hxxps://www[.]torrentkitty[.]net/information/5C1409B999F65261A8650E9E57294C0E5AB5A87C

Analysis

max time kernel
1799s
max time network
1752s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.torrentkitty.net/information/5C1409B999F65261A8650E9E57294C0E5AB5A87C

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
984	transmission-qt.exe
2904	transmission-qt.exe
744	qbittorrent_4.6.5_x64_setup.exe

Loads dropped DLL 39 IoCs

pid	Process
3024	MsiExec.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
2904	transmission-qt.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
174	1104	msiexec.exe
176	1104	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Transmission\translations\qtbase_ca.qm	msiexec.exe
File created	C:\Program Files\Transmission\imageformats\qico.dll	msiexec.exe
File created	C:\Program Files\Transmission\Qt6Core.dll	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qt_sv.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_uk.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\transmission_en.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qtbase_ru.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_ja.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_kk.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_gd.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_pl.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_fr.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_he.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_bg.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fr.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qt_hr.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_he.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_lt.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_uk.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\qt.conf	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qtbase_es.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_af.qm	msiexec.exe
File created	C:\Program Files\Transmission\qt.conf	msiexec.exe
File created	C:\Program Files\Transmission\imageformats\qgif.dll	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_it.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\transmission_de.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_fi.qm	msiexec.exe
File created	C:\Program Files\Transmission\Qt6Gui.dll	msiexec.exe
File created	C:\Program Files\Transmission\Qt6Widgets.dll	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_de.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_nl.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qtbase_hu.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_it.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\qbittorrent.pdb	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pt_BR.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qtbase_ko.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ko.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_sk.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_hu.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qtbase_ja.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qtbase_tr.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_nl.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_fa.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qt_es.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_sv.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qtbase_bg.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_sv.qm	msiexec.exe
File created	C:\Program Files\Transmission\imageformats\qsvg.dll	msiexec.exe
File created	C:\Program Files\Transmission\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_pl.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\transmission_da.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qtbase_ar.qm	msiexec.exe
File created	C:\Program Files\qBittorrent\translations\qt_pt_PT.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\qBittorrent\translations\qtbase_ca.qm	qbittorrent_4.6.5_x64_setup.exe
File created	C:\Program Files\Transmission\translations\qtbase_lv.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qtbase_cs.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\qt_fa.qm	msiexec.exe
File created	C:\Program Files\Transmission\translations\transmission_sl.qm	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI94F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E83AF186-257D-4869-8EA4-431F924FE24C}\Tr.ico	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E83AF186-257D-4869-8EA4-431F924FE24C}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9547.tmp	msiexec.exe
File created	C:\Windows\Installer\{E83AF186-257D-4869-8EA4-431F924FE24C}\Tr.ico	msiexec.exe
File created	C:\Windows\Installer\e587f4f.msi	msiexec.exe
File created	C:\Windows\Installer\e587f4d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e587f4d.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004dd597242da055490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004dd597240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004dd59724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4dd59724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004dd5972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637108189447083"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	transmission-qt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	transmission-qt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E405FC2-1A3A-468B-8BD6-BFBB58770390}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\magnet\URL Protocol	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E405FC2-1A3A-468B-8BD6-BFBB58770390}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\transmission-qt.exe\shell\open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	transmission-qt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	transmission-qt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\qBittorrent\\qbittorrent.exe\",1"	qbittorrent_4.6.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\magnet\shell\ = "open"	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet\shell\open\command	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Transmission.QtClient.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{792D1AAC-53CC-4DC9-BC29-E5295FDB93A9}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1E405FC2-1A3A-468B-8BD6-BFBB58770390}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\Language = "1033"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	transmission-qt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "qBittorrent"	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Transmission.QtClient\CurVer\ = "Transmission.QtClient.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Transmission.QtClient.1\ = "Transmission Qt Client Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Transmission.TorrentFile.1\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\681FA38ED7529684E84A34F129F42EC4\CompleteInstall	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\681FA38ED7529684E84A34F129F42EC4\WebUi = "\x06CompleteInstall"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Transmission.QtClient\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\transmission-qt.exe\AppID = "{792D1AAC-53CC-4DC9-BC29-E5295FDB93A9}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\SourceList\Media\1 = ";CD-ROM #1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	transmission-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	transmission-qt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qBittorrent	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0E2C952C-0597-491F-BA26-249D7E6FAB49}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\transmission-qt.exe\SupportedTypes	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000ece7597f2ebcda01f9b2f82d39bcda0177989b243ec6da0114000000	transmission-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	transmission-qt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	transmission-qt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	transmission-qt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Transmission.TorrentFile.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Transmission.MagnetUri.1\ = "Magnet URI"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	transmission-qt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	transmission-qt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Transmission.MagnetUri.1\FriendlyTypeName = "@\"C:\\Program Files\\Transmission\\transmission-qt.exe\",-101"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\ProductName = "Transmission 4.0.6 (38c164933e) (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000604a5c7f2ebcda016f7db7812ebcda019c5918832ebcda0114000000	transmission-qt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	transmission-qt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\magnet	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1E405FC2-1A3A-468B-8BD6-BFBB58770390}\1.0\0\win64	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	transmission-qt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	transmission-qt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	qbittorrent_4.6.5_x64_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\magnet\Content Type = "application/x-magnet"	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9402F54F-4906-4F20-AD73-AFCFEB5B228D}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\592C3BF14DB98424C8B88BC51DF17E4C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	transmission-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	transmission-qt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	transmission-qt.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	transmission-qt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\transmission-qt.exe\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\681FA38ED7529684E84A34F129F42EC4\PackageCode = "FEFCD7EDE885A9C4981FB1C5F6FF8BCD"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\qBittorrent	qbittorrent_4.6.5_x64_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\.torrent	qbittorrent_4.6.5_x64_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E405FC2-1A3A-468B-8BD6-BFBB58770390}\1.0\HELPDIR\ = "C:\\Program Files\\Transmission\\"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
984	transmission-qt.exe
2904	transmission-qt.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
5108	msiexec.exe
5108	msiexec.exe
5928	chrome.exe
5928	chrome.exe
5508	msedge.exe
5508	msedge.exe
5364	msedge.exe
5364	msedge.exe
744	qbittorrent_4.6.5_x64_setup.exe
744	qbittorrent_4.6.5_x64_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
984	transmission-qt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe
Token: SeShutdownPrivilege	624	chrome.exe
Token: SeCreatePagefilePrivilege	624	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
1104	msiexec.exe
1104	msiexec.exe
1104	msiexec.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
984	transmission-qt.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
624	chrome.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe
5364	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
984	transmission-qt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4744	624	chrome.exe	85
PID 624 wrote to memory of 4744	624	chrome.exe	85
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 428	624	chrome.exe	86
PID 624 wrote to memory of 948	624	chrome.exe	87
PID 624 wrote to memory of 948	624	chrome.exe	87
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88
PID 624 wrote to memory of 3300	624	chrome.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.torrentkitty.net/information/5C1409B999F65261A8650E9E57294C0E5AB5A87C
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff8554aab58,0x7ff8554aab68,0x7ff8554aab78
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:2
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3036 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4148 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5336 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5512 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5732 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5836 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5016 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5276 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2652 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6112 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5884 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2348 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5748 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3468 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5356 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\transmission-4.0.6-x64.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2932 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=1628 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Transmission\transmission-qt.exe
  "C:\Program Files\Transmission\transmission-qt.exe" "magnet:?xt=urn:btih:5C1409B999F65261A8650E9E57294C0E5AB5A87C&dn=The+Boy+and+the+Heron+2023.%5B1080p%5D+%5BBluRay%5D&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.publicbt.com%3A80&tr=udp%3A%2F%2Ftracker.ccc.de%3A80&tr="
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=2576 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6172 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5396 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=1072 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6404 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6620 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6680 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6516 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=1548 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6768 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6648 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=6984 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7180 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7276 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7568 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:5340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7608 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7432 --field-trial-handle=1868,i,3782442374998790642,10324936802047490414,131072 /prefetch:8
  2⤵
  PID:2292
- C:\Users\Admin\Downloads\qbittorrent_4.6.5_x64_setup.exe
  "C:\Users\Admin\Downloads\qbittorrent_4.6.5_x64_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5108
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1518F967193EDB2E0F1B376ED8105145
  2⤵
  - Loads dropped DLL
  PID:3024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4968

C:\Program Files\Transmission\transmission-qt.exe
"C:\Program Files\Transmission\transmission-qt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff841b646f8,0x7ff841b64708,0x7ff841b64718
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14872898057397398691,1558154563411998467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:6032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e587f4e.rbs

Filesize
34KB

MD5
50bc5a19f13579615f4fde9b604175b3

SHA1
6be762551df12f383f06187ef288d9b1b9a834fa

SHA256
7a70587016a594190a9ecc275170ac3955057a812496f2c453b2ea48e66c8433

SHA512
afa1203c4bdc96121a5cf9f9398eed28cc6c786cb8276c975a96e2b4ba4579876457bb0dbd72c78d74459dbb7f18e59624823a1f774d6a8e2468958d1a7736b2

Download Submit
C:\Program Files\Transmission\Qt6Core.dll

Filesize
5.3MB

MD5
38e8b3d2475729399832a5436a313d33

SHA1
8c42710793cedbb93fcb67168920fd0797345659

SHA256
850ec082e20d3fda7db48c2795f2fdd701fae7264ce8b8926eeedadf5e233f9a

SHA512
5d8d86f67b890082cbd87a873bfea36a17ae067c03139a0ca5e073ce5a4cbb3d96e5d471b79be01ce018bf66c87bf7d131dbd5d52a78c607cf39bd761afbe7f4

Download Submit
C:\Program Files\Transmission\Qt6DBus.dll

Filesize
606KB

MD5
c685c486c7a49e3322bcbd1be2ff6cbf

SHA1
f8a722ce52b2123333eeb8628ecd02541f684394

SHA256
9a7e1c0effedded7b083efefb34ed10020b3fba1b6214aabcdf1d362702aa243

SHA512
7ac09a6c54c627888061c0be3fa89301f17d461595a87b7284808f2ab9d819fcce079f9f5b58f1018eb69c50b54b9c6f526eaef235b3ec8fc3ed18e24989e814

Download Submit
C:\Program Files\Transmission\Qt6Gui.dll

Filesize
5.5MB

MD5
f3495b976a1745534f157edb86dbec1a

SHA1
67825069b085907ba062fe42adf304c6a977a194

SHA256
b50b74eb9177eea50f3387c28fba50e597dbe02d263c0a10b7fef01f65c9812d

SHA512
84fcce60cddd1280d84a7229d796e7199b66ab504c0729d63e69daf1f8d9323a6af819414244150beab7db43f4cc9df6fef1b8cd1cc5c9ad9886c65d92d603ad

Download Submit
C:\Program Files\Transmission\Qt6Network.dll

Filesize
1.3MB

MD5
5efc61a034b6fb404a979034b175cac6

SHA1
f15e2c856e1d3427541070f0aab991e4f0af77df

SHA256
a6376d440aada2acc463a97e9542bd5d243dadf7ee6ab2e23c8850789b0257cc

SHA512
87e1a17d2827a2a71f32cbfa4e21a41a823802b9e8e471eebd7fe22bb3be3b9b7c665552320e4fc668e37efa8aab113100289a3395c5fd9e714c76a396939bbb

Download Submit
C:\Program Files\Transmission\Qt6Widgets.dll

Filesize
5.7MB

MD5
859c8b699568c0760824518a3b749b9a

SHA1
51c877c9729979b3cd9e7303ef602c383bd9bafd

SHA256
6a5269898161c55dde80dc2f72ff094ecb70be16c94041d0052be3cc97c02e7a

SHA512
74ab57f90ec435b7929f2d71f1936bcced45b51872fabc310cb59b7e819c4778bdb78352cc4e840933990de05d8630623dcb2cf23ef9bde2e0cd1e3b5ab072ac

Download Submit
C:\Program Files\Transmission\dbus-1.dll

Filesize
413KB

MD5
481b69f6ec5087b4a356548aab4616a1

SHA1
30c28a27c41d3e7239c03d35b1ed3a622204bf54

SHA256
99c9d3d72130e121bd5e042943ce18a66837d6d17192e113eef72cd885e3096e

SHA512
bf7c58c1613338bd89eba67a4178c92e35e215812d77638fdc1bf3870ddf70fa47631575d37be5ce9486ce42c657f3d7b3de97d64044397e4a6972c1a1945df1

Download Submit
C:\Program Files\Transmission\imageformats\qgif.dll

Filesize
35KB

MD5
6b689d78467eaa33ce2687935de44f0c

SHA1
605115b86502ff8f4b8dfd890e29ea73e30a78f3

SHA256
a0329604f36883a18d42cfe1f9cf207982699b8923d8621ba6de17de6d5bc99d

SHA512
d244e447490497ae08272dc456b46ad78ad317ab8fd86dada43aac8f812c96e35943cb84bff8b5d00ddf113b531c8b1da53b10c3868af5e71c4102758a4eda82

Download Submit
C:\Program Files\Transmission\imageformats\qico.dll

Filesize
33KB

MD5
fcfda5353f5318956b5eb9d7eca5bab7

SHA1
9d5ad27f8d2888ba52c0c47edbf81cec782236ef

SHA256
0dc405d87e23802947e7e82d163e98bb6625b2c5d7cce084c11f239a66affd06

SHA512
7e0a00ec4adec68edf7bce7a6ac2699e241ee89e35a8c8a195984737f4442514efce19b5a9e51ed1f421de28e3dbfaa11f7bfcc6c672cac4ddbe0bcc444c8f36

Download Submit
C:\Program Files\Transmission\libcrypto-3-x64.dll

Filesize
4.2MB

MD5
73945c54a95c54a8131ac518e6b814f6

SHA1
726bc27225e276ccd94ebb941a17508a5b2f8c34

SHA256
4983d27c0f93a9f03776e8ef0336512c62dcc602dacdbb68b24f2481f041b2c9

SHA512
96f350ff2a998db61c6fba2a3a65df9617d1a4d946e1253a060b3d4e7cd54434c9ea0226a8b43a85bc7730e23b974a957b7d50628b91c91b06f59eeef7fc2d00

Download Submit
C:\Program Files\Transmission\libcurl.dll

Filesize
340KB

MD5
51576f8e2ae7e80a55b0f067e9c9e0fb

SHA1
5755fbee0ec2169fde54122cc052e2f00f87ff7a

SHA256
057af6d28155993fe7d7bb99b6b2501b36dfde7f460d3e27f922e3b4b8f7c2bc

SHA512
f5c64abb26ed8c0a21bcf92b6ff94ce966bd9e3041eb8e817c7e551afc53925441e06cc885e220540aaabbd4c7a29b1292232ca3459219fae38d7889246419a4

Download Submit
C:\Program Files\Transmission\libssl-3-x64.dll

Filesize
669KB

MD5
4865cebb01fbdcaa36c2e2f9243fadd5

SHA1
81ca2bbb419d7ba52c02c4d7fcfae98187a9fd89

SHA256
9bddd5a16e4cf5d38cd02080afc507aaae06692a680e9a3018b6e29fed24b331

SHA512
4d471a656ef440b868ade0c4fd253bfb6632030bd97cfc1dcab6ae3cc5360d92d9ecd7c6f8d955c79cd016846af8d78043a3db4f0f4b05650cd4a154e0c4df49

Download Submit
C:\Program Files\Transmission\platforms\qwindows.dll

Filesize
741KB

MD5
d55e1977e06e9abed9a6aa25f705cc2a

SHA1
e203214325f23369281d3fdcab6a64cb5b7460da

SHA256
3832fc4df957b2d9cc51c98f99f409626f1b3fc80320ce56576c1fca18cbfcc3

SHA512
c3cb1598a2d177b7687b2e8f012b147f88bcbed3845efd853514879fa73d3cc01d6150a627ffc0038307d243a17c61dd436311ae7a194ce3d1a9a666e0936aca

Download Submit
C:\Program Files\Transmission\styles\qwindowsvistastyle.dll

Filesize
141KB

MD5
ef431874e122872acf75af401386bbcb

SHA1
4197d67e769690f4f31b87b4066648343f44aaeb

SHA256
6b38a91df12aed18e0c2792df39aeba31e96714c0394599620ce098a44054c38

SHA512
b581ced24254764db8810e6722babdc90d2d11ab21032c82f3dbadefb5d56a88d568b4f4f3b95639f567f2e1d20b27b2c014d008aa86b7c2e23b95a7ccc526c1

Download Submit
C:\Program Files\Transmission\translations\qtbase_en.qm

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Program Files\Transmission\translations\transmission_en.qm

Filesize
4KB

MD5
8cbd00ac05c0ae8612b760162b930af1

SHA1
27a40d34b25e14043abae8e9c4c644766fbad1f6

SHA256
4863c4979696c127c58ff38d45db93643ebd6ef83194185db2adf03cf60ca7ad

SHA512
f11234cd007c08ad71c604d15ed5a91b24a3c0b848cba4dc4d9ad11e2f01100baa63009f339dc4c6b980e23cd2777e4f40bb64cda0c8cb351c57b4fee8a28dab

Download Submit
C:\Program Files\Transmission\transmission-qt.exe

Filesize
3.1MB

MD5
a680bb3d234442fecfb1825e1ece8505

SHA1
1a6ed7dfae64b70a1529558883e2a9042b6085fa

SHA256
4033d3d4f99ee4598ddce0720cb13d6ffb03a2a173a7df4f4244e0c4e2b06562

SHA512
ac49e13e97471e8dd1c5f32521e38f3659512d3a43728a14cb86122a38b28337816646b9b6cef2bb638e1b22b583166530a125732c82cb7a403aa84b0663f311

Download Submit
C:\Program Files\Transmission\zlib.dll

Filesize
83KB

MD5
5c947d5d23ef7e7a98fc54a25dfde44a

SHA1
b6cd7faec1105968354c82f5d6186fd6944370f1

SHA256
c2d9e28fb4b36a0e60a2d3527b3c40d6df7f93768817b77b00bcf1fa8b60eb01

SHA512
0f84a448a84d79fed1d13146032d90008349b91b0aa88720fc778b531adef8a95770edec2a134b8d14abdddd9b64e9d6f07780bb10ed00c54ff9d03083bf83d7

Download Submit
C:\Program Files\qBittorrent\qbittorrent.exe

Filesize
30.8MB

MD5
795d49674a190b3fbcf476b248df0f44

SHA1
31348013260d62498a0e30ef56f9e5633ee1411d

SHA256
4960d43a2931d09e560ed18427a2c70f3eb99cca910e5cc0330135bbe061cb39

SHA512
f411077fe19338db447dadd71c8123af8d8ce66684e180f7e8d6b44194fb7161953decddb07dc7b3395120eba31d060b59342ab9f3e8b9c05c8d6e1d428520a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
719B

MD5
28bc19a7cc607d718102b84fc9f09871

SHA1
39d1445b8267f6c64398dbdc3b36cb8bf61779ee

SHA256
2182af4e3be8732f98cb14244373d1eb042f40b516f2a4fae039b0c4f536159d

SHA512
dcc21b668fdb55133ca0fe88530be15a312f59b968842a2f9ab1a5530cdf0a74e5c01efdd5ba5832452a4b0e24a0b4088521b2bf8ccd33efdfbeec60c9eede50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D682FDDA10064185EC8111DC39DBA8EC

Filesize
68KB

MD5
a6b072aa4e9d728fc3b8b2811e7679fe

SHA1
d1058a62c76290d96a4fb0493df072a9ddf1a117

SHA256
010cb323f51b4a0a90beb4efd683a3e430bd24882fbefefcdb456df16c8d59c7

SHA512
f130a2f95ab9f8eea3b704d70e9b126d2ffaaea439c26edf9dd31cea1d1a3e098ef4e11d4199da222394296e69afd449ea279c858549f4e267d40221b620207c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
446B

MD5
e4f8f7d6542c2c8be1d2190ed6877a5b

SHA1
7acf1f511b92e8e5b05f18a93d7a68a294b5c140

SHA256
8f4ab6ab9bf347a46c98ca3dab3b04ffe447e64ee2fd739f213683fa6df2b3cb

SHA512
14b974f99883c23ceeae3a9de28d3e8ab8ea51b9fae9192d2ead75eeb0dd06897da1296f21702633b2cae7ebbf06a5b508e65d4393a65ed5492530ff0de70216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D682FDDA10064185EC8111DC39DBA8EC

Filesize
308B

MD5
634e2b17f634c81ea4976285f2354f20

SHA1
1a0d035e524c849c942ea71a41af7226729cf137

SHA256
f2dc0bf9db4442dcdb816bd84ccf6c11ffa76b0ae891a80035bb0c3540cda262

SHA512
9ce7afd8ae8c906387e9f1a8df79b8f4c649fa16cd32edfaa319d02a0d5c211d9c94b327c37b29c7e65a0060f79592a8b49d04cdb03fb0cafef1e301a36b0dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
59KB

MD5
caaa5222d179a24ca5540080c7018b99

SHA1
1f415a7a73a12a4c16f25709504f4e4e4beae9dd

SHA256
b729255f2e984a20fa0f0eb07e08368cf468fd17ff27a7d1dbb4042ec261d8cf

SHA512
71b4f878aa154ba4a8523c2e36faa8dbe3cfafa082b18796d8b69539dee9506253b9e55fc9b71cc2c9027d22ae08587b0e2ddadbc8d3395dbb73584d1ca1ebcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
328KB

MD5
5d4114cb033dd9abefa79daa8bb1fce3

SHA1
403170941671bb5c568c2a535cfc5d3e0c6798f2

SHA256
6d6e9e73e627d6becbe74b55cd632ced17a11df4e70a99ea305e76184e13dc2e

SHA512
8df0ac9df4d07c8d5572e5cfbd94f1d30fff4a8346bc6807f864550c78fa3293595eabdada7e669192d6b0fac47c06032bc94120ee9a3d4445791e865b54bd28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
105KB

MD5
989f75e894f728b36d6b1608a96fb908

SHA1
c5c82edad1b5668b151799a74e017a16732072ee

SHA256
32a2da14d39f556bcd2747be3b2599227b6feb35c4e06d5ea5402c03562b4d1b

SHA512
8f1aac4b0841caa18302b2313629ce7002d251a4e4e2f2839a987667501a43f2785863c647dd87139a3bb866a103aae2fb423425e258bb9ddfd912f499b7b97a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
73KB

MD5
bdaa1e84052d9aa4cd3fab7df47065b2

SHA1
5fe26535b18377eee3d6e3b7070458596ccd3155

SHA256
4d67bc9f812696d537d3c3e2ba2d2f27aac47442a73462b57e99de715cfd24fc

SHA512
a2230dd74842306c88f7205931bae69a2d074c0b240972265276b58ef35fd328d8700a1a6ef3a650007ae63e8efad6590c218e4c002a01f11801aa43c737ca1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
40KB

MD5
aa12ea792026e66caab5841d4d0b9bab

SHA1
47beeba1239050999e8c98ded40f02ce82a78d3f

SHA256
65fe153a832452e97f5d484440a7047e314d3a83cb61ad2508fed48a820e1de1

SHA512
0b2b1bb8851c60c9d4ab1d039b990a4de5799c97c50b45f64e36a21849c14e785f69196f674ac225b1419d7f501338054074cab6203d041361a4fa1ed8802b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
936B

MD5
a272f147d18a03a667d842858ac9aa2c

SHA1
0462344c685c313f662e9b7329fc15a910bc9c05

SHA256
da56003fafeb7381fc6750bd508585eaddf1051d776c3b22ffe01fcd59ba4bd7

SHA512
f35a7a893e486c9938bedda6789429fa3204bb010a09f5815d606c85f45873f79f818db5fd78f728d7fe5b614c6d0457b3fa03dd3c9d6ae47845d48f12a9c148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b96cc6c47ea5a174c3914fd9832d20d9

SHA1
f7642910d7c3ee6a95cf889bc853550d3b37725b

SHA256
8c33ee1ce8aa4a34b179c52662ab2b396733c0f6a1ec0956036481d0e8515f48

SHA512
2670e524547d2ab0c4dd86de6bf2e7f8ed6972b9b5c2e6ac83e6b0bc250911b647437750dffbaf6a968bc523f28277fcf4d9fa5d2e38df47e05ee212b3b4d777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
964dcebaaa500d7823a924786b6bd491

SHA1
d68cb74285e4710ec8ec0f14475b443aa9d3315a

SHA256
751d50c7e50a7dfdb19bebb9fdf52ffbb1efc48d7d75e650cf26de7c89267cda

SHA512
90ac32859a943beaf6c548da1981bc12351d712838457bbd1b5cf8354aaa0f7cb2803bbdd7131f4875ca6a2a847d6622768ced763029ed5528b887e8af38b5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
6a91cb6e73e648aa6eef5e16d0e51d3d

SHA1
89e685c64893aaf32a01ec69cbd0f5c1f6ff7061

SHA256
029828e85b2865e4495607f1bef4daa1a317fb18b13fa5418e3be14a524cb9fb

SHA512
68b4b8635b4991a3d6fedae196ddf15bb496c6244160750a00528684a02adb62a9ed74e74e5273b2e38ea495f8db369012808dbf8d2d1a2942d0d08d72e788de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
63a8f6c26e7a79c967d962e4447649a7

SHA1
204f1dc28aa56dd6e4bf163cda1687e4fcf548a2

SHA256
7ecfbc71200c03f348da0ec1bba563aa7bd23337f9b7227a1d84db930f4ff14e

SHA512
2a710f672e4d3a648f31d1e8d42edd303ff5717bbef4db2c0c7f1828eedfa7dba7818c8e2c9b1f9089320d095ccd67853e9beb3ff6c7aeae0928f38b1ac2b4ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f332b439a68c94b3a94797645802871e

SHA1
7d669454ef138e38eec6cec0ae3244fdfcbbfe53

SHA256
bb50992436950b3cba2562f0640b643df65e18ef5f5af395d27c9c3a1fd43d9a

SHA512
38a47f10655c5fcd2beaf1f26e5231549255ae81feea313afb42535d862cb2634119cdcf795fffdd7dc8c796ed25229cb06a6cdfe65e0ceb75d1a550fdf5feb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
6c8eb4b32fd7a554c48e0c506d0730b0

SHA1
56450ec3503257ef83f4a6fd314c1d5f93d0dfc5

SHA256
25c7f122dd702fb3174b28ab73bb01c360109d6a6955b3a45135ef9048ef2c28

SHA512
4d8d7d6ebcefdf57abea4140384e2ee380b85a38745582ccba240066d6ddfc841628fcd572d561989113424b53d93c8ff4cbc727fd6a07df254c2516ed443e57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
16KB

MD5
70c61c31d5311db0c148ec11dea35934

SHA1
e5b98b958cfccd795d0d51f44b9d85c8e15ec013

SHA256
5985ac2a6124083b801684c03dc794177c95ca9e8103fe3f05291208d7e9a389

SHA512
05df48926393992ffeb95b759d22620f8eb786826cd0fe7ebdfa95a660dd9889196d3ea0a1a50b37b27490e4ee98d211016d85a54a26894e35d9acf63a4cb3dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a9b16060f253e3b42bd68413fec53897

SHA1
0c2c0352db1ca360062a0aae1e3f1f520e635381

SHA256
0a45382fddde24257f0c5b76b02ffe5db0019dad83c8d935d925b9478cbe71e8

SHA512
669657053b0fb9e905b4354fb665d08c9fca837808c488cc36ebd424c612fd2b569f2af016672bee7e5616a0801c2a14e2912ba6773d5ed2718d564cd89cbd5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bb85afd6beac544644f26ec75d5f67c3

SHA1
49b02168ae37e792a7a88670189c814fd4b2cce5

SHA256
1374c49967eb486b7d8eb03d81d050016b55e89a970aaee8ee8f03998f1b236a

SHA512
e502922060665b1cf3c349bc3246aa15d7f268690abf3c3951ac8c1550101156d40ab8193d17ec5f8515c3b897f4f233cb251354ed32eb4758cea71f066a03d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
a189bf18e797b5d8a45631dffcd22a6f

SHA1
5c08c4750ee5b8eb663bca6ee3bb774e6f123a58

SHA256
6b496da2af878b78c981e0c72c19579bd994a7f5039885fe84cbb00e1b988f33

SHA512
b0efabfc385cea2bcf704a26c53dad1d214671b3a436bd0ae2a37ff668b8837c6fb0701bca5c2008af1903449a4def96dc99685544d23690b91b4ff5f1e8deb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
300b0aa214b1db0ae31b98da771e4ff0

SHA1
5db7aa9519c3021217805f9c6138b18024a2624e

SHA256
9badc08a0f8a2b14f152ad963bf6e178726dac5f25a0745e421bddb8af95a8bb

SHA512
56cdc41a330eb2aa5893e1fb9297042408ef093802cdfd588410e94e66d562c236b15eef2ad71c3925bdc96b277de3c4bfdb45b82ed23dd9c44c35f4bd392b2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9c38cfcbd400ab196ea5c4de2190bf4b

SHA1
3b697b206e14476d7313573782a1a66c2f1954e6

SHA256
d0ab4e16628be30fe242f658ce67745e13095563142148e794f0c968a5716ab3

SHA512
ea3a35d3fdb8262f6f2ec44f6e88a4f866e099385cf28408939341caa739ff716e4afbaadceade06976d2aef520b94278d0311bda5e694e1845b14a320486324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
93419c78a62cbfab0f426ef96796bb79

SHA1
60234d30db3ea6fb39fafd1af6f9b3c522cdbd33

SHA256
37371c05a1aa7e9ae358513ad9d926a26dbd0df0c4d9dbf87fb0b30fc3d3e617

SHA512
3ec86c10e4c6804fa26c0379c930cad1d6726af87542fca941323bb472d63f3016f36f281b8d60521f2e57e777b7f637de613a43cfa43cca7b193b40f1da7999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c0efda5e90ae26dba27d7d54d9337de6

SHA1
4bab2128146e552df02432a35fd6e60e07461597

SHA256
f4ad50e0d3081770a4002f8c94dcf54a2bcab66c1ee83a929293cb3fd18f8206

SHA512
78645fdac0078c83e285f053594a255ba16f8bf77f1d8065a9231779e62828e2c4d48a98f62727c0ed241e83bd0e4e5368de94513cabe86d702ee137ba754660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9136364854614f8b36d867669d6fa09a

SHA1
7c7dc9f79d45e844f050693ee3d254bb3598f2ca

SHA256
f28cba0fea4d45dca52b4c484dabe1fd7a894ba9a535d4783a40e053faeb8cbe

SHA512
78d09bd02cda7e4652af3f4fb38e8b1e8023af9d7639579ac4a1964767ef39b035270ff03d5a7f271e77cbf0bd13ce624f169d94b244a033f135ce2dfb46ccee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
687B

MD5
5ed647b9deca6c9545f7a289a1f55374

SHA1
85836ad651fb2e7ffc1212b09595aec67e47c58f

SHA256
23523c5fc0df8e5dfb2242f666cd17676dda48426bf9e1a0a6e559a6b03d7dfa

SHA512
37f71def6e324bb09e7b89b8208b55e20017b0cd2ccd047558e881cb1970095213de5141a5918e6382db5689666fe549033a3c697a2d1229abc865916bd7beb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
685B

MD5
8ffb9381c09ed64c9ae55376a9b617b2

SHA1
0662ff521db24385fe187e8c5a7be26d25f175a4

SHA256
5e8b4227a9267fdcd3ccd33fe4147732b9417901cb1e9f4d8124de391530c29a

SHA512
7d94f0b53f6c20e0ae7dd69bca6baa2a83a941d5948cac4ff01af49e86bb0e6a21eca376e447a4f49f5b761d58455dce9404d9ea6ee9b813d5ce73d67c9e3e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5af8ecdd3606222ba40f680aa8f20a05

SHA1
9bd75b335b025b7d6c838b3d8d0d23eb783a1f7f

SHA256
0caa0c5f7f6f5b93671b77ace8bece72737dcd172dd7ae02bf723cf6a6c7bf7b

SHA512
c5f0e49571716fe1ad572e084d0c21e397578134293c4f0659d911c69cc29d4ba6ef54e2402bf0f8bebd1dddb92db4235e45511402a4bcfaa8104aab1ac9a495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2e35f8480d61839ec4ca910fce856166

SHA1
5942f17cc8f790eb00e3d3915379673d1b897da5

SHA256
29839c037310bb04c657afc82bdfa4edf73ad314718d36122e5ebf146b3c8c00

SHA512
f5f378474701dfe7f227e409d6379b8cf4eca6df65978c88adaeb09d872b139f5e9e14a7d52379c53782625c298ba0e22a87de6a843cb057a4fc24cd70d24d1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3ba6ef2298ed927c2bcb953f6accb6db

SHA1
2efe5024c52827d8a24bd9d504468967770c4a8a

SHA256
622c21801fb89865aef17485cefab7e9b4755862d3a1f3331f3526f0a721ed7a

SHA512
07e63ea1d68837fc1982d59f28d8f80bc8d8988987546ef0190e0f155f13f2de715e909f6e0cae866b6a6355191cce3c5aba48d017c493228472350fca858e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
32143d9a2b7e80f3779a364603406653

SHA1
1507a85aa2e394ce98947d3fc97b04be73cc2a20

SHA256
e30ee4660014485546e6fed39fbe0287c6dc75ce7bd13b331e1a6a6123395e0d

SHA512
e9c9174ab017433b9b463651c624f7819ff587e7cf260c13048dd9f1343496922bd7d1601c2e53e2d65a219d445e3fbde50f2b3d5eb996c7386a337fc9b5128e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3aa50fa940a963ade8c03bf97817a362

SHA1
f2b438b925f62351e9d53d3a9454fc5ca8837544

SHA256
2d10af3235c3c62a8236bf3442205f02671adc2c6bfcf92c224a4cce3b33a625

SHA512
d93b2fbbabc2b6f366db7216720fa1a30b5784057e4c32b3bd14f642aa189276c863b93567f002a7c72613575f88fd41d6a9e2e4f5b02f0963d0986c45721936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
352c6bc4dc5277b4412a38eb4ba4a471

SHA1
9497ae3f9dee5aa8e5cbf437b07e0d80a1faf291

SHA256
d01ae68b7758efbb8280da3cd0b60a919d7bdf85eb717b739745fd5174e4a189

SHA512
b752862c81aa59362d77b8e241043ce285cd6328f997b0c332623fcc8e1a8b74135ac98a36a38fbc2ced95b35a9aec8b57c95cdacdc8d0685d707e763b7424d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1c22a119783ad27c27e32669ba57307a

SHA1
da7c518a9cc5b30cea2ed1c544ff63446dd5f7eb

SHA256
84a4c06696ca8d5fc5d6f42c15566ec1a48f452a06037fbec80003e869ccd2a3

SHA512
fc7e4b1d40f1db9927299ef04ad787ce5f043584babde94d0388aa93c0c76e9131294478bda65e6aa46886c3cdaf930c7ee17b0d1f1a69e3b0c2f3b5b507d74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3177daf9abb227cad2ec0915b758772b

SHA1
3a34492ad2eef4244d3481b177e538f75eb94a5b

SHA256
b0d2f2d1ac8b28ffeea9691a00f8004122fb30550c16859dd3d5e21ba1202d35

SHA512
99decf3d5995dd23599c60c6e11dbc5a3b31c0500f350401a8c8c556b3404d0de8b886a6965e3c6fb12a1c5d664785b7ef81fae25130adce7d5166d0fb19c308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d51b10017a8a6b37658f4dfd66175944

SHA1
4e65e8d2e857f11632bc73ee09b58d182b16b181

SHA256
4e18520e7ed9fab90591157df304be778705c204adba39cfd673e4d456090944

SHA512
f7ed56e3f5dd9e2bbdc98a9d86aa187f97ea8c204ae04c66c1e6e5076089cbf3947a2be55af5b0a47452a1cda1b23b93e2d698031a83d9a3f86565d9241277d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
182f503a1ae338a9520ca365e6c2cb72

SHA1
169723c7ed14c31639d5842cac98eab6b64ae05c

SHA256
10c3f8643e17979ea59fe9b752cb3d8bc53352b6975e17995fa07bf4a5392c5f

SHA512
8d5c9e22910cc21591a4e49439f8ef00a364ee630218f66cc5341a5e721ec4ce78cf52b4f0576566c1fa2861415d9792a8809aceb51586dfffb7051c8b0bb90b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
7dac435a12b1b6b701ad28eac89afe57

SHA1
35c949352f8724b3d9381b0086745e09f6579393

SHA256
9b4b86da27002db3503523e7c25281659a0175fa1866e6b6793ad42830bf64f2

SHA512
edf38d83b787c544a8a06105feac2398f5151b1f372b8c94bcacc9e64aece2ee9feb3556dec148e220331162705704694ae70c7b7347f6344e4cffc30f470579

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
ffeabb4411ed8875ec7981a371136eac

SHA1
73b0478649a534d60a957c1937357f52d95c513b

SHA256
a91b19475dada86484d89e2233e5ac0ee7d9f29661e933778205c4ccb1066e63

SHA512
4ecfe9d0cc8f0d904635c22bf818662d573d7afffd57902c499133962d5406cb18190390cef393438b5e5998043317faf5893420a94fdd64faa01f272d689a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
c330ef5a93e38e1c96ccc9805af3e9fa

SHA1
70fc6721e40d13a4d460b87cc4bb394574d70c1f

SHA256
7a4ab2f9c5614652140a8d8dd3e2cfa04223b30156a11c6c9a3c2894f5ea57a2

SHA512
da3a10bca1a56aadd296a7c8bbd055a68f28965ac872d08b3d983da9e4e39f1ae45cae5aa1e7c619a887550e6172328feb8d6358bfd934f3ba8beb0a97271660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
dd5554a86e2ed8c5d42b3c5834656f23

SHA1
fa31f99916af4664f19134d25dd2ae3f9068f13d

SHA256
ecaee932766bc85ccb92609563eae7d0afa3051d158dbe9de9b6f5fb2cb88875

SHA512
44960feb49a605be6e0501f9bd392afa13165b28d04c7b076cec109d266294aa6ff3cc622f1d93381d4701be82eebc4da9801444bb6ec7ce729e3d61a5d0ae82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
19c122c48b9532105ca409707b394571

SHA1
2d8394aa7003a7a20af7c1fd98156e73f6f86e54

SHA256
b2330798e1594877ea598b4e701f3b2356ccbeb7b5d025421a96249c2d102929

SHA512
5836a499275c6f0e5b4a79a0ac933a11545046a99634bebfa893a1336d55e564f6865351397aa10ab9dc65af2afd641f9262448d8b669433624dce90136279cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
37b4a184e613a7ee7aaaf125b2de320d

SHA1
885289f670cfcf6af52d60db62227c60a513c226

SHA256
d89bbc064f4975c3d87d2d9c3d4f1669329c81b47f51fc324ed671d3a05c523d

SHA512
de9dd6b50ec9e6b38a6e1e63d7484a855f686a4cf91786e185d08797d386e8d70159c2604344076a453a6eee3c4ea6c123734c8274fd7c81f69cf6fb8cf0f9a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585ef4.TMP

Filesize
92KB

MD5
c41705c43be89690929063eb50a4fe52

SHA1
0f58d218344740f13587d2b2ae67865752944abb

SHA256
4c90193c6249a0d516e3aec234f04a6d634130d743ab7f4627696101246f4176

SHA512
2909db62e9a73c554539ee8aa2d60213a5ada0994ffb9509225a8dc4edf383a5c4ab97a592489bbd1161c6c42d1aec725cbbf6a329922a30f500877bd5689f7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb41638a22bfe78f6ac01e7b6c41e483

SHA1
ea5efca276bd5d0e72b864d332e284b836ce457e

SHA256
c38cd26e6e1027501cb0f97598867430f40619f7b95d8c9a4be91713bb388c52

SHA512
2e8cbbbba52b26cd69a5d67d2350fd4eaba8f455f2817d5c4dd33fb15fda567d2403901d753d6597687073ab599551f29e83796111d86ed611059842c831f8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcf7d4508bc1ae2aaaf536189898c939

SHA1
3ca877b50a08a507a281bddbb1fc7414c59132aa

SHA256
01fc68539a5b3ea5418fe9d7ddcdce5e5ddc3f124dd112f37b60564a9815768d

SHA512
67a4cb73306e57ab3abc6c119f961a4beb8cfa98aa5f19148e959b7783a2d7187566d55c6bd3d530e383ba7e7b5bb07bfefc7bebd73abaee932f02551a89e66e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c8c9397c496a4cdaa3c166d0efd0e66

SHA1
63b89a316c5bd390fc6877a78d1e2298b1b952c9

SHA256
b48097802aa83dba4c1c9f4db451b823c8aa4d109a9f4879f6853fdbdc356ebb

SHA512
3611a359eda2675a24bda33dd289445553b1e6095aef0648a07c5a04c15c90efabe23684eec2d1cd458f638d91eb4dc60cc75c0372a7b3e49daaf31118cd0003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx51F.tmp\nsisFirewallW.dll

Filesize
8KB

MD5
f5bf81a102de52a4add21b8a367e54e0

SHA1
cf1e76ffe4a3ecd4dad453112afd33624f16751c

SHA256
53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

SHA512
6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 833197.crdownload

Filesize
18.0MB

MD5
fa656a2edce7829c521b9aba436f7d98

SHA1
95ec5a13fd5dea4ec013dafe21e1110e0bc70775

SHA256
29417282f2a5405018a211aa94e60d324657cf347e7a496ca7a51798ede0f6c1

SHA512
ad115874772dcb8fe04b478ff37cef1196a4ad694c4d9e26b8e8e89f509ffa5ce8a6fa5e5f8db4d561b095a71f4d4f1629040030964213c8f4c4e9bac7c210ad

Download Submit
C:\Users\Admin\Downloads\qbittorrent_4.6.5_x64_setup.exe

Filesize
34.0MB

MD5
72be095f73d046fc7194774ca6478dbb

SHA1
d927eb023c68e2ac47f578a83e477e5a81c352bd

SHA256
50de6e913a6f0a2a5c8356e56e9cc23b1921f067b55e2a97c75bbffe345682fd

SHA512
c4d0a54519e75faed93f06a3c7ec889d557f209141887af9e9e1180c6eaa80c2aa58c4cff678291e848dd7b5bbd8e896d7d91d1e35b78fb4663bee16592422fd

Download Submit
C:\Windows\Installer\MSI9547.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
63dfb8275cca62a081f8bd69efabd9d0

SHA1
5a3b8685c186ba0a4855cb32b88880eb7e5e79f1

SHA256
6325badde212eaad01523fdb5a459ea0b367841ff82f209377d80b2c75633753

SHA512
0f71249367bdf780e377ece98ea41e5ca1301e303b796b63a75c323c568a6ee08a2b212d55a0b15321efcebf83fc4212c273e1f461b73602ae2b00d8d9673fc9

Download Submit
\??\Volume{2497d54d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{12628e24-604b-40fe-bebe-5e2cc4da30ff}_OnDiskSnapshotProp

Filesize
6KB

MD5
b560cc5efdfa6049b7379f237cb47809

SHA1
79567c3c90cb2a62e1a1ce836edcdf17761dda21

SHA256
9fdd5736c98cbcb4838088b3d4ca647c5fc127e229a9223fa5be36d60277f466

SHA512
3d1a66608d5169b5d62b1c1cabea06b98cf8103b60f4ae277d10eac45e34a6310070ebf018306f84e43a94f3dd98ed2b10277a05de04f5971c678dceb88ae29c

Download Submit
memory/984-568-0x00007FF840C20000-0x00007FF8411D3000-memory.dmp

Filesize
5.7MB

Download
memory/984-570-0x00007FF7A07B0000-0x00007FF7A0AD0000-memory.dmp

Filesize
3.1MB

Download
memory/984-569-0x00007FF7A07B0000-0x00007FF7A0AD0000-memory.dmp

Filesize
3.1MB

Download
memory/2904-616-0x00007FF7A07B0000-0x00007FF7A0AD0000-memory.dmp

Filesize
3.1MB

Download
memory/2904-617-0x00007FF840C20000-0x00007FF8411D3000-memory.dmp

Filesize
5.7MB

Download