File name: 2021-09-20-Qakbot-DLL-example-01.bin

Full analysis: https://app.any.run/tasks/aa8aea77-34ac-40fc-9952-6e5a7fd53301
Verdict: Malicious activity
Threats: Qbot

Qbot is a banking Trojan, malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions, worm-like functionality, and a strong persistence mechanism.

Analysis date: March 31, 2025, 08:43:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: qbot
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 944DB2EE2B1958A2740D0B5C0057C46F
SHA1: B0804ED04064AED6C9B283629B3416B5AEAC84FB
SHA256: 095C41270AE3A26AE9EFB626BE12ED920C44432F3C8CC8ED8EE67D67425C1251
SSDEEP: 24576:ANow25dB3YK5Uv6S1Pr9mQ+udoAs/DYQKUi3oM+d33HuF:4owmdB3YK5Uv6S1Pr9mQ+uiAs/DYQKl7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • QBOT has been detected (YARA)

      • explorer.exe (PID: 7900)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 7900)
  • INFO

    • Create files in a temporary directory

      • explorer.exe (PID: 7900)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 7900)
    • Reads the software policy settings

      • slui.exe (PID: 7512)
      • slui.exe (PID: 8060)
    • Checks proxy server information

      • slui.exe (PID: 8060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Qbot

(PID) Process: (7900) explorer.exe
Botnet: obama100
Campaign: 1632151873
Version: 402.318
C2 (150):
Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (176):
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
from
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "%s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%S.%06d
%SystemRoot%\SysWOW64\OneDriveSetup.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\msra.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\OneDriveSetup.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\msra.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$%s = \"%s\"; & $%s"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$%s = \\\"%s\\\\; & $%s\"
%s\system32\
*/*
.cfg
.dat
.dll
.exe
.lnk
/t4
1234567890
3719
5812
A3E64E55_pr;VBoxVideo
ALLUSERSPROFILE
AvastSvc.exe
ByteFence.exe
C:\INTERNAL\__empty
Caption
Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
CommandLine
Content-Type: application/x-www-form-urlencoded
Create
FALSE
Initializing database...
LastBootUpTime
LocalLow
MBAMService.exe;mbamgui.exe
Microsoft
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
MsMpEng.exe
NTUSER.DAT
Name
Packages
ProfileImagePath
ProgramData
ROOT\CIMV2
Red Hat VirtIO;QEMU
S:(ML;;NW;;;LW)
SAVAdminService.exe;SavService.exe
SELECT * FROM AntiVirusProduct
SELECT * FROM Win32_OperatingSystem
SELECT * FROM Win32_Processor
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Self test FAILED!!!
Self test OK.
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
Software\Microsoft
SpyNetReporting
SubmitSamplesConsent
SysWOW64
System32
SystemRoot
TRUE
VIRTUAL-PC
Virtual
WBJ_IGNORE
WQL
WRSA.exe
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
Win32_Bios
Win32_ComputerSystem
Win32_DiskDrive
Win32_PhysicalMemory
Win32_PnPEntity
Win32_Process
Win32_Product
Winsta0
\System32\WindowsPowerShell\v1.0\powershell.exe
\\.\pipe\
\sf2.dll
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abcdefghijklmnopqrstuvwxyz
advapi32.dll
amstream.dll
application/x-shockwave-flash
arp -a
artifact.exe;mlwr_smpl;sample;sandbox;cuckoo-;virus
aswhooka.dll
aswhookx.dll
at.exe %u:%u "%s" /I
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c:\ProgramData
c:\\
c:\hiberfil.sysss
ccSvcHst.exe
cmd /c set
cmd.exe
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cscript.exe
displayName
dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
fmon.exe
fshoster32.exe
https
image/gif
image/jpeg
image/pjpeg
ipconfig /all
iphlpapi.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
kernel32.dll
mcshield.exe
mpr.dll
net localgroup
net share
net view /all
netapi32.dll
netstat -nao
nltest /domain_trusts /all_trusts
nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.%s
ntdll.dll
open
powershell.exe
qwinsta
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
regsvr32.exe -s
root\SecurityCenter2
route print
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
schtasks.exe /Delete /F /TN %u
select
setupapi.dll
shell32.dll
shlwapi.dll
snxhk_border_mywnd
srvpost.exe;frida-winjector-helper-32.exe;frida-winjector-helper-64.exe
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
type=0x%04X
urlmon.dll
user32.dll
userenv.dll
vbs
vkise.exe;isesrv.exe;cmdagent.exe
wbj.go
whoami /all
wininet.dll
winsta0\default
wmic process call create 'expand "%S" "%S"'
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:09 02:28:19+00:00
ImageFileCharacteristics: Executable, 32-bit, DLL
PEType: PE32
LinkerVersion: 14
CodeSize: 428032
InitializedDataSize: 519680
UninitializedDataSize: -
EntryPoint: 0x1a0e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in graph: rundll32.exe (no specs), sppextcomobj.exe (no specs), slui.exe, explorer.exe (#QBOT), slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 7412
CMD: "C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\AppData\Local\Temp\2021-09-20-Qakbot-DLL-example-01.bin.dll, #1
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7480
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7512
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7900
CMD: C:\WINDOWS\SysWOW64\explorer.exe
Path: C:\Windows\SysWOW64\explorer.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.19041.3758 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
PID: 8060
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 6 902
Read events: 6 892
Write events: 10
Delete events: 0

Modification events

(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 5abfd512
Value:
D9F3910A8FF44EB3F41A1C3354DBA3CA4C3E480ED8CA466ECC324D4F38EAA49B30EF4CEE3EB6D6F380F4A94A4DDB4C1BE2BF90BE363C7E6D5CEF8AE2D839A1AFE7C5FB5D7B212D3F7EA6560561
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 6f20055c
Value:
0EACADBB802B84C6BACE15DA5102C8485A8D3BDD3EB8D990BF4A24BE47966DBF54B8DCC4C1719910F850B330427F74310EE7E7671A7394AC15D7780AB468EB12970DAD7AECD0CEDB9DECE2155861F8F94A670AEBF83915F052E812567A08095B9BBC155A5392111BAE253928607D46852B114FDCB27A1416C5DEAF60A1E630FF7F016CE4DBB3FEFC5C1E9EA958C88A9A7573CBD98A628F999DEA79C812652BFE081705BD911622795758FF073578D104037AF504C1CF8217FD75A855FE3D1F567436B86017B34F4CE733F64366F16130889AD9AF52
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 6d612520
Value:
B4A2A51F60278E8D4D29E48A8578932181F51B6AA0212E5A3889BE54D8B557FE770A4BEE4E241CFA3BA5C8871F488C9AC2266FDF25713E79D8E3C5382163
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: d5dd4245
Value:
EB76631285F65E2DE31A9915C7E47853CD3B
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: a8d50dcf
Value:
FA5C58B2E12CE10BE8FE6324E7B9A4FFA5AA26BE8FC6875393700A686C344CF25790
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 10696aaa
Value:
CCCE4864190610F59F3EDE71ACDACAAC3ACF106482754BCD3222AD479149059BEA66A1152E1991D9726A8AEC97575C0DAF152A679368AAF74C53761A79FC2E752CF3D2BB29E2F0CC8DFE694832A986919E0514C30A
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: d79c6239
Value:
B89873245DA9E93BCBEFFF2E84851649C2162A00DB7A25601BF3CAC04771A64C14AAD56E1FB48F46135646FAE3B55CE0F70CAC88BE529C03200E66B3D65DF81521
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 25f6bae4
Value:
D78B187B3ED429837F3A888AC30CBBAE9FE1F3F555E4C7F1668EDD1E6D88C40DC8AD02C39437410E125CE12D6053042F0A3C544EB4C44720B74C8F561B774517521D8C88E72CC0F6053A0F7D8FA5DC9BC0BF3448D5ABC98C885B69A7D2
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 5abfd512
Value:
D9F3860A8FF47B474086A841DA45321E2F1DD887C5AB33443A5D1AA846FF3AE8A694707498F2545CB2F68F0DB99709917C04321DA03AE1D21B4F7783968B55532E939035A029112E3255DD10DBD677635E8AA7F69DE9C588EF4038B6A61CDEED0D79
(PID) Process: (7900) explorer.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fsoevvgju
Operation: write | Name: 5abfd512
Value:
D9F3860A8FF47B474086A841DA45321E2F1DD887C5AB3344345C19A846FF3AE8A694707498F2545CB2F68F0DB99709917C04321DA03AE1D21B4F7783968B55532E939035A029112E3255DD10DBD677635E8AA7F69DE9C588EF4038B6A61CDEED0D79
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7900 | explorer.exe | C:\Users\admin\AppData\Local\Temp\2021-09-20-Qakbot-DLL-example-01.bin.dll | executable
MD5: FEE8CFB28E89A53AB40107604318CB4A
SHA256: 9562EB40F68A25ED8B4F2CB43ACB63164BB57EE943E87877A17BED211922793D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 30
DNS requests: 11
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7512 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8060 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7152 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7152 | SIHClient.exe | 13.95.31.18:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 20.189.173.15 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18, 2603:1030:800:5::bfee:a08d | whitelisted
18.31.95.13.in-addr.arpa | | unknown
d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | | unknown

Threats

No threats detected
No debug info