File name:

qbittorrent_5.1.2_x64_setup1.exe

Full analysis: https://app.any.run/tasks/0c7fe885-846b-469e-bb20-f7c86d0ef80f
Verdict: Malicious activity
Analysis date: July 18, 2025, 10:02:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

FAD8B641B13837C591DCF83857573C67

SHA1:

448AFBEFB2462167AFCBE80A07FEA1D644706A71

SHA256:

4731B850CF028C54F7254E1466D3CE281D0FA43EB0A7F1D3E371ABA94E0D62AE

SSDEEP:

393216:tgcqCMEF6elReXkhig2rAmImmutB4lnys9y0+52Ee:tNMEF6EhiHGmmiB4Isg0+85

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
    • Executable content was dropped or overwritten

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Application launched itself

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
    • The process creates files with name similar to system file names

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • There is functionality for taking screenshot (YARA)

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Creates a software uninstall entry

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Checks for external IP

      • qbittorrent.exe (PID: 3840)
  • INFO

    • Checks supported languages

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
      • qbittorrent.exe (PID: 3840)
    • The sample compiled with english language support

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Create files in a temporary directory

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Reads the computer name

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
      • qbittorrent.exe (PID: 3840)
    • Process checks computer location settings

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 3288)
    • Creates files in the program directory

      • qbittorrent_5.1.2_x64_setup1.exe (PID: 4724)
    • Reads the machine GUID from the registry

      • qbittorrent.exe (PID: 3840)
    • Creates files or folders in the user directory

      • qbittorrent.exe (PID: 3840)
    • Checks proxy server information

      • slui.exe (PID: 5468)
    • Reads the software policy settings

      • slui.exe (PID: 5468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:08 23:05:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x369f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2.0
ProductVersionNumber: 5.1.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: The qBittorrent project
FileDescription: qBittorrent - A Bittorrent Client
FileVersion: 5.1.2
LegalCopyright: Copyright ©2006-2025 The qBittorrent project
ProductName: qBittorrent
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start qbittorrent_5.1.2_x64_setup1.exe qbittorrent_5.1.2_x64_setup1.exe qbittorrent.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3288
CMD: "C:\Users\admin\Desktop\qbittorrent_5.1.2_x64_setup1.exe"
Path: C:\Users\admin\Desktop\qbittorrent_5.1.2_x64_setup1.exe
Parent process: explorer.exe
User:
admin
Company:
The qBittorrent project
Integrity Level:
MEDIUM
Description:
qBittorrent - A Bittorrent Client
Exit code:
0
Version:
5.1.2
Modules
Images
c:\users\admin\desktop\qbittorrent_5.1.2_x64_setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3840
CMD: "C:\Program Files\qBittorrent\qbittorrent.exe"
Path: C:\Program Files\qBittorrent\qbittorrent.exe
Parent process: qbittorrent_5.1.2_x64_setup1.exe
User:
admin
Company:
The qBittorrent Project
Integrity Level:
MEDIUM
Description:
qBittorrent - A Bittorrent Client
Version:
v5.1.2
Modules
Images
c:\program files\qbittorrent\qbittorrent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\msvcrt.dll
PID: 4724
CMD: "C:\Users\admin\Desktop\qbittorrent_5.1.2_x64_setup1.exe" /UAC:80300 /NCRC
Path: C:\Users\admin\Desktop\qbittorrent_5.1.2_x64_setup1.exe
Parent process: qbittorrent_5.1.2_x64_setup1.exe
User:
admin
Company:
The qBittorrent project
Integrity Level:
HIGH
Description:
qBittorrent - A Bittorrent Client
Exit code:
0
Version:
5.1.2
Modules
Images
c:\users\admin\desktop\qbittorrent_5.1.2_x64_setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5468
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 339
Read events: 7 320
Write events: 19
Delete events: 0

Modification events

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent
Operation: write
Name: InstallLocation
Value: C:\Program Files\qBittorrent

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities
Operation: write
Name: ApplicationDescription
Value: A BitTorrent client in Qt

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities
Operation: write
Name: ApplicationName
Value: qBittorrent

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities\FileAssociations
Operation: write
Name: .torrent
Value: qBittorrent.File.Torrent

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem
Operation: write
Name: LongPathsEnabled
Value: 1

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent
Operation: write
Name: Installer Language
Value: 1033

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities\UrlAssociations
Operation: write
Name: magnet
Value: qBittorrent.Url.Magnet

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent
Operation: write
Name: Content Type
Value: application/x-bittorrent

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
Operation: write
Name: Content Type
Value: application/x-magnet

(PID) Process: (4724) qbittorrent_5.1.2_x64_setup1.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
Operation: write
Name: URL Protocol
Value:
Executable files: 8
Suspicious files: 43
Text files: 3
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\qbittorrent.exe
MD5:
SHA256:
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\qbittorrent.pdb
MD5:
SHA256:
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Users\admin\AppData\Local\Temp\nstE1E1.tmp\UAC.dll
Type: executable
MD5:ADB29E6B186DAA765DC750128649B63D
SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\translations\qtbase_da.qm
Type: binary
MD5:859CE522A233AF31ED8D32822DA7755B
SHA256:7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\translations\qtbase_ca.qm
Type: binary
MD5:79172E893F4E5F8315542BCC6DC409A5
SHA256:005B0AA0C9A5B930DFDD870661958A8069BBEC862D75F98BCE20BF7401BEA13D
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\translations\qtbase_ar.qm
Type: binary
MD5:A7E4D0BA0FC5DF07F62CC66EC9878979
SHA256:E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\translations\qtbase_bg.qm
Type: binary
MD5:660413AD666A6B31A1ACF8F216781D6E
SHA256:E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\translations\qtbase_de.qm
Type: binary
MD5:9939E0CE10C52C0616AB39962297C3FB
SHA256:580CD7625A62F5ACA4EBDF50830DD9D2B7C3757917EBF05EEA0834A256151A43
PID: 4724
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Program Files\qBittorrent\translations\qtbase_cs.qm
Type: binary
MD5:C57D0DE9D8458A5BEB2114E47B0FDE47
SHA256:03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
PID: 3288
Process: qbittorrent_5.1.2_x64_setup1.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsxDEA5.tmp\UAC.dll
Type: executable
MD5:ADB29E6B186DAA765DC750128649B63D
SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 52
DNS requests: 23
Threats: 2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5468
RUXIMICS.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5468
RUXIMICS.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
172.66.135.186:443
https://www.fosshub.com/feed/5b8793a7f9ee5a5c3e97a3b2.xml
unknown
xml
2.96 Kb
unknown
GET
200
172.67.75.166:443
https://download.db-ip.com/free/dbip-country-lite-2025-07.mmdb.gz
unknown
compressed
3.51 Mb
whitelisted
POST
200
40.126.32.72:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
40.126.32.74:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5468
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5468
RUXIMICS.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
dht.libtorrent.org
  • 185.157.221.247
unknown
dht.transmissionbt.com
  • 87.98.162.88
  • 212.129.33.59
unknown
router.bittorrent.com
  • 67.215.246.10
whitelisted
download.db-ip.com
  • 172.67.75.166
  • 104.26.4.15
  • 104.26.5.15
whitelisted
www.fosshub.com
  • 172.66.136.214
  • 172.66.135.186
unknown
www.qbittorrent.org
  • 104.21.96.1
  • 104.21.16.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.32.1
  • 104.21.112.1
  • 104.21.64.1
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (db-ip .com) in DNS Lookup
3840
qbittorrent.exe
Misc activity
ET INFO Observed External IP Lookup Domain (db-ip .com) in TLS SNI
No debug info