File name:

qbittorrent_5.0.3_x64_setup.exe

Full analysis: https://app.any.run/tasks/d1dc5900-e015-47fd-9480-1a33ad0aaded
Verdict: Malicious activity
Analysis date: January 21, 2025, 16:00:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

83505C82E83BD2E61BD67DFCF30724CF

SHA1:

5FBDE5F904A7C0E1346B9BCEF4A66A7A7DD7E5B9

SHA256:

878CA7E3FB7A90A937AFDBE080C055877B4C6334A9589D27E092FD6737A0716F

SSDEEP:

393216:f1xBlT914yYKjqv+m6x1IJybK6rvnwzd6AEDehv8A:fDfx1yyqv+m6xqJEK6UOU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Reads security settings of Internet Explorer

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Application launched itself

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • The process creates files with name similar to system file names

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Creates a software uninstall entry

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • There is functionality for taking screenshot (YARA)

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
  • INFO

    • Process checks computer location settings

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Checks supported languages

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent.exe (PID: 6932)
    • Reads the computer name

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent.exe (PID: 6932)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Create files in a temporary directory

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Reads the machine GUID from the registry

      • qbittorrent.exe (PID: 6932)
    • The process uses the downloaded file

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • The sample compiled with english language support

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Creates files in the program directory

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Creates files or folders in the user directory

      • qbittorrent.exe (PID: 6932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.0.3.0
ProductVersionNumber: 5.0.3.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: The qBittorrent project
FileDescription: qBittorrent - A Bittorrent Client
FileVersion: 5.0.3
LegalCopyright: Copyright ©2006-2024 The qBittorrent project
ProductName: qBittorrent
No data.
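Added example, not ANY.RUN or qBittorrent code: it reproduces the EXIF fields above from the raw PE headers and computes the three digests the report lists, so the numbers can be checked against a locally downloaded copy and the SHA-256 the vendor publishes. It runs on a constructed minimal PE32 header filled with the report's values, not on the real installer; `parse_pe_header`, `digests` and `build_sample_header` are this example's own names. Two of the fields deserve a note. The file is PE32 for Intel 386 even though it installs an x64 program because the NSIS installer stub is 32-bit (the two installer PIDs below load the wow64 DLLs while the installed qbittorrent.exe does not), and the TimeStamp of 2023-07-02 is the build time of that stub, shared by every installer produced with the same NSIS release and consistent with the NSIS 3.09 release date, not the build time of qBittorrent 5.0.3.

```python
"""Reproduce the PE metadata and digests a sandbox report prints for a sample.

Added example (not ANY.RUN or qBittorrent code). The header bytes built by
build_sample_header() are constructed for this example and carry the values
from the report; run parse_pe_header(open(path, "rb").read()) on a real file.
"""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, in the order the report prints them.
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0020: "Large address aware",
    0x0100: "32-bit",
    0x2000: "DLL",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
PE_TYPES = {0x10B: "PE32", 0x20B: "PE32+"}


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as upper-case hex, the form the report uses."""
    return {"MD5": hashlib.md5(data).hexdigest().upper(),
            "SHA1": hashlib.sha1(data).hexdigest().upper(),
            "SHA256": hashlib.sha256(data).hexdigest().upper()}


def parse_pe_header(data: bytes) -> dict:
    """Decode the COFF and optional-header fields; ValueError on a non-PE blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    if len(data) < opt + 70:
        raise ValueError("truncated optional header")
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    magic, lnk_major, lnk_minor, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = struct.unpack_from("<HHHHHH", data, opt + 40)
    # Subsystem sits at offset 68 in both PE32 and PE32+ optional headers.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": [name for bit, name in IMAGE_FILE_CHARACTERISTICS.items() if chars & bit],
        "PEType": PE_TYPES.get(magic, hex(magic)),
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code,
        "InitializedDataSize": init,
        "UninitializedDataSize": uninit,
        "EntryPoint": entry,
        "OSVersion": f"{os_major}.{os_minor}",
        "ImageVersion": f"{img_major}.{img_minor}",
        "SubsystemVersion": f"{ss_major}.{ss_minor}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_sample_header() -> bytes:
    """Constructed minimal PE32 header carrying the report's values (not the real file)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    ts = int(datetime(2023, 7, 2, 2, 9, 43, tzinfo=timezone.utc).timestamp())
    # machine=i386, 5 sections, timestamp, no symbols, 224-byte optional header,
    # characteristics 0x010F = no relocs | executable | no lines | no symbols | 32-bit
    coff = struct.pack("<HHIIIHH", 0x014C, 5, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 26624, 139776, 2048, 0x3645)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 6, 0, 4, 0)   # OS 4.0, image 6.0, subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)                        # Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_header()
    for key, value in parse_pe_header(sample).items():
        print(f"{key}: {value}")
    print(digests(sample))
```

Compare the printed SHA256 of a real download with the value at the top of this report and with the vendor's published checksum before trusting either; a hash match with the report only proves you have the same file the sandbox ran, not that the file is the one the vendor ships.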
All screenshots are available in the full report
Total processes
116
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Nodes: start -> qbittorrent_5.0.3_x64_setup.exe (PID 6672), qbittorrent_5.0.3_x64_setup.exe (PID 6812), qbittorrent.exe (PID 6932), svchost.exe (PID 2192)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6672
CMD: "C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe"
Path: C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe
Parent process: explorer.exe
User:
admin
Company:
The qBittorrent project
Integrity Level:
MEDIUM
Description:
qBittorrent - A Bittorrent Client
Exit code:
0
Version:
5.0.3
Modules
Images
c:\users\admin\desktop\qbittorrent_5.0.3_x64_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6812
CMD: "C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe" /UAC:40206 /NCRC
Path: C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe
Parent process: qbittorrent_5.0.3_x64_setup.exe
User:
admin
Company:
The qBittorrent project
Integrity Level:
HIGH
Description:
qBittorrent - A Bittorrent Client
Exit code:
0
Version:
5.0.3
Modules
Images
c:\users\admin\desktop\qbittorrent_5.0.3_x64_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6932
CMD: "C:\Program Files\qBittorrent\qbittorrent.exe"
Path: C:\Program Files\qBittorrent\qbittorrent.exe
Parent process: qbittorrent_5.0.3_x64_setup.exe
User:
admin
Company:
The qBittorrent Project
Integrity Level:
MEDIUM
Description:
qBittorrent - A Bittorrent Client
Version:
v5.0.3
Modules
Images
c:\program files\qbittorrent\qbittorrent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
3 941
Read events
3 922
Write events
19
Delete events
0

Modification events

All entries below are registry writes by PID 6812 (qbittorrent_5.0.3_x64_setup.exe).

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent
    InstallLocation = C:\Program Files\qBittorrent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities
    ApplicationDescription = A BitTorrent client in Qt
    ApplicationName = qBittorrent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities\FileAssociations
    .torrent = qBittorrent.File.Torrent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities\UrlAssociations
    magnet = qBittorrent.Url.Magnet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent
    Content Type = application/x-bittorrent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
    Content Type = application/x-magnet
    URL Protocol = (empty value)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\qBittorrent
    DisplayName = qBittorrent
    UninstallString = "C:\Program Files\qBittorrent\uninst.exe"
Executable files
11
Suspicious files
42
Text files
4
Unknown types
1

Dropped files

PID   Process                          Filename  [type]
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Program Files\qBittorrent\qbittorrent.exe
      MD5:
      SHA256:
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Program Files\qBittorrent\qbittorrent.pdb
      MD5:
      SHA256:
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\UAC.dll  [executable]
      MD5: ADB29E6B186DAA765DC750128649B63D
      SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\System.dll  [executable]
      MD5: 4ADD245D4BA34B04F213409BFE504C07
      SHA256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\nsDialogs.dll  [executable]
      MD5: 1D8F01A83DDD259BC339902C1D33C8F1
      SHA256: 4B7D17DA290F41EBE244827CC295CE7E580DA2F7E9F7CC3EFC1ABC6898E3C9ED
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\FindProcDLL.dll  [executable]
      MD5: B4FAF654DE4284A89EAF7D073E4E1E63
      SHA256: C0948B2EC36A69F82C08935FAC4B212238B6792694F009B93B4BDB478C4F26E3
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Program Files\qBittorrent\translations\qt_lt.qm  [binary]
      MD5: 8992B652D1499F5D2F12674F3F875A35
      SHA256: 47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Program Files\qBittorrent\qt.conf  [text]
      MD5: AF7F56A63958401DA8BEA1F5E419B2AF
      SHA256: FDB8FA58A6FFC14771CA2B1EF6438061A6CBA638594D76D9021B91E755D030D3
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Program Files\qBittorrent\translations\qt_sv.qm  [binary]
      MD5: 70487CB8D7F7C82BEDF886C3ABE44D7F
      SHA256: 0032C8CBAF79E836027F64696D012D3A7B89E5F5B8259E0331B97638ADF38CFF
6812  qbittorrent_5.0.3_x64_setup.exe  C:\Program Files\qBittorrent\translations\qtbase_ca.qm  [binary]
      MD5: 79172E893F4E5F8315542BCC6DC409A5
      SHA256: 005B0AA0C9A5B930DFDD870661958A8069BBEC862D75F98BCE20BF7401BEA13D
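Added triage example, not ANY.RUN or qBittorrent code. It checks whether the SUSPICIOUS signatures earlier in this report ("Application launched itself", "creates files with name similar to system file names", "creating System.dll in Temp") and the /UAC:40206 /NCRC relaunch in the process table are accounted for by the standard NSIS installer pattern: NSIS unpacks its plugin DLLs into %TEMP%\ns<letter><hex>.tmp\ for the installer's lifetime, System.dll and nsDialogs.dll ship with NSIS itself, UAC.dll is the widely used elevation plugin that re-executes the same installer with a /UAC:<hex> argument, and /NCRC is the stock NSIS switch that skips the archive CRC check. The process and dropped-file rows are constructed from this report; `KNOWN_NSIS_PLUGINS`, `classify_dropped` and `triage` are this example's own names, and the plugin set is an assumption to extend for installers that bundle other plugins. Whatever ends up in the `review` list is what the installer pattern does not explain and is what deserves a manual look; the report's MALICIOUS verdict itself rests only on the generic auto tag listed at the top.

```python
"""Separate stock NSIS installer activity from behaviour that needs a manual look.

Added example (not ANY.RUN or qBittorrent code). PROCESSES and DROPPED are
constructed from the report's process table and dropped-file list.
"""
import re

# NSIS unpacks plugin DLLs into %TEMP%\ns<letter><hex>.tmp\ for the installer's lifetime.
NSIS_TEMP_DIR = re.compile(r"\\Temp\\ns[A-Za-z][0-9A-Fa-f]{1,4}\.tmp\\", re.IGNORECASE)
# System.dll, nsDialogs.dll and nsExec.dll ship with NSIS; UAC.dll and
# FindProcDLL.dll are the third-party plugins seen in this report.
# Assumption: extend this set for installers that bundle other plugins.
KNOWN_NSIS_PLUGINS = {"system.dll", "nsdialogs.dll", "nsexec.dll", "uac.dll", "findprocdll.dll"}
# The UAC plugin re-executes the same installer elevated with /UAC:<hex>.
UAC_RELAUNCH = re.compile(r"(?:^|\s)/UAC:[0-9A-Fa-f]+(?=\s|$)")

INSTALL_DIR = r"C:\Program Files\qBittorrent"

PROCESSES = [  # constructed from the report's process table
    {"pid": 6672, "parent_name": "explorer.exe", "integrity": "MEDIUM",
     "image": r"C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe",
     "cmd": r'"C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe"'},
    {"pid": 6812, "parent_name": "qbittorrent_5.0.3_x64_setup.exe", "integrity": "HIGH",
     "image": r"C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe",
     "cmd": r'"C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe" /UAC:40206 /NCRC'},
    {"pid": 6932, "parent_name": "qbittorrent_5.0.3_x64_setup.exe", "integrity": "MEDIUM",
     "image": r"C:\Program Files\qBittorrent\qbittorrent.exe",
     "cmd": r'"C:\Program Files\qBittorrent\qbittorrent.exe"'},
]
DROPPED = [  # constructed from the report's dropped-file list (all written by PID 6812)
    r"C:\Program Files\qBittorrent\qbittorrent.exe",
    r"C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\UAC.dll",
    r"C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\System.dll",
    r"C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\nsDialogs.dll",
    r"C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\FindProcDLL.dll",
    r"C:\Program Files\qBittorrent\qt.conf",
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def classify_dropped(paths, install_dir):
    """Bucket dropped files: known NSIS plugin in the ns*.tmp dir, payload under
    the install dir, or anything else (which needs a look)."""
    plugins, installed, other = [], [], []
    for p in paths:
        if NSIS_TEMP_DIR.search(p) and basename(p).lower() in KNOWN_NSIS_PLUGINS:
            plugins.append(p)
        elif p.lower().startswith(install_dir.lower() + "\\"):
            installed.append(p)
        else:
            other.append(p)
    return plugins, installed, other


def triage(processes, dropped, install_dir):
    """Return {'explained': [...], 'review': [...]}; 'review' holds what the
    NSIS installer pattern does not account for."""
    explained, review = [], []
    plugins, installed, other = classify_dropped(dropped, install_dir)
    explained += [f"NSIS plugin unpacked to temp: {basename(p)}" for p in plugins]
    if installed:
        explained.append(f"{len(installed)} file(s) written under {install_dir}")
    review += [f"dropped file outside plugin/install dirs: {p}" for p in other]

    for proc in processes:
        if UAC_RELAUNCH.search(proc["cmd"]):
            # A legitimate elevated relaunch is the same image, started by the
            # medium-integrity first instance, now running at high integrity.
            parents = [q for q in processes
                       if q["pid"] != proc["pid"]
                       and basename(q["image"]).lower() == proc["parent_name"].lower()
                       and q["image"].lower() == proc["image"].lower()
                       and q["integrity"] == "MEDIUM"]
            if parents and proc["integrity"] == "HIGH":
                explained.append(f"PID {proc['pid']} is the UAC-plugin elevated relaunch of PID {parents[0]['pid']}")
            else:
                review.append(f"PID {proc['pid']} carries /UAC: but has no matching medium-integrity parent instance")
        elif proc["integrity"] == "HIGH":
            review.append(f"PID {proc['pid']} runs at high integrity without the UAC relaunch switch")
        elif proc["image"].lower().startswith(install_dir.lower() + "\\"):
            explained.append(f"PID {proc['pid']} is the installed application started from the installer")
    return {"explained": explained, "review": review}


if __name__ == "__main__":
    for bucket, lines in triage(PROCESSES, DROPPED, INSTALL_DIR).items():
        print(bucket.upper())
        for line in lines:
            print("  " + line)
```

A System.dll that sits in %TEMP%\ns*.tmp\ next to nsDialogs.dll is the NSIS System plugin, not a copy of a Windows file; the same filename dropped anywhere else, or an elevated instance that was not started by the medium-integrity installer, lands in `review`.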
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
26
DNS requests
13
Threats
0

HTTP requests

4712  MoUsoCoreWorker.exe  GET  200  95.101.149.131:80
      http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
      CN: unknown  Reputation: whitelisted
4712  MoUsoCoreWorker.exe  GET  200  2.16.164.9:80
      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
      CN: unknown  Reputation: whitelisted
GET  200  172.67.34.122:443
      https://www.fosshub.com/feed/5b8793a7f9ee5a5c3e97a3b2.xml
      CN: unknown  Type: xml  Size: 6.83 Kb
GET  200  104.26.5.15:443
      https://download.db-ip.com/free/dbip-country-lite-2025-01.mmdb.gz
      CN: unknown  Type: compressed  Size: 3.45 Mb  Reputation: whitelisted

Connections

PID   Process              IP:port              Domain                           ASN                          CN  Reputation
                           40.127.240.158:443   settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:138                                                                    whitelisted
4712  MoUsoCoreWorker.exe  2.16.164.9:80        crl.microsoft.com                Akamai International B.V.    NL  whitelisted
4712  MoUsoCoreWorker.exe  95.101.149.131:80    www.microsoft.com                Akamai International B.V.    NL  whitelisted
                           20.73.194.208:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
3976  svchost.exe          40.127.240.158:443   settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:137                                                                    whitelisted
6932  qbittorrent.exe      192.168.100.2:5351                                                                     whitelisted
6932  qbittorrent.exe      82.221.103.244:6881  router.utorrent.com                                                whitelisted
6932  qbittorrent.exe      87.98.162.88:6881    dht.transmissionbt.com                                             suspicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.18
  • 2.16.164.72
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
dht.libtorrent.org
  • 185.157.221.247
unknown
dht.transmissionbt.com
  • 212.129.33.59
  • 87.98.162.88
unknown
router.bittorrent.com
  • 67.215.246.10
whitelisted
router.utorrent.com
  • 82.221.103.244
whitelisted
dht.aelitis.com
  • 34.229.89.117
malicious
download.db-ip.com
  • 104.26.4.15
  • 104.26.5.15
  • 172.67.75.166
whitelisted
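Added example, not ANY.RUN or qBittorrent code. It weighs the reputation labels in the Connections and DNS tables above, including the "malicious" on dht.aelitis.com and the "suspicious" on dht.transmissionbt.com, against what a libtorrent-based client does on first start: NAT-PMP to the default gateway on UDP 5351, DHT bootstrap to the hosts in libtorrent's default list (dht.libtorrent.org, router.bittorrent.com, router.utorrent.com, dht.transmissionbt.com, dht.aelitis.com), the FossHub update feed and the DB-IP country database that the HTTP table shows being downloaded. The rows are constructed from this report; `DHT_BOOTSTRAP`, `APP_ENDPOINTS`, `DHT_PORTS` and the function names are this example's own. A reputation label on shared infrastructure that every torrent client contacts is weak evidence by itself, so the code never turns an expected row into a finding on that label alone; anything from the sample's own process that the expected set does not cover goes to `review`.

```python
"""Classify a sandbox report's connection and DNS rows for a BitTorrent client.

Added example (not ANY.RUN or qBittorrent code). CONNECTIONS and DNS are
constructed from the report's Connections and DNS tables; the EXPECTED sets are
this example's own, from libtorrent's default bootstrap list and the
update/GeoIP hosts seen in the report's HTTP table.
"""
import ipaddress

# libtorrent default DHT bootstrap nodes; all on 6881 except dht.libtorrent.org:25401.
DHT_BOOTSTRAP = {"dht.libtorrent.org", "router.bittorrent.com", "router.utorrent.com",
                 "dht.transmissionbt.com", "dht.aelitis.com"}
DHT_PORTS = {6881, 25401}
APP_ENDPOINTS = {"www.fosshub.com", "download.db-ip.com"}   # update feed, GeoIP database
NAT_PMP_PORT = 5351                                        # NAT-PMP to the gateway, UDP
TORRENT_PROCESS = "qbittorrent.exe"

CONNECTIONS = [  # constructed from the report's Connections table
    {"pid": 4,    "proc": "System",              "ip": "192.168.100.255", "port": 138,  "domain": "",                                "rep": "whitelisted"},
    {"pid": 4712, "proc": "MoUsoCoreWorker.exe", "ip": "2.16.164.9",      "port": 80,   "domain": "crl.microsoft.com",               "rep": "whitelisted"},
    {"pid": 3976, "proc": "svchost.exe",         "ip": "40.127.240.158",  "port": 443,  "domain": "settings-win.data.microsoft.com", "rep": "whitelisted"},
    {"pid": 6932, "proc": "qbittorrent.exe",     "ip": "192.168.100.2",   "port": 5351, "domain": "",                                "rep": "whitelisted"},
    {"pid": 6932, "proc": "qbittorrent.exe",     "ip": "82.221.103.244",  "port": 6881, "domain": "router.utorrent.com",             "rep": "whitelisted"},
    {"pid": 6932, "proc": "qbittorrent.exe",     "ip": "87.98.162.88",    "port": 6881, "domain": "dht.transmissionbt.com",          "rep": "suspicious"},
]
DNS = {  # domain -> reputation label, constructed from the report's DNS table
    "google.com": "whitelisted", "crl.microsoft.com": "whitelisted",
    "settings-win.data.microsoft.com": "whitelisted", "dht.libtorrent.org": "unknown",
    "dht.transmissionbt.com": "unknown", "router.bittorrent.com": "whitelisted",
    "router.utorrent.com": "whitelisted", "dht.aelitis.com": "malicious",
    "download.db-ip.com": "whitelisted",
}


def _is_microsoft(domain):
    return domain == "microsoft.com" or domain.endswith(".microsoft.com")


def assess_connection(c):
    """One connection row -> category. 'review' means the client's expected
    first-start behaviour does not explain it (e.g. a peer-like connection
    when no torrent was added in the sandbox)."""
    ip = ipaddress.ip_address(c["ip"])
    if c["proc"].lower() != TORRENT_PROCESS:
        # Not produced by the sample: Windows CRL/telemetry traffic is sandbox noise.
        return "os-background" if _is_microsoft(c["domain"]) else "unattributed"
    if ip.is_private and c["port"] == NAT_PMP_PORT:
        return "expected-natpmp"
    if c["domain"] in DHT_BOOTSTRAP and c["port"] in DHT_PORTS:
        return "expected-dht"
    if c["domain"] in APP_ENDPOINTS and c["port"] == 443:
        return "expected-app"
    return "review"


def assess_dns(domain):
    """One resolved name -> category, independent of its reputation label."""
    if domain in DHT_BOOTSTRAP:
        return "expected-dht"
    if domain in APP_ENDPOINTS:
        return "expected-app"
    if _is_microsoft(domain):
        return "os-background"
    return "unattributed"


def summarize(connections, dns):
    """Group rows by category, keeping the report's reputation label visible so
    a label on shared infrastructure is seen but never promoted on its own."""
    out = {}
    for c in connections:
        target = c["domain"] or c["ip"]
        out.setdefault(assess_connection(c), []).append(f"{c['proc']} -> {target}:{c['port']} (rep: {c['rep']})")
    for domain, rep in dns.items():
        out.setdefault(assess_dns(domain), []).append(f"dns {domain} (rep: {rep})")
    return out


if __name__ == "__main__":
    for category, rows in summarize(CONNECTIONS, DNS).items():
        print(category.upper())
        for row in rows:
            print("  " + row)
```

The `unattributed` bucket is where the rows with no PID in the report's tables belong; they cannot be tied to the sample and should not be counted for or against it.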

Threats

No threats detected
No debug info