File name: 1b051fe4bc3287f3db89b731ccab8d453608fa91ae9763804440f670ece181c5

Full analysis: https://app.any.run/tasks/b5a722df-47d8-47a6-b4f0-f130a2833306
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: June 14, 2022, 23:22:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 83A25E3583928E2E13683A79B6B10890
SHA1: 252E2BB28031159563919DFEE6CE5972E36EE05A
SHA256: 1B051FE4BC3287F3DB89B731CCAB8D453608FA91AE9763804440F670ECE181C5
SSDEEP: 12288:2helIk3mnXCDHlvxIDmgiSbqtAghJwznk9x5n52oyPzv0PosefMyvgulSMyvgul5:jKkMilvxqm2G2W92/zMPXy5Hy5eg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • explorer.exe (PID: 3612)
    • QBOT detected by memory dumps

      • explorer.exe (PID: 3612)
  • SUSPICIOUS

    • Drops a file with a compile date too recent

      • explorer.exe (PID: 3612)
    • Executable content was dropped or overwritten

      • explorer.exe (PID: 3612)
  • INFO

    • Checks supported languages

      • rundll32.exe (PID: 2220)
      • explorer.exe (PID: 3612)
    • Loads main object executable

      • rundll32.exe (PID: 2220)
    • Reads the computer name

      • rundll32.exe (PID: 2220)
      • explorer.exe (PID: 3612)

Qbot

(PID) Process: (3612) explorer.exe
Botnet: obama189
Campaign: 1655107308
Version: 1027.688
C2 (123):
91.177.173.10:995
117.248.109.38:21
182.191.92.203:995
39.52.38.164:995
217.165.84.253:993
84.241.8.23:32103
82.152.39.39:443
202.134.152.2:2222
122.118.131.132:995
120.150.218.241:995
222.169.71.98:2222
37.34.253.233:443
93.48.80.198:995
148.0.55.173:443
175.145.235.37:443
41.130.140.32:993
120.61.0.71:443
89.101.97.139:443
62.204.41.187:443
62.204.41.187:2222
62.204.41.187:61201
67.209.195.198:443
80.11.74.81:2222
92.132.172.197:2222
41.84.249.88:995
39.41.116.234:995
67.165.206.193:993
173.21.10.71:2222
148.64.96.100:443
172.115.177.204:2222
186.90.153.162:2222
32.221.224.140:995
108.60.213.141:443
63.143.92.99:995
24.43.99.75:443
174.69.215.101:443
85.101.222.204:443
76.25.142.196:443
39.44.146.220:995
5.32.41.45:443
1.161.123.53:995
74.14.5.179:2222
62.204.41.187:995
24.178.196.158:2222
83.110.92.106:443
86.97.9.190:443
62.204.41.187:443
62.204.41.187:2222
41.228.22.180:443
38.70.253.226:2222
47.23.89.60:993
45.46.53.140:2222
82.41.63.217:443
173.174.216.62:443
189.223.102.22:443
69.14.172.24:443
102.182.232.3:995
86.97.247.161:1194
94.36.193.176:2222
200.100.126.210:32101
114.137.226.124:443
104.34.212.7:32103
41.38.167.179:995
62.204.41.187:443
37.210.156.247:2222
86.195.158.178:2222
187.149.236.5:443
201.172.23.68:2222
70.51.135.90:2222
77.200.155.99:443
191.112.21.157:443
179.158.105.44:443
125.24.187.231:443
180.129.108.214:995
39.44.235.10:995
109.228.220.196:443
39.49.82.115:995
58.105.167.36:50000
190.252.242.69:443
197.94.94.206:443
62.204.41.187:990
191.34.120.8:443
62.204.41.187:443
72.252.157.93:993
62.204.41.187:995
201.1.202.82:32101
187.207.131.50:61202
76.70.9.169:2222
62.204.41.187:80
62.204.41.187:2078
189.253.206.105:443
176.67.56.94:443
62.204.41.187:443
103.116.178.85:995
197.87.182.115:443
143.0.219.6:995
109.12.111.14:443
189.146.87.77:443
47.157.227.70:443
24.139.72.117:443
79.80.80.29:2222
187.189.168.121:22
193.136.1.58:443
37.186.54.96:995
40.134.246.185:995
90.120.209.197:2078
96.37.113.36:993
86.97.247.161:2222
37.208.135.172:6883
72.27.33.160:443
208.101.82.0:443
89.86.33.217:443
189.37.80.240:443
86.98.149.168:2222
103.207.85.38:995
71.24.118.253:443
217.165.176.49:2222
109.178.178.110:995
121.7.223.45:2222
47.156.131.10:443
177.209.202.242:2222
41.86.42.158:995
106.51.48.170:50001
Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (179):
ipconfig /all
ProfileImagePath
/t4
ERROR: GetModuleFileNameW() failed with error: %u
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
net share
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nltest /domain_trusts /all_trusts
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
net localgroup
powershell.exe
Self check
Self test OK.
102
qwinsta
%s "$%s = \"%s\"; & $%s"
jHxastDcds)oMc=jvh7wdUhxcsdt2
route print
.lnk
arp -a
error res='%s' err=%d len=%u
amstream.dll
schtasks.exe /Delete /F /TN %u
whoami /all
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
\System32\WindowsPowerShell\v1.0\powershell.exe
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "%s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
103
c:\ProgramData
at.exe %u:%u "%s" /I
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SELF_TEST_1
net view /all
Self check ok!
netstat -nao
ProgramData
\System32\WindowsPowerShel1\v1.0\powershel1.exe
cmd /c set
Self test FAILED!!!
regsvr32.exe -s
Microsoft
%s \"$%s = \\\"%s\\\\; & $%s\"
1234567890
%SystemRoot%\SysWOW64\msra.exe
.dll
abcdefghijklmnopqrstuvwxyz
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
%SystemRoot%\System32\mobsync.exe
advapi32.dll
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Win32_Product
System32
winsta0\default
C:\INTERNAL\__empty
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
urlmon.dll
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
.dat
open
setupapi.dll
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
%SystemRoot%\System32\xwizard.exe
LastBootUpTime
fmon.exe
SELECT * FROM AntiVirusProduct
aabcdeefghiijklmnoopqrstuuvwxyyz
shlwapi.dll
%SystemRoot%\SysWOW64\explorer.exe
.exe
ntdll.dll
user32.dll
select
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Win32_PhysicalMemory
frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;PETools.ex...
vbs
wpcap.dll
Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
%ProgramFiles%\Internet Explorer\iexplore.exe
Win32_PnPEntity
%SystemRoot%\explorer.exe
Win32_DiskDrive
crypt32.dll
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
wbj.go
%SystemRoot%\System32\msra.exe
%SystemRoot%\SysWOW64\xwizard.exe
AvastSvc.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\OneDriveSetup.exe
ALLUSERSPROFILE
FALSE
SAVAdminService.exe;SavService.exe
c:\hiberfil.sysss
wininet.dll
WQL
Win32_Bios
cmd.exe
ccSvcHst.exe
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
iphlpapi.dll
image/gif
Win32_Process
Content-Type: application/x-www-form-urlencoded
fshoster32.exe
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
MBAMService.exe;mbamgui.exe
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
image/pjpeg
\\.\pipe\
.cfg
NTUSER.DAT
SystemRoot
ROOT\CIMV2
Winsta0
shell32.dll
SpyNetReporting
Initializing database...
rundll32.exe
SubmitSamplesConsent
dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
root\SecurityCenter2
ByteFence.exe
image/jpeg
Caption
%SystemRoot%\System32\OneDriveSetup.exe
mpr.dll
c:\\
MsMpEng.exe
from
Win32_ComputerSystem
SysWOW64
\sf2.dll
snxhk_border_mywnd
TRUE
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
*/*
%SystemRoot%\SysWOW64\explorer.exe
wmic process call create 'expand "%S" "%S"'
mcshield.exe
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Create
bdagent.exe;vsserv.exe;vsservppl.exe
avp.exe;kavtray.exe
CommandLine
https
%S.%06d
LocalLow
WRSA.exe
aswhooka.dll
SOFTWARE\Microsoft\Windows Defender\SpyNet
netapi32.dll
application/x-shockwave-flash
%s\system32\
SELECT * FROM Win32_Processor
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
ws2_32.dll
displayName
aswhookx.dll
cscript.exe
type=0x%04X
S:(ML;;NW;;;LW)
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
userenv.dll
SELECT * FROM Win32_OperatingSystem
Packages
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
WBJ_IGNORE
%SystemRoot%\explorer.exe
Software\Microsoft
kernel32.dll
Name
egui.exe;ekrn.exe
vkise.exe;isesrv.exe;cmdagent.exe
wtsapi32.dll
Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x8b66c
UninitializedDataSize: -
InitializedDataSize: 513024
CodeSize: 568320
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 0x00001000 | 0x0008AA74 | 0x0008AC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.56053
DATA | 0x0008C000 | 0x00002D30 | 0x00002E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.00194
BSS | 0x0008F000 | 0x00000F11 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.idata | 0x00090000 | 0x00002366 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.98751
.reloc | 0x00093000 | 0x0000B718 | 0x0000B800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.62416
.rsrc | 0x0009F000 | 0x0006CA00 | 0x0006CA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.81606

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.85232 | 744 | UNKNOWN | English - United States | RT_ICON
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4070 | 2.84564 | 428 | UNKNOWN | UNKNOWN | RT_STRING
4071 | 3.16259 | 840 | UNKNOWN | UNKNOWN | RT_STRING
4072 | 3.14046 | 956 | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
user32.dll
version.dll
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → rundll32.exe (no specs) → explorer.exe (#QBOT)

Process information

PID | CMD | Path | Indicators | Parent process
2220 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\1b051fe4bc3287f3db89b731ccab8d453608fa91ae9763804440f670ece181c5.exe", #1 | C:\Windows\System32\rundll32.exe | | Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
3612 | C:\Windows\explorer.exe | C:\Windows\explorer.exe | | rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 68
Read events: 59
Write events: 9
Delete events: 0

Modification events

(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value:
78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: af2270fb
Value:
1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: ad635087
Value:
3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 15df37e2
Value:
B713EAE0E8A1DA414556759AEE27CDB49337DE281B7CD536F5A49F5F12F547236F38C1FF725361EDEDE0697F35E8F8FC5B
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 68d77868
Value:
FDAA9851894C6483FEE566C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: d06b1f0d
Value:
AD659A1C351590EE35FA6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 179e179e
Value:
18D68B559E5454ADB2821576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: e5f4cf43
Value:
2BF73CCC9ED9C701D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424
(PID) Process: (3612) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value:
78FD56573BD9AF68E2E8B224399AEC08954AA6912D0281D2551EE60CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3612 | explorer.exe | C:\Users\admin\AppData\Local\Temp\1b051fe4bc3287f3db89b731ccab8d453608fa91ae9763804440f670ece181c5.exe | executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info