File name: Iq3x8aDXWF.dat

Full analysis: https://app.any.run/tasks/ec0521aa-6582-45ba-8b40-dcadee42a129
Verdict: Malicious activity
Threats: Qbot

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: April 01, 2023, 07:55:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 20C4C67957308B8AB745C1DFCE6F5A74
SHA1: A1FC22BF580AAAB91C75473BCFE1F023C21E3587
SHA256: 2DABADFBF69F447B4AA55EE9ED435BFE999EC47FA25140EA3AC7E0E4F9D7013E
SSDEEP: 6144:tIp4Y1c1tGUGHGJksYOFGwTwRqWzUTMfVHqpdtIY:tIp4Y1vHGJNtF5TwRqWzU9d7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • QBOT detected by memory dumps
      • wermgr.exe (PID: 3604)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • cmd.exe (PID: 1048)
  • INFO
    • Manual execution by a user
      • cmd.exe (PID: 1048)
      • explorer.exe (PID: 3616)
      • wmpnscfg.exe (PID: 3884)
    • The process checks LSA protection
      • wermgr.exe (PID: 3604)
      • explorer.exe (PID: 3616)
      • wmpnscfg.exe (PID: 3884)
    • Reads the computer name
      • wmpnscfg.exe (PID: 3884)
    • Reads the machine GUID from the registry
      • wmpnscfg.exe (PID: 3884)
    • Checks supported languages
      • wmpnscfg.exe (PID: 3884)

Qbot configuration

(PID) Process: (3604) wermgr.exe
Botnet: obama247
Campaign: 1680268923
Version: 404.909
C2: 120 addresses
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, No line numbers, 32-bit, No debug, DLL
PEType: PE32
LinkerVersion: 2.35
CodeSize: 108032
InitializedDataSize: 170496
UninitializedDataSize: 512
EntryPoint: 0x13b0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 5.2.5.0
ProductVersionNumber: 5.2.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: The Tukaani Project <https://tukaani.org/>
FileDescription: liblzma data compression library
FileVersion: 5.2.5
InternalName: liblzma
OriginalFileName: liblzma.dll
ProductName: XZ Utils <https://tukaani.org/xz/>
ProductVersion: 5.2.5

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 01-Jan-1970 00:00:00
Detected languages:
  • English - United States
Debug artifacts:
  • Embedded COFF debugging symbols
CompanyName: The Tukaani Project <https://tukaani.org/>
FileDescription: liblzma data compression library
FileVersion: 5.2.5
InternalName: liblzma
OriginalFilename: liblzma.dll
ProductName: XZ Utils <https://tukaani.org/xz/>
ProductVersion: 5.2.5

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 11
Time date stamp: 01-Jan-1970 00:00:00
Pointer to Symbol Table: 0x00029E00
Number of symbols: 46
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED

Sections

.text
  Virtual Address: 0x00001000
  Virtual Size: 0x0001A444
  Raw Size: 0x0001A600
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  Entropy: 6.19564

.data
  Virtual Address: 0x0001C000
  Virtual Size: 0x00000028
  Raw Size: 0x00000200
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Entropy: 0.485178

.rdata
  Virtual Address: 0x0001D000
  Virtual Size: 0x000079EC
  Raw Size: 0x00007A00
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  Entropy: 7.17144

/4
  Virtual Address: 0x00025000
  Virtual Size: 0x000052E4
  Raw Size: 0x00005400
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  Entropy: 4.88237

.bss
  Virtual Address: 0x0002B000
  Virtual Size: 0x0000008C
  Raw Size: 0x00000000
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Entropy: 0

.edata
  Virtual Address: 0x0002C000
  Virtual Size: 0x00000C2C
  Raw Size: 0x00000E00
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  Entropy: 4.78958

.idata
  Virtual Address: 0x0002D000
  Virtual Size: 0x00000484
  Raw Size: 0x00000600
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Entropy: 4.10864

.CRT
  Virtual Address: 0x0002E000
  Virtual Size: 0x0000002C
  Raw Size: 0x00000200
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Entropy: 0.190489

.tls
  Virtual Address: 0x0002F000
  Virtual Size: 0x00000008
  Raw Size: 0x00000200
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Entropy: 0

.rsrc
  Virtual Address: 0x00030000
  Virtual Size: 0x0001A756
  Raw Size: 0x0001B000
  Characteristics: IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  Entropy: 7.91669

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.44387 | 756 | UNKNOWN | English - United States | RT_VERSION

Imports

KERNEL32.dll
msvcrt.dll

Exports

Title | Ordinal | Address
Uzma_alone_decoder | 1 | 0x00009670
Uzma_alone_encoder | 2 | 0x00004B60
Uzma_auto_decoder | 3 | 0x00009A10
Uzma_block_buffer_bound | 4 | 0x00005220
Uzma_block_buffer_decode | 5 | 0x00009A90
Uzma_block_buffer_encode | 6 | 0x00005270
Uzma_block_compressed_size | 7 | 0x00001E50
Uzma_block_decoder | 8 | 0x0000A1C0
Uzma_block_encoder | 9 | 0x00005750
Uzma_block_header_decode | 10 | 0x0000A230
No data.
Total processes: 46
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph:
  • rundll32.exe
  • explorer.exe (no specs)
  • cmd.exe (no specs)
  • rundll32.exe (no specs)
  • wermgr.exe (#QBOT, no specs)
  • ping.exe (no specs)
  • wmpnscfg.exe (no specs)

Process information

PID: 2688
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\Iq3x8aDXWF.dat.exe", Uzma_alone_decoder
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 3221225477
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imagehlp.dll
PID: 3616
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1048
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3488
CMD: rundll32 Iq3x8aDXWF.dat.exe,X555
Path: C:\Windows\System32\rundll32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 3604
CMD: C:\Windows\System32\wermgr.exe
Path: C:\Windows\System32\wermgr.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Version: 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704)
Modules
Images
c:\windows\system32\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 3892
CMD: ping -n 3 yahoo.com
Path: C:\Windows\System32\PING.EXE
Parent process: wermgr.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 3884
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 630
Read events: 622
Write events: 2
Delete events: 6

Modification events

(PID) Process: (3604) wermgr.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value: 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686

(PID) Process: (3884) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{B21E441B-43BF-4047-8ED5-55A41F39C578}\{2AFAFD8E-8154-4106-9133-D0D1DEF16A3F}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3884) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{B21E441B-43BF-4047-8ED5-55A41F39C578}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3884) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{FF8103AF-F056-4683-9140-A80EF8023750}
Operation: delete key
Name: (default)
Value:
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
yahoo.com | 74.6.231.20, 74.6.231.21, 98.137.11.163, 98.137.11.164, 74.6.143.25, 74.6.143.26 | whitelisted

Threats

No threats detected
No debug info