5.4_x64_setup.exe
3992	qbittorrent.exe
1440	qbittorrent_4.5.4_x64_setup.exe
5140	qbittorrent.exe

Loads dropped DLL 11 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exeqbittorrent_4.5.4_x64_setup.exeqbittorrent_4.5.4_x64_setup.exe

pid	process
6068	qbittorrent_4.5.4_x64_setup.exe
6068	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe
1440	qbittorrent_4.5.4_x64_setup.exe
1440	qbittorrent_4.5.4_x64_setup.exe

Drops file in Program Files directory 37 IoCs

Processes:

qbittorrent_4.5.4_x64_setup.exe

description	ioc	process
File created	C:\Program Files\qBittorrent\translations\qt_gl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_lt.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_da.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fi.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_tr.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\uninst.exe	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.exe	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fa.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_lv.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_sk.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_CN.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nn.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_pt_PT.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sv.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_bg.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_es.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fr.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_gd.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hr.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hu.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.pdb	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_cs.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pl.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\qt.conf	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ca.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pt_BR.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_de.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_he.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ja.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_TW.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ar.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.5.4_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ru.qm	qbittorrent_4.5.4_x64_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31051871"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "156123678"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d00000000020000000000106600000001000020000000142a2f27b085483c119ddf14f68da9db6222e209ddd08a35eabc944dfab6434b000000000e8000000002000020000000ac1856dc789fa9120a8d08bb931d6c6daef9cad1b3ffa524acc32a64cb79f8cb200000008ebb7da4ea17f6cf330c555be58a653ad02543deedc0b5018c2405b47ff1562040000000889fc2d0ceabde646ab5d3e5c171bcd669df703fff7991291a2cfaed286a11ab1a6c4f9a3d4112cfe264c5e8fd4fc560c2d8620904ecd3bc965d9cdb80f996e0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ee560a5fd0d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "156123678"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{34CAA845-3C52-11EE-A95E-6E57E90FA48A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31051871"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000052a69338ef97e94eb4d938c2816c6e0d0000000002000000000010660000000100002000000072fb71c00aafb1f19e0f9c07e03f11e68ea460bdc395f6ab33d5e50e3082031c000000000e800000000200002000000025ccca985ed132a9bf9c7c7801382985626019e2edf729fc457e16c8cfeab9a820000000f542dd40502360e17ea7f184d31025b1a4c6245fe91f8acf6602de67dbb5846740000000bed2708cbe70bb25eae31f8be481311627ba9afd5a33c6ef6396477c60e61944220cee464154fe738f482882f979b859aa3682a1b00f652f935a4c99d282cf9a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8089860a5fd0d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

qbittorrent.exeqbittorrent_4.5.4_x64_setup.exefirefox.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	qbittorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent	qbittorrent_4.5.4_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\ = "URL:Magnet link"	qbittorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\shell\open	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000a9a4f368a9add9019439a7adc5afd901ed6b136c5ed0d90114000000	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\ = "qBittorrent Torrent File"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\DefaultIcon	qbittorrent_4.5.4_x64_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.4_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.torrent	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell	qbittorrent_4.5.4_x64_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	qbittorrent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.4_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\DefaultIcon	qbittorrent_4.5.4_x64_setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.4_x64_setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	qbittorrent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell\open\command	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\.torrent\ = "qBittorrent"	qbittorrent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\DefaultIcon	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.torrent	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	qbittorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\shell\ = "open"	qbittorrent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.4_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open	qbittorrent_4.5.4_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1722984668-1829624581-3022101259-1000\{FA616644-784B-4B8F-A303-EE258E7D9611}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	qbittorrent.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	qbittorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	qbittorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\magnet\Content Type = "application/x-magnet"	qbittorrent.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 898731.crdownload:SmartScreen msedge.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

qbittorrent.exeqbittorrent.exe

pid process

3992 qbittorrent.exe
5140 qbittorrent.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 898731.crdownload:SmartScreen	msedge.exe

pid	process
3992	qbittorrent.exe
5140	qbittorrent.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeqbittorrent_4.5.4_x64_setup.exe

pid	process
3700	msedge.exe
3700	msedge.exe
4112	msedge.exe
4112	msedge.exe
3380	identity_helper.exe
3380	identity_helper.exe
3680	msedge.exe
3680	msedge.exe
3252	msedge.exe
3252	msedge.exe
5920	msedge.exe
5920	msedge.exe
6104	qbittorrent_4.5.4_x64_setup.exe
6104	qbittorrent_4.5.4_x64_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qbittorrent.exe

pid process

3992 qbittorrent.exe

pid	process
3992	qbittorrent.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

qbittorrent.exefirefox.exe

description pid process

Token: SeManageVolumePrivilege 3992 qbittorrent.exe
Token: SeDebugPrivilege 4204 firefox.exe
Token: SeDebugPrivilege 4204 firefox.exe

description	pid	process
Token: SeManageVolumePrivilege	3992	qbittorrent.exe
Token: SeDebugPrivilege	4204	firefox.exe
Token: SeDebugPrivilege	4204	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeqbittorrent_4.5.4_x64_setup.exeqbittorrent.exefirefox.exe

pid	process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
6104	qbittorrent_4.5.4_x64_setup.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
4204	firefox.exe
4204	firefox.exe
4204	firefox.exe
4204	firefox.exe
3992	qbittorrent.exe
3992	qbittorrent.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

msedge.exeqbittorrent.exefirefox.exe

pid	process
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
4112	msedge.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
4204	firefox.exe
4204	firefox.exe
4204	firefox.exe
3992	qbittorrent.exe
3992	qbittorrent.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

qbittorrent.exefirefox.exeiexplore.exeIEXPLORE.EXE

pid process

3992 qbittorrent.exe
3992 qbittorrent.exe
3992 qbittorrent.exe
4204 firefox.exe
2604 iexplore.exe
2604 iexplore.exe
3848 IEXPLORE.EXE
3848 IEXPLORE.EXE

pid	process
3992	qbittorrent.exe
3992	qbittorrent.exe
3992	qbittorrent.exe
4204	firefox.exe
2604	iexplore.exe
2604	iexplore.exe
3848	IEXPLORE.EXE
3848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4112 wrote to memory of 2164	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 2164	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 368	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 3700	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 3700	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe
PID 4112 wrote to memory of 1840	4112	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filebin.net/kldda95m5hf0rxec
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6cc046f8,0x7ffc6cc04708,0x7ffc6cc04718
2⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
2⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
2⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
2⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
2⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
2⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
2⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
2⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
2⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
2⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,5554768743980843014,2387874539414285538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7432 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5920

C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
"C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6068

C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
"C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:6104

C:\Program Files\qBittorrent\qbittorrent.exe
"C:\Program Files\qBittorrent\qbittorrent.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.0.1233319711\1292562488" -parentBuildID 20221007134813 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {280f4bde-5737-4996-8479-2ee660815703} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 2004 1dbaefd4b58 gpu
3⤵
PID:4596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.1.2039081422\643112440" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d72bfae9-ebaf-482a-ac9d-b7498a40a6cd} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 2408 1dbaef04458 socket
3⤵
PID:5204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.2.1213754657\1993157373" -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8142a18d-1a1b-4112-a6a6-f172a521a569} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 3192 1dbb3103258 tab
3⤵
PID:3876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.3.759762511\1746152383" -childID 2 -isForBrowser -prefsHandle 3628 -prefMapHandle 3624 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7518215f-8063-4fc9-abaa-a88c21b48454} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 3640 1dbb1827e58 tab
3⤵
PID:5136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.4.690834801\537062407" -childID 3 -isForBrowser -prefsHandle 4300 -prefMapHandle 4348 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c05e923-9fcf-48a9-b666-438a447251c7} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 4344 1dbb4785258 tab
3⤵
PID:1820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.7.1285845511\545806614" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {531d9f12-c6b4-4b93-ae40-a2686189ab67} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 5408 1dbb304ee58 tab
3⤵
PID:3372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.6.1700691979\1506993007" -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be3ea877-f5de-4c9e-85bd-13ee2945227d} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 5264 1dbb304e558 tab
3⤵
PID:5292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.5.419651755\778343500" -childID 4 -isForBrowser -prefsHandle 5008 -prefMapHandle 5004 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8516b645-8ca5-46f5-8c0d-5b4bb37281b9} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 5020 1dbb57e4c58 tab
3⤵
PID:2820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.8.1945535270\1837250640" -childID 7 -isForBrowser -prefsHandle 5932 -prefMapHandle 5024 -prefsLen 26656 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe274321-81dc-4517-823a-0602c6170bf9} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 5956 1dbb3066858 tab
3⤵
PID:3884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.9.1854521723\1615174158" -childID 8 -isForBrowser -prefsHandle 5152 -prefMapHandle 5068 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bc31056-4570-46c7-b1ec-e4d2fdba381e} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 5144 1dbb72d9a58 tab
3⤵
PID:408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.10.574425453\1515738781" -childID 9 -isForBrowser -prefsHandle 4472 -prefMapHandle 5180 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba3b5b52-3c7b-4fcc-becf-99b692d07eee} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 4452 1dbb6af2858 tab
3⤵
PID:368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4204.11.661496846\1690921548" -childID 10 -isForBrowser -prefsHandle 6240 -prefMapHandle 6244 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0508228-2657-49b9-be4d-17d030e87cb9} 4204 "\\.\pipe\gecko-crash-server-pipe.4204" 6328 1dbb6b4ef58 tab
3⤵
PID:792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WatchTest.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3848

C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
"C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440

C:\Program Files\qBittorrent\qbittorrent.exe
"C:\Program Files\qBittorrent\qbittorrent.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:5140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe
Filesize
28.5MB

MD5
299af9fcfb3067e8f5f64f0866c8fe33

SHA1
5244f3c95dbee3c29c4171899a1a158087419f59

SHA256
aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34

SHA512
35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2

Download Submit
C:\Program Files\qBittorrent\qt.conf
Filesize
84B

MD5
af7f56a63958401da8bea1f5e419b2af

SHA1
f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

SHA256
fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

SHA512
02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1c9121f7-efd6-4b86-9e52-928343345bcb.tmp
Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
Filesize
19KB

MD5
e79a52b8bf94e07d5beb71da469a7864

SHA1
edfdcd6451d255a257988fd564f49822a86055b0

SHA256
ac9e1ea725046cc3e80323c52d972f76797e38a1f8d6a0e6eb2ced5b1e6f3b9d

SHA512
2181765025f7a6ed01cf2489b1095bccaf8dc94bc495537844c93ea966186a0050f5118219411018543de07a2f3f9489782ed6e0fb12038607d0901f88afbeed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7b27794ec197c7807836429a736953e1

SHA1
1f1b3748b89a307e352deb6c862ea9052003612c

SHA256
e078192179816706572d3630c0fed3a1a0f9e1f2fc358fd0c6e044880e37576c

SHA512
a2171fc923daa1c1fb88206313108ad8e3cb38104ed4f43396ec6f2c8594459440ebabc31acd10963093bceb7e4c30e082db651b43e9ccded239919d712887f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
27d79a5656903a9075d4d53cd886dfb9

SHA1
785a85a6c63f72c5fa661af9590c9508e04e4bdc

SHA256
76ddf944269b4e653d5e4225f7e1595f9ee36609ceeba480c4b5d3298671bf67

SHA512
b481c0501fd2228acf9723e9cf83a313f9befe4334ca225d134a75d36c71c4168c034836a509de430a1c32e75d19eebbe97429fc70804bbdab244a640c3a832a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
a69c0435691f8b58e72325b7e778ea34

SHA1
a03cc6631f37bf4511cbbef1ad6adf04de2b5343

SHA256
feecadb10ce587497604c98bcb22fd2bcabb2bdeaf86f20261c37837117c72d9

SHA512
a638a42e1f4f3ca2ae87c9e763a6914d5dc108222b99a38e823ce288b0b3cfeeb9535988cd8c4e6254fdfd4ab4751c9774845575e6cee9d111ab82c074250ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d5e733794948e48b215cd9e3f5cbc9b7

SHA1
d68d390f2ab65b2806166d41e991aaa28abfde2f

SHA256
9b87754605c95c4a650a20d46c21c1956a100c70a8b760c45708075e0f855b59

SHA512
6d6a1b8daad8799228f1cc9c0d15060bde68b673ec9836a7a2c73f740549beea2d03f97885c450db443d64559c915f83cae1b008e9f2d564e6e962499a745f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
4eec5e191119e47eb48bfb4caa12b319

SHA1
0d434500c9621e8714f229fcc05c1f28456607b8

SHA256
ffaf636f9e1f3d6558629feb08bb62f129682dc7e06d6842889397ac4d5df02d

SHA512
c9cadb9851ae4091969465d448f24aaf28e67acb83fd7163520fdd1038cb3c4893a68dbc8c607d7398d2f05b11374409dec43d67caeaa85a956407dd655bb4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8289959c5447823be20639ed7dacab92

SHA1
23b476d909bdf7a9bd04f6df197db56a78d87942

SHA256
8af418524bc7d1dfe50a7f5884115c060214fdc24275444b8f735cf597b91d2c

SHA512
22e6239e573f5c743f1d70abbacc6afadfe7ffea302d502fc93d6bb49b9f8e591648d13102f0f281aa6fcfdb6572ad52df305b227a01e8cd193a46b1c3459c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
934ab7d2874b75ec8884528e2328c5f1

SHA1
18c22c54f64af6494c878c2230afe453d6cd390c

SHA256
f2aa81bbaf2bf0a67eea268a18de51a9e6e8d7bde1f5bb13aa705b0b3c786bad

SHA512
4b4d147df55147aef813bd1216eaab76ea1696eab3295b24ab33e2f2f8948e7ad9b3651078b00f884fcf60e13b72033427644344d1f32c5039748c11fcc199b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3d0fbff62031fb0d363590cbf4a236f8

SHA1
382fb1db11ab22c5cf6b1428f2f899cbebeeb21a

SHA256
b19ad565fd8287e9006e9a90e5625798454a187b28d1e6a8e9f37e4eb547ccdf

SHA512
ccf2c6594589e65c0f2272b85544296119485d096485f51131316e9778c0c57081212998c8ac6e7d5c70d1ec5a54477b4b0f0d8abc79d871964771694e2b7b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2a8c41540330ed779a9c5a404dd4cf48

SHA1
77b5e5c254ca99765271808e5ffb72de0cffe8a6

SHA256
84b02303c3a1f5921f98e15147c0739c300e11232a5c41c9ed901466208ed8ee

SHA512
746fe3fdf264c9ec38bfab62cb9202523df007dad3dee0446a1a6c74fbfcf40f118fd14834a5d102635b0d21a5047822a0490959836833d9e4cf0dcf994b9948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
231c09a21baab73d85c850d8e6d45f40

SHA1
c68f6a399647777fb119abaa995eb5f5e2a0edfb

SHA256
fc05f4b91f9c2d540344d3cb64715f48bfc3fa8661cf70fcaa305c853e5b60e5

SHA512
8869c08ae20f89e8f60366cf2123da3823ddbd25993f0c0d2608f00657da9e6b6262f313597d209e12084aa84239735615a7c24c5bb8abe54862ce042642fe84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
15de92226cec67b603e84a28ca947f16

SHA1
36f2ebfcb6684f243ca75dd50a231bb52d6262c9

SHA256
09651d410499a6b654ed0f4dcf1ca6442e399b8beedf6165aa454bebb0d75ab4

SHA512
3cdb7ff1d3c52d44d86c84b60501f0ee4ab6048efb23a5bfa16c366286702323d8fa66e600bd4daf25e479836713436c409928868a0acbcd2c6d7af9af85fcbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cdef.TMP
Filesize
370B

MD5
b9ac0d91f7738c9ad03e1d439ed81103

SHA1
1cf65aae97812ba29163b9b287dd0cc568377739

SHA256
43d27c42b4477722909426de641bde1fd9ab5040627bf3fd6e243421f8504728

SHA512
4826924744a30b1ce680b3cf4cc866165a20329f62312252073c1843664cebdf657df231a2b1e5967083de19827df7cc1f17e53b9c27d6d43cdaab88e29c7866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
baa84eccca832dbad61513bb2fa24150

SHA1
21a69cb97239c61cd2b1689695476f3c3b9bc444

SHA256
f56438369b098117a905fc77f288a504f97c5a0bf0b325e8ec4429fb62182e7a

SHA512
30425b9e5ad4102251f6cf2f3006cbb1be7dd1ee5f52044ce43e683974c83c6e8918d17e6fef3d3a32c4ba3f99ba759d90f398264ed424f712bc42b9b85165db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
231e61f1cb0a36848dddade8068c52c7

SHA1
ccd88ded520fe468032c55e181fdc58d070f3914

SHA256
06d0e3a55b270a48099ac92662fe50367f72f8da9add77e377d4cfdd1855b619

SHA512
252c1eaa0d9930e33e7a4fde105a3959abf714ef6df4c1d694149d9df398c983a59da17a5d44cd7e08fce41597a61be33b896f3fc8c3841ea7d6e163436ea0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
5208e23a225eb4a1cf6269392509f3c8

SHA1
d38feec4897fbf27c87e86f0ab193b6acf76557c

SHA256
4fe5ee567f22480a52b68896d7b3470c6e125446a427eb9cc5703b2edf2421cb

SHA512
c8d2ee9a9b58e627367a0b7946434722ad55f8a9bbda25ca23df6ca94527a61a72af051de983f1f20a5b6ef111f26baa1002ad839c5ac603181604c46d49113b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
dfc5d9bf15dfe5225d46f72eadab9e70

SHA1
7e587b0ea227e7f8180c36e0e265ff17246480f7

SHA256
87e0c10ce167c3a47abaf92b22808cb1057d8f640100a0cfe299727563fb33e0

SHA512
029c1ab2ace1a15e00fe73de0650078d7db5b320aa4b324593e2f67887503347f9be39e00cbe7e6b4cf5b1470b1aaee1f9ea496e1dae5c6ecff0ffe53e323e69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cache2\entries\70DBE5F90BD35EEC6D4A07D16DB46EC38E379124
Filesize
13KB

MD5
a4d11f83a34abe521d802b9eadb82277

SHA1
8a0ef15a3ff35dcace2d207771e0a0dadc6c17c2

SHA256
836924652cfcb086fae3d807d83d99a6e8f23f617b6d1674a7c19d3e5bf63864

SHA512
1b593b6c2388f6ac3a69011ccc672d779486db5fd235af81808242579ed9e5e66c95418fdc81db63349099731ceed686ffb6a8d3ccc25981e6a9e15f75e9c33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\FindProcDLL.dll
Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\FindProcDLL.dll
Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\LangDLL.dll
Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\LangDLL.dll
Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\modern-wizard.bmp
Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\nsisFirewallW.dll
Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\nsisFirewallW.dll
Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6946.tmp\nsisFirewallW.dll
Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB196.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB196.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\LangDLL.dll
Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst681D.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\qBittorrent\BT_backup\2b9323f57ab9b7ed4c9ff1e3f6e23b13aa4e71d8.torrent.WZVENo
Filesize
94KB

MD5
2b703a795eda5e08f6f02980d6c81837

SHA1
80e95852f4ee1f50609d3be4d9c38effbfb1adf7

SHA256
19d1fb486698209666f8c4920043887fcf54f475b5c073a225c83bc65b586636

SHA512
77993a193176427c7251ad0ad39267a2158380eb8455f7f44f83c8c8eea5826b552dc8ccc82fb8a27120adac7bd973583fe50d691e84f4cc7900945bdf397a82

Download Submit
C:\Users\Admin\AppData\Local\qBittorrent\logs\qbittorrent.log
Filesize
3KB

MD5
a54841e32e30404d476a5ff0c911f06b

SHA1
9f7ebebe5fed242b01b0293623756dd3880471ea

SHA256
17b8b637a0377de17d3bd2042ad49cbca951d2ee554c4e9be504ce834ef2afcd

SHA512
10a956a11b7bb8c2026bfa54d9a63eac89ec86eee175f951535d6382dac8974e60d6f5f7f7fb5845acdf086c18bd2515ab93420f670ceaf8203192d4a0e01f54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js
Filesize
7KB

MD5
47b2f4ce303e4385cdf4b054c501b639

SHA1
2a49d45c3057b7b411b0af6579849e7ed5ae8c0b

SHA256
5b5fe2005d44bc17d5e725f8789e588a5ba575a543c534b786f7c65c1cc39fd7

SHA512
0e47c014cb0feab47cb901c99859482f66f593160a721c6ae410fd809dfda5efc339d1c076edda94fffcca4f12fa9795620f960d13a7236bb01e862156eaf7eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js
Filesize
6KB

MD5
8e2840372ade84fb9f5a5b2ea89b8d6d

SHA1
cda6d7a6e8eaf278975cb00db9ebe3615306995d

SHA256
6dbb11513b4d698333ae2ce75e94ec2a57a180763aa6c793d83adfd3e40df7ec

SHA512
1151b07985ec4cf7ff3213b71a8cf09dc7241dc072fe22772147f5f60d0dea1c792e379bb3bbd945110aabb009165d28a41275e344c2d4fed72df478221c3b54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js
Filesize
8KB

MD5
f67a8831b483f851300b6d6f7bea681c

SHA1
6a6a93ea711031cf1642c341b5af2201b780c71b

SHA256
9ee7f3a8650157f2ed1ee185a09e6ed41fd6f4efbbfbb1fe4a54e9824fc36e95

SHA512
c9568fd0b06b89bbe1b6dd404f60616ecd53e3c41c3caedddd942a96e5653ee0f6fdcad4336798d950870ddb075cc710722d174723ff20f8e0858425ad86fbf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a0ff66bac59b1c05266ba21650b703f4

SHA1
568682905ec7064cd3873c87d07c8c8fee635286

SHA256
f7a2127c0e8eb8fcd0bceaf995f8093eeeca1bd14423209170d0c29f0a1c5e7c

SHA512
13af8de0c734fe1f43780ce4e963004563af56101304a9ab74bdcc2bd07079a81dfccd55488ff1351785ce5276c6dca2a0a49d4f5ec6866b11708b3585cffe2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
762c9ce7099ada87d5c7848106e5bc6d

SHA1
9c8c0ca77e703eab6b9b070a6a2956bb5090a3c2

SHA256
e22c73d33f729285f73d2b3c71a8a4b8c0d1108b0051a344a95bb343bd855096

SHA512
1f3ea7b3307729cfdeff452c06808857dfcaa6bb002389b564c6ae83e6c09c9b9942ade28d8099e07c6bce28b9a8ecf691c3f0f075bead52529b9f61ba26f57a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
59dc7d02c55942a8874979e3bf45d99c

SHA1
66b8574b9f95f255efb50a6c0126ac0cfed46dce

SHA256
24f4c44d48237d4c5b54a6fe35b3e79a63456d156464fd517056b2df935082ca

SHA512
1ff84c776d521a376bdf82896653f10f2a54b03b92abea9717dd4718e5ce7b8d662b7768f1c1be55e1ad633975d25ca060c1a825d5007cdf6353c0a0a561d703

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
48eff411b1a9b63249ff9b16aed62b46

SHA1
4a21639ea348f50f5b7febe1058e65f96505d544

SHA256
4ba651de1bfb611244e02ac59bc9002f86594db81d591d41ae2f080424b9dd61

SHA512
ac9116fce43ffb970fa61dab372d69b8151c435538f7b4bfa4945d4ffd6c612032a740e23f1bdfc1a7ba7b7fc21613307420716f3154cbdf02fba36d473355c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
832ffac2d5f0e2cdba0a6d41ab92e2f6

SHA1
525ab57c635c850d649372f4295f53dac5e2057e

SHA256
9e9a049639efc0e3db9780652cf2af36aabc7c3df35a3610ecb141c337f97d70

SHA512
c60e5e91e15c4be97080e98acee39747ccabb19862ab6a001246e2bf9ff58ea0dbbaa346cad57c5e7fabdb3cb99d030e0ea11c005b91585c30b9614bee585bad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore.jsonlz4
Filesize
4KB

MD5
71c89980778b813130cacb5bddec5dbf

SHA1
a8ff255eaae98354d859c3a1242aa0ae852c9a0e

SHA256
ad528d762a14f9abc71373b19c0236fc39ff70c32f3d3f26bc2f0e635a23f047

SHA512
1b2c31b3b4530cb2d1a3056690309cf0ef3aa6b21ee64c21037490b891d0f3ee991eb5aaf1e77733b9619f9f6bd598365e7bb804cb8a34d920f1931f602eb009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\storage\default\https+++www.virustotal.com\cache\morgue\125\{09ebbef8-730e-48f4-91b7-c954b0f9c07d}.final
Filesize
45KB

MD5
27caf73437f129cd844683208601a95d

SHA1
b1c051b6b88e8b76303e4eb4f9c10326a9eb1dcc

SHA256
8af87164badd0d049e2175c881e040f9d451875ff47dd6df392b89b2c6be1376

SHA512
5aaa9573c8dffd45f0ea91d81328ea43a27a137ca931825e910235683fe83989d5b3de626a8d9cc6d68479872f3e34d541eb06a98910c3a9d206c69eecd96f8b

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini
Filesize
6KB

MD5
2ec8de0d114fbe99589aa22e656197d4

SHA1
8fb7546b699c8516f78ee88839acb7a5ead466f3

SHA256
49a26393e1ed5839f9d8fd36f6416c7aed13b827373c69572b219f6e34e40b48

SHA512
103298ad272491f7060ef14418989da4be25c0489564c6a847c3cb8bf4490ce18e5f85fe2ea5c66afb8f03ad10655f37b22b5d3e3ee7b300f0f4e648973e6918

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent_new.ini.lock
Filesize
64B

MD5
6ad89829f65d54f9698dd7815520fe30

SHA1
33e78ce13c7f7d4f16d61dd1a83154c3e0be369b

SHA256
9f9ef0df0749040270799854bfb5462b895d6757009f4fa1c1e77ca4dca24501

SHA512
23b6a482ad22fd6cd00ee6c0a8d6af5e88dd2c4024851c4c1eb1edd3c2156ae9fa14eede10ab598782a84ab4b3f34b9943a5b1925467323f54f9b321eff077bc

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json
Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
C:\Users\Admin\Downloads\2B9323F57AB9B7ED4C9FF1E3F6E23B13AA4E71D8.torrent
Filesize
95KB

MD5
4c1b63d80b126816981e8899aa59f6ea

SHA1
fa34aff1c9caffde5556134bd598ace2638b2441

SHA256
774094c22b1f6806ef42360c32cec6f07b5b3ca38dbefb769245fe3a6efbe54a

SHA512
362fef9b66f453001598f1bf52a8b22f5c804e04106fad7a5545fe290d21865712cf9339569532f44295bc44832cdefb7d742faf3889413404ba1796bb5144a5

Download Submit
C:\Users\Admin\Downloads\2B9323F57AB9B7ED4C9FF1E3F6E23B13AA4E71D8.torrent
Filesize
95KB

MD5
4c1b63d80b126816981e8899aa59f6ea

SHA1
fa34aff1c9caffde5556134bd598ace2638b2441

SHA256
774094c22b1f6806ef42360c32cec6f07b5b3ca38dbefb769245fe3a6efbe54a

SHA512
362fef9b66f453001598f1bf52a8b22f5c804e04106fad7a5545fe290d21865712cf9339569532f44295bc44832cdefb7d742faf3889413404ba1796bb5144a5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 898731.crdownload
Filesize
31.3MB

MD5
6e35e4512488a44ebf34bff82dc4724f

SHA1
38903134b1a0a774cdcf728d3484493e7d83592a

SHA256
3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

SHA512
a6faa23d08c34da39111b9da1d9be62eb9486d010b6217b0aaacaa0cc240bca4e305bdbdaf1f4175f4a4ddb12530ddecc3c488d1620e2ead20b9e90f3cbe6a1e

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
Filesize
31.3MB

MD5
6e35e4512488a44ebf34bff82dc4724f

SHA1
38903134b1a0a774cdcf728d3484493e7d83592a

SHA256
3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

SHA512
a6faa23d08c34da39111b9da1d9be62eb9486d010b6217b0aaacaa0cc240bca4e305bdbdaf1f4175f4a4ddb12530ddecc3c488d1620e2ead20b9e90f3cbe6a1e

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
Filesize
31.3MB

MD5
6e35e4512488a44ebf34bff82dc4724f

SHA1
38903134b1a0a774cdcf728d3484493e7d83592a

SHA256
3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

SHA512
a6faa23d08c34da39111b9da1d9be62eb9486d010b6217b0aaacaa0cc240bca4e305bdbdaf1f4175f4a4ddb12530ddecc3c488d1620e2ead20b9e90f3cbe6a1e

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
Filesize
31.3MB

MD5
6e35e4512488a44ebf34bff82dc4724f

SHA1
38903134b1a0a774cdcf728d3484493e7d83592a

SHA256
3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

SHA512
a6faa23d08c34da39111b9da1d9be62eb9486d010b6217b0aaacaa0cc240bca4e305bdbdaf1f4175f4a4ddb12530ddecc3c488d1620e2ead20b9e90f3cbe6a1e

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.5.4_x64_setup.exe
Filesize
31.3MB

MD5
6e35e4512488a44ebf34bff82dc4724f

SHA1
38903134b1a0a774cdcf728d3484493e7d83592a

SHA256
3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

SHA512
a6faa23d08c34da39111b9da1d9be62eb9486d010b6217b0aaacaa0cc240bca4e305bdbdaf1f4175f4a4ddb12530ddecc3c488d1620e2ead20b9e90f3cbe6a1e

Download Submit
\??\pipe\LOCAL\crashpad_4112_MSVWQBPGSTBYDIJI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3992-860-0x0000015E6EAA0000-0x0000015E6EAB0000-memory.dmp

Filesize
64KB

Download
memory/3992-881-0x0000015E6EAA0000-0x0000015E6EAB0000-memory.dmp

Filesize
64KB

Download
memory/5140-3512-0x000001897EFA0000-0x000001897EFB0000-memory.dmp

Filesize
64KB

Download