bazarloader | a95a39a8701661fcd9eec6dbf78f8099be1edfa145fb7d43a0105ec82f97df8f

Analysis

max time kernel
1855s
max time network
1864s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qbittorrent_4.5.5_x64_setup.exe
Size

31.5MB
MD5

a1e3d62bb16c2fef5fba7d2899796239
SHA1

841c7c16a30ca3a2ec77148b2fcd250ce9335830
SHA256

a95a39a8701661fcd9eec6dbf78f8099be1edfa145fb7d43a0105ec82f97df8f
SHA512

121401f7df8f4cd01ecc5205510ad4d824ca7208ddb69bb9a5e4678359e82005d76b20467662878975a739f41236edc8581f61279bae278dbb5c7206058def59
SSDEEP

786432:rDRS7fOdUC+EQNLErJ5L8xPEP9vnzfrnfHo9ft03Pvy96VgQCGq7NBwq:rp1+EQNLkJO2pnvnfIfq3P6YCn7H

Score

10^/10

bazarloader discovery dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 8 IoCs

Processes:

resource	yara_rule
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
C:\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5
\Program Files\qBittorrent\qbittorrent.exe	BazarLoaderVar5

Executes dropped EXE 1 IoCs

Processes:

qbittorrent.exe

pid process

312 qbittorrent.exe

pid	process
312	qbittorrent.exe

Loads dropped DLL 12 IoCs

Processes:

qbittorrent_4.5.5_x64_setup.exe

pid	process
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
2132	qbittorrent_4.5.5_x64_setup.exe
1264
1264
1264

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

Processes:

qbittorrent_4.5.5_x64_setup.exe

description	ioc	process
File created	C:\Program Files\qBittorrent\translations\qt_gl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sv.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hr.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nn.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ca.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\uninst.exe	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_pt_PT.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ar.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fa.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pt_BR.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_sk.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_CN.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_bg.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_da.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_es.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_lv.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_zh_TW.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.pdb	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_cs.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fr.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\qbittorrent.exe	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_sl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_gd.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hu.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ja.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qt_lt.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_de.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_he.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nl.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\qt.conf	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fi.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ru.qm	qbittorrent_4.5.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_tr.qm	qbittorrent_4.5.5_x64_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 44 IoCs

Processes:

qbittorrent_4.5.5_x64_setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\.torrent\ = "qBittorrent"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\ = "open"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\shell	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\shell	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\.torrent	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.torrent	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\URL Protocol	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent\DefaultIcon	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\shell\open	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\DefaultIcon	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\shell\ = "open"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\URL Protocol	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\FriendlyTypeName = "qBittorrent Torrent File"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "qBittorrent"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet link"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\DefaultIcon	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\ = "qBittorrent Torrent File"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\ = "open"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent\shell\open\command\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\" \"%1\""	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\ = "URL:Magnet link"	qbittorrent_4.5.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\magnet\Content Type = "application/x-magnet"	qbittorrent_4.5.5_x64_setup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

qbittorrent.exe

pid process

312 qbittorrent.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exeqbittorrent_4.5.5_x64_setup.exe

pid process

3064 chrome.exe
3064 chrome.exe
2132 qbittorrent_4.5.5_x64_setup.exe
2132 qbittorrent_4.5.5_x64_setup.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qbittorrent.exe

pid process

312 qbittorrent.exe

pid	process
312	qbittorrent.exe

pid	process
312	qbittorrent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe
Token: SeShutdownPrivilege	3064	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exeqbittorrent.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

chrome.exeqbittorrent.exe

pid	process
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
3064	chrome.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe
312	qbittorrent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3064 wrote to memory of 1516	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 1516	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 1516	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2924	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2852	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2852	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2852	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe
PID 3064 wrote to memory of 2616	3064	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7049758,0x7fef7049768,0x7fef7049778
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:2
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:2
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1060 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3336 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:1
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2632 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2328 --field-trial-handle=1360,i,9176754449987412687,12403885924019627459,131072 /prefetch:8
  2⤵
  PID:1100

C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.5.5_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\qbittorrent_4.5.5_x64_setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2132
- C:\Program Files\qBittorrent\qbittorrent.exe
  "C:\Program Files\qBittorrent\qbittorrent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2840

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-10-1.bdic

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
C:\Program Files\qBittorrent\qt.conf

Filesize
84B

MD5
af7f56a63958401da8bea1f5e419b2af

SHA1
f66ee8779ca6d570dea22fe34ef8600e5d3c5f38

SHA256
fdb8fa58a6ffc14771ca2b1ef6438061a6cba638594d76d9021b91e755d030d3

SHA512
02f70ca7f1291b25402989be74408eb82343ab500e15e4ac22fbc7162eb9230cd7061eaa7e34acf69962b57ed0827f51ceaf0fa63da3154b53469c7b7511d23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
df1aace18a135d293b9ebb38606cf242

SHA1
3c1bd64f41f582aad4a36ff5fdfb89a7dd9810c0

SHA256
353e31fd138110bcfec2ecae7743bd5fe8262df1ca3315fa5923b5312f9a80c3

SHA512
b7ac49bb5268d46c60a079afbd689da870509524b4e84054e0e9bc8a546e2dfdf537dea64fa155bfdcd87e7e71b0f5c6effe80ce02ba32682ec8de530a514b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
21a143ecf4e36c31c21e760b48140a89

SHA1
e1f622c223031722fd00292ddacd0a06667903e7

SHA256
a5d8021bee377bef2040548f61191efce98fd50c841660e6caf397508c859cdf

SHA512
c34ea952f91edf697b63c17216c01f3d5f10912ce7c80fb9128516bd663b6b7c8e350d4c57dea8a91e0c6f86fcf0560e58fba13a620bd12ad526911da2408a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
90f0aa1dcaedce2feb58c6a7fd0c11c6

SHA1
e73d0855243140513823a009667392891aea94be

SHA256
0ef65c528644e21e43b8395b6c6093893ffd07361ba95279f606a7eb0cfd9d00

SHA512
d696d212c106d22100a834873cf5f18c88b7b71974f43cedf443bd815777b52aff5d064c244c96625c56c35065c2522c0925d8430698da76fb1222c472a0d0fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
39c685e54267eade4aa11cd5a2ff1e00

SHA1
9c3811c57cd799fac48dcb20f9f4a848385a85ae

SHA256
faddbcbdd9fb4bfa6d73bc8631239ce45a56939abaa3800e3c2e85dc5cab3948

SHA512
32d451475aa987edcb13a4f031f7de46eaac1600d2b2c126c7d3b7c97ede418a7af8563c68ae9446c590114b585fd75405be20a879d4d339562183959358d4f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
43c3ffa7b3c5f37d0b5373a1b5ddb000

SHA1
e6eb98708ea5b6fd446fd356112f2025e9cf3416

SHA256
8636fb2836cc9791f4862a94b56bf7d3a2f979c92c2f7bc1fdefdb3e932e70b2

SHA512
4e849225a358df4ca3d44035cef094bdbf32c3f5399b14bbf1f65f02d8b81a858e0fdcc3a716937d974eb484a72b2266aa7d4bd24527028f6729ea8f6360f5fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8a2b5a0b-a184-4f5c-b379-37441fc791eb.tmp

Filesize
214KB

MD5
894cba208ad16a062bb337cdf7332fb3

SHA1
267069420afb92d02125b08d5b9c83547435d1ed

SHA256
aa1c9aaeb740f81003fce0ea3dfcca73d5ff1b0ece164145efd39e922267ad69

SHA512
1e888232c1d1a70cd2dd5f162c7ee949d86b92672cc134a18ab321668a00134749e6917ffbb9d0c5b34f6c25f1d800e308972d10a2268aae6a2e527b4fbfe1c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b00580fd0b0a2608a4f6e292bd2b70b7

SHA1
08d5ba1307c953b604d776df2beefdfae33787f0

SHA256
8e0e911bbb9bd08bbfdd979fdd066211d5a4e24fbd194c1eea1fd4ff8e155804

SHA512
9bca6752e516a5e2e27b8863ba2d9c3b1b806b916c3e6ebc8a29beb68ffcd424b3e3bc316dec431a8ecc30a2d0963d541fd7ddf2298b2566d276cd3f437aff99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
5cb81fcdc62553e0d4406eae3c1065b4

SHA1
44ab9c50f7fdcbb7db8aa6b59593b876282ca894

SHA256
79c63970756c801a2751d805c57fb4749bbc34ceff30b70ea8cf809644b00f25

SHA512
499fa5de5f2e0b38bcb20e1093a677e2e61ed74406218ae37d9d05dab7de0f348f81a1ade80c8ec0020d8c46a17a4e804d9bb97e3a2ddc3587e9f2c3eacd9824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dd1b9337305e73731b8d816872176639

SHA1
e56645a4a7fa96746a956dbe6e88f9607d61b2a6

SHA256
607b6c3f869f504d5a499642fdcd66bf0066754984eecec69876a559d3699f75

SHA512
513bc6a77b26018774bed1d1501c5f17fe52928b280090adc722f911ebce4a2b8209cd6b240aa25922a73a370cf8365287d1a307a27891a07d1260da2903f543

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6e3b3791a4ef564b1d4f7812ba27b29c

SHA1
36abcfb7f023918ed479b4495fcd43349e43a561

SHA256
e5df773adc96b53b4ce4a9ebdb6211da94abbc26f1619a45cb60c7c4976c9936

SHA512
d2171d7aef294c9733be47f65c5113fa78f5df8de285dad2ffe5a8a38796e33dd0eab1d2e7147a8ccff84442eade22dc266f53d1d9429f7dcaa8e911792d81b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
510ff0acd635bc4992dc34c8e6a4f505

SHA1
0e12dd37677850384fab99bb4f00de336119cc91

SHA256
2b6ed2288ee5d6c6c77d5360c507d115d17a4b8bb4c192b10fac01f610f0d38a

SHA512
7acb1de81526a254602dda7e220d3ff666245df03378a29850c4e693ef6c63e87a17f5fb659ca5ec120a730eb901abe47790cbef787e40569106da616d50b997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2fef839833aadde39cc03d1d205f45ca

SHA1
25550dc9dc62681960ae18d97ffd0fda83af1677

SHA256
5fdb8662997f05ec64fafc2fb93a878ac69527db57a3a4f30ec819a0b446e8c0

SHA512
8bf2e52b2176f717b6c36b9f4ff7424aeb1a1cf499d33f5a156d7e4cc65151cf23624cc5f2caa11e64a232a5fd16db22bf69f1d425ede201254025e0e11ceeeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
ba94a03708531cf365fd29ee5e071dd1

SHA1
d045ac0ce3760742e57fd5d60db773efedd93cf8

SHA256
b05d0596930268a7f6793c13f357118a9937f03c0d319b78f6fb60aa976e85f6

SHA512
b5dc249e015a2deca3ca7c9a1d084044a0ead32acc8a46c641f51fecdbcccefc2ec74412addcb7ebf1bd6c80135901a2d68430d47619c3770ad87868f2d7a87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab90FB.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar91E8.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5266.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

Filesize
4B

MD5
5b76b0eef9af8a2300673e0553f609f9

SHA1
0b56d40c0630a74abec5398e01c6cd83263feddc

SHA256
d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817

SHA512
cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

Download Submit
\??\pipe\crashpad_3064_LOKQCXRBRXMNAWLO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
\Program Files\qBittorrent\qbittorrent.exe

Filesize
28.6MB

MD5
eec321e889eadd13f2f398cb42c31e8c

SHA1
43f4a009554c22528ceb14b37cdc1f795a55876a

SHA256
3249a461c69458830faaa3bcbf138e1de9a882f381a8b44067475066f1fa6a77

SHA512
61303b82f9eec4e7fa9020835b4def4c8febe5636323ff89d2a56ca4cee788752cad4e40ba7b00b9547e4aa9e56aed992bf4d4bb3b6b11e0b33590d1b12b0811

Download Submit
\Program Files\qBittorrent\uninst.exe

Filesize
140KB

MD5
b6242ecb9f7c7d737c29d7e4661eebd6

SHA1
9761d2f82f9acaaabc17e4b30afcfb1030b06dde

SHA256
39f2b9371e27cc177ce332a416452c6fa85e777a3bbb51c08d5b22a2f9541900

SHA512
5100d186e6489795c9cb6497fb453d080cada9aa97f6587d21b82383eb8b9407853e9369fb586587962f9e5d1351e00fd1792ee631596de46bd8095148407657

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5266.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5266.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5266.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5266.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5266.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5266.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
memory/312-226-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/312-225-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/312-215-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/312-238-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/312-217-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/312-241-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download