File name: qbittorrent_5.0.3_x64_setup.exe

Full analysis: https://app.any.run/tasks/d1dc5900-e015-47fd-9480-1a33ad0aaded
Verdict: Malicious activity
Analysis date: January 21, 2025, 16:00:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: auto, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 83505C82E83BD2E61BD67DFCF30724CF
SHA1: 5FBDE5F904A7C0E1346B9BCEF4A66A7A7DD7E5B9
SHA256: 878CA7E3FB7A90A937AFDBE080C055877B4C6334A9589D27E092FD6737A0716F
SSDEEP: 393216:f1xBlT914yYKjqv+m6x1IJybK6rvnwzd6AEDehv8A:fDfx1yyqv+m6xqJEK6UOU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Executable content was dropped or overwritten

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Application launched itself

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • There is functionality for taking screenshot (YARA)

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • The process creates files with name similar to system file names

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Creates a software uninstall entry

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
  • INFO

    • Reads the computer name

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent.exe (PID: 6932)
    • The sample was compiled with English language support

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Process checks computer location settings

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Creates files in a temporary directory

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • Checks supported languages

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
      • qbittorrent.exe (PID: 6932)
    • Creates files in the program directory

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6812)
    • The process uses the downloaded file

      • qbittorrent_5.0.3_x64_setup.exe (PID: 6672)
    • Creates files or folders in the user directory

      • qbittorrent.exe (PID: 6932)
    • Reads the machine GUID from the registry

      • qbittorrent.exe (PID: 6932)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.0.3.0
ProductVersionNumber: 5.0.3.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: The qBittorrent project
FileDescription: qBittorrent - A Bittorrent Client
FileVersion: 5.0.3
LegalCopyright: Copyright ©2006-2024 The qBittorrent project
ProductName: qBittorrent
No data.
All screenshots are available in the full report
Total processes: 116
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, qbittorrent_5.0.3_x64_setup.exe, qbittorrent_5.0.3_x64_setup.exe, qbittorrent.exe, svchost.exe

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 6672
CMD: "C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe"
Path: C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe
Parent process: explorer.exe
User: admin
Company: The qBittorrent project
Integrity Level: MEDIUM
Description: qBittorrent - A Bittorrent Client
Exit code: 0
Version: 5.0.3
Modules
Images
c:\users\admin\desktop\qbittorrent_5.0.3_x64_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6812
CMD: "C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe" /UAC:40206 /NCRC
Path: C:\Users\admin\Desktop\qbittorrent_5.0.3_x64_setup.exe
Parent process: qbittorrent_5.0.3_x64_setup.exe
User: admin
Company: The qBittorrent project
Integrity Level: HIGH
Description: qBittorrent - A Bittorrent Client
Exit code: 0
Version: 5.0.3
Modules
Images
c:\users\admin\desktop\qbittorrent_5.0.3_x64_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6932
CMD: "C:\Program Files\qBittorrent\qbittorrent.exe"
Path: C:\Program Files\qBittorrent\qbittorrent.exe
Parent process: qbittorrent_5.0.3_x64_setup.exe
User: admin
Company: The qBittorrent Project
Integrity Level: MEDIUM
Description: qBittorrent - A Bittorrent Client
Version: v5.0.3
Modules
Images
c:\program files\qbittorrent\qbittorrent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 3 941
Read events: 3 922
Write events: 19
Delete events: 0

Modification events

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent
Operation: write
Name: InstallLocation
Value: C:\Program Files\qBittorrent

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities
Operation: write
Name: ApplicationDescription
Value: A BitTorrent client in Qt

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities
Operation: write
Name: ApplicationName
Value: qBittorrent

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities\FileAssociations
Operation: write
Name: .torrent
Value: qBittorrent.File.Torrent

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\qBittorrent\Capabilities\UrlAssociations
Operation: write
Name: magnet
Value: qBittorrent.Url.Magnet

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.torrent
Operation: write
Name: Content Type
Value: application/x-bittorrent

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
Operation: write
Name: Content Type
Value: application/x-magnet

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\magnet
Operation: write
Name: URL Protocol
Value:

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\qBittorrent
Operation: write
Name: DisplayName
Value: qBittorrent

Process: (6812) qbittorrent_5.0.3_x64_setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\qBittorrent
Operation: write
Name: UninstallString
Value: "C:\Program Files\qBittorrent\uninst.exe"
Executable files: 11
Suspicious files: 42
Text files: 4
Unknown types: 1

Dropped files

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Program Files\qBittorrent\qbittorrent.exe | Type: -
MD5: -
SHA256: -

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Program Files\qBittorrent\qbittorrent.pdb | Type: -
MD5: -
SHA256: -

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\System.dll | Type: executable
MD5: 4ADD245D4BA34B04F213409BFE504C07
SHA256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\LangDLL.dll | Type: executable
MD5: 50016010FB0D8DB2BC4CD258CEB43BE5
SHA256: 32230128C18574C1E860DFE4B17FE0334F685740E27BC182E0D525A8948C9C2E

PID: 6672 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsz890B.tmp\UAC.dll | Type: executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsm8DDE.tmp\UAC.dll | Type: executable
MD5: ADB29E6B186DAA765DC750128649B63D
SHA256: 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Program Files\qBittorrent\translations\qtbase_de.qm | Type: qm
MD5: F77CC111780332FB6D3E68393F5337D6
SHA256: 8E6C0B5A773E36D60942795E8971D729439D77A8613EC466FC24D0F73A2CE663

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Program Files\qBittorrent\translations\qtbase_da.qm | Type: binary
MD5: 859CE522A233AF31ED8D32822DA7755B
SHA256: 7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Program Files\qBittorrent\translations\qt_sl.qm | Type: binary
MD5: D35A0FE35476BE8BD149CEE46E42B5E9
SHA256: C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F

PID: 6812 | Process: qbittorrent_5.0.3_x64_setup.exe | Filename: C:\Program Files\qBittorrent\translations\qt_lt.qm | Type: binary
MD5: 8992B652D1499F5D2F12674F3F875A35
SHA256: 47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 26
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 104.26.5.15:443 | https://download.db-ip.com/free/dbip-country-lite-2025-01.mmdb.gz | unknown | compressed | 3.45 Mb | whitelisted
- | - | GET | 200 | 172.67.34.122:443 | https://www.fosshub.com/feed/5b8793a7f9ee5a5c3e97a3b2.xml | unknown | xml | 6.83 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6932 | qbittorrent.exe | 192.168.100.2:5351 | - | - | - | whitelisted
6932 | qbittorrent.exe | 82.221.103.244:6881 | router.utorrent.com | - | - | whitelisted
6932 | qbittorrent.exe | 87.98.162.88:6881 | dht.transmissionbt.com | - | - | suspicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.18
  • 2.16.164.72
  • 2.16.164.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
dht.libtorrent.org
  • 185.157.221.247
unknown
dht.transmissionbt.com
  • 212.129.33.59
  • 87.98.162.88
unknown
router.bittorrent.com
  • 67.215.246.10
whitelisted
router.utorrent.com
  • 82.221.103.244
whitelisted
dht.aelitis.com
  • 34.229.89.117
malicious
download.db-ip.com
  • 104.26.4.15
  • 104.26.5.15
  • 172.67.75.166
whitelisted

Threats

No threats detected
No debug info