File name: womanizee.dll
Full analysis: https://app.any.run/tasks/bb9f32b5-28c7-4bb1-8ca7-570287583d76
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Analysis date: October 05, 2022, 00:37:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 91D2D62ED8DA884094C111BEF5A1660E
SHA1: 80ACF778171CEE3E34E16EACE73CD3F695C1F52C
SHA256: 984D2854F4ABF3B2640AD5D6AA5031AE26F02B561B3FD0A284AAFE272B6C0C11
SSDEEP: 12288:nieL1vc1PdFjpmw5qS6xnGWvE/N285UT+QD1lNMA:i81IFnqnvEl5w9M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start
      • wermgr.exe (PID: 1760)
    • QBOT detected by memory dumps
      • wermgr.exe (PID: 1760)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • wermgr.exe (PID: 1760)
    • Drops a file with a compile date too recent
      • wermgr.exe (PID: 1760)
  • INFO
    • Reads the computer name
      • rundll32.exe (PID: 2948)
      • wermgr.exe (PID: 1760)
    • Checks supported languages
      • rundll32.exe (PID: 2948)
      • wermgr.exe (PID: 1760)
    • Loads main object executable
      • rundll32.exe (PID: 2948)

Qbot

(PID) Process: (1760) wermgr.exe
Strings (188)
at.exe %u:%u "%s" /I
powershell.exe -encodedCommand
amstream.dll
Self check
arp -a
c:\ProgramData
nltest /domain_trusts /all_trusts
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Self test OK.
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
\System32\WindowsPowerShell\v1.0\powershell.exe
net view
\System32\WindowsPowerShel1\v1.0\powershel1.exe
error res='%s' err=%d len=%u
net share
qwinsta
route print
.lnk
regsvr32.exe
Self test FAILED!!!
ProfileImagePath
schtasks.exe /Delete /F /TN %u
"%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
netstat -nao
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
/t5
whoami /all
Self check ok!
ProgramData
powershell.exe -encodedCommand %S
89210af9
3c91e639
%s "$%s = \"%s\"; & $%s"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ERROR: GetModuleFileNameW() failed with error: %u
ipconfig /all
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
%s \"$%s = \\\"%s\\\\; & $%s\"
net localgroup
powershell.exe
cmd /c set
Microsoft
SELF_TEST_1
%SystemRoot%\explorer.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
WBJ_IGNORE
*/*
SELECT * FROM Win32_Processor
root\SecurityCenter2
Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
\sf2.dll
Win32_Bios
.cfg
wpcap.dll
type=0x%04X
c:\hiberfil.sysss
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
bcrypt.dll
Win32_ComputerSystem
%SystemRoot%\SysWOW64\explorer.exe
FALSE
%S.%06d
Win32_Product
abcdefghijklmnopqrstuvwxyz
image/pjpeg
egui.exe;ekrn.exe
https
Create
%SystemRoot%\SysWOW64\msra.exe
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SubmitSamplesConsent
%ProgramFiles%\Internet Explorer\iexplore.exe
from
kernel32.dll
%s\system32\
\\.\pipe\
userenv.dll
ntdll.dll
ccSvcHst.exe
LocalLow
NTUSER.DAT
select
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Software\Microsoft
Win32_PhysicalMemory
wtsapi32.dll
ws2_32.dll
shell32.dll
Initializing database...
winsta0\default
S:(ML;;NW;;;LW)
snxhk_border_mywnd
%SystemRoot%\System32\msra.exe
TRUE
image/gif
APPDATA
vbs
image/jpeg
%SystemRoot%\SysWOW64\wermgr.exe
dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
ALLUSERSPROFILE
wininet.dll
urlmon.dll
Packages
SELECT * FROM Win32_OperatingSystem
Winsta0
%SystemRoot%\SysWOW64\explorer.exe
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Caption
ROOT\CIMV2
%SystemRoot%\System32\OneDriveSetup.exe
c:\\
aswhooka.dll
aabcdeefghiijklmnoopqrstuuvwxyyz
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
mpr.dll
%SystemRoot%\SysWOW64\xwizard.exe
Name
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
LastBootUpTime
%SystemRoot%\System32\wermgr.exe
avp.exe;kavtray.exe
Win32_Process
1234567890
%SystemRoot%\System32\mobsync.exe
rundll32.exe
fshoster32.exe
SystemRoot
advapi32.dll
SpyNetReporting
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
SAVAdminService.exe;SavService.exe
Win32_DiskDrive
cmd.exe
%SystemRoot%\SysWOW64\mobsync.exe
.dat
open
%SystemRoot%\System32\xwizard.exe
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
user32.dll
bdagent.exe;vsserv.exe;vsservppl.exe
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
MsMpEng.exe
Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
.dll
setupapi.dll
WRSA.exe
System32
application/x-shockwave-flash
netapi32.dll
SysWOW64
frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;PETools.ex...
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
vkise.exe;isesrv.exe;cmdagent.exe
MBAMService.exe;mbamgui.exe
iphlpapi.dll
SOFTWARE\Microsoft\Windows Defender\SpyNet
CommandLine
wbj.go
shlwapi.dll
Win32_PnPEntity
cscript.exe
LOCALAPPDATA
C:\INTERNAL\__empty
SELECT * FROM AntiVirusProduct
aswhookx.dll
%SystemRoot%\explorer.exe
mcshield.exe
.exe
pstorec.dll
%SystemRoot%\SysWOW64\OneDriveSetup.exe
wmic process call create 'expand "%S" "%S"'
fmon.exe
Content-Type: application/x-www-form-urlencoded
displayName
AvastSvc.exe
ByteFence.exe
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
WQL
crypt32.dll
C2 (118)
Version: 1027.895
Campaign: 1664363417
Botnet: obama207
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (57.2)
.exe | Win32 Executable (generic) (18.2)
.exe | Win16/32 Executable Delphi generic (8.3)
.exe | Generic Win/DOS Executable (8)
.exe | DOS Executable Generic (8)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 6
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 4096 | 373884 | 374272 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51292
DATA | 380928 | 6584 | 6656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.58771
BSS | 389120 | 4141 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.idata | 397312 | 8102 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.00912
.reloc | 405504 | 28932 | 29184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.62305
.rsrc | 438272 | 292864 | 292864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.82371

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 2.6633 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR
4077 | 2.89392 | 332 | UNKNOWN | UNKNOWN | RT_STRING
4078 | 3.12374 | 876 | UNKNOWN | UNKNOWN | RT_STRING
4079 | 3.15437 | 944 | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
gdi32.dll
kernel32.dll
kernel32.dll (#2)
kernel32.dll (#3)
kernel32.dll (#4)
oleaut32.dll
oleaut32.dll (#2)
No data.
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> rundll32.exe (no specs) -> wermgr.exe (#QBOT)

Process information

PID: 2948
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\womanizee.dll", #1
Path: C:\Windows\System32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1760
CMD: C:\Windows\System32\wermgr.exe
Path: C:\Windows\System32\wermgr.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Version: 6.1.7601.24521 (win7sp1_ldr_escrow.190909-1704)
Total events: 68
Read events: 58
Write events: 10
Delete events: 0

Modification events

PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: 9abda0b5
Value:
78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: af2270fb
Value:
1671B1CB492C5556C055EBE1070186F4539120B65789D71DB758F7249231D7EFE81C8ECAE56FBF12EB97D74FCE28A7C64420349CAD704EF46C08C28785325DA04EC55E6E8CDFA42531F0946B3321C8CB01D1E8F360D47B846A3463E7919A5EE78CEB4A7EF37FE781B04F1E724F76D4D471D962C1AF767DCD901BB854F670DB2AAFDA7EC62D66B8100666C6C42D912507FAFC5C6C86059C6523A7917E99DBC84F0152E8C16D170DA625DEE8DB4EFDD0BAFE8AC174238FCFCE5B284F9E110924B2CA4C60EE9A086EC4EA53370598DCA4606D
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: ad635087
Value:
3F5FCA242F6BC310CEAAC572F217631E80818206CC63DD11A011436B60540631896528F881B58F8D7524A62F733EFFF1B65DEC863701EF377DB32346C7CAEBF22254622CA4CA2148A5E14D101F2C82D3E373B8F7A28CCE6187EAD42B23EA18A1DBE81CA2
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: 15df37e2
Value:
B713EAE0E8A1DA4145567599E629CDB49337DE281B7CD536F5A49F5F12F547236F38C1FF725361EDEDE0697F35E8F8FC5B
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: 68d77868
Value:
FDAA9851894C11466CE466C238A829AC7D067B43784036B67ED14F73523A690DA110E0822121380F4474A045F950DFA5F4E571D81A3BCB4FC46D8D17CE5B0104C618671B46604225C4157F1D8E2C771823C93812AC68E744F8CD1B185F4C90181B
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: d06b1f0d
Value:
AD659A1C35153227A0FB6C5D5B9329BE52522392BC1E5EA22C4E1317AC8AAFA82D2B77C6901735FBCC06F5399FAF61D3F005B0319A198178E5B939362F98C9D3FD8BFE4DE91FFF0E3F3018A7FAC315D2389211532683CF1C7B58608894E81C4B
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: 179e179e
Value:
18D68B559E54F66427831576418B7B92AAA117E47E6BE147A40EF6C8A0FA223B37FB4E249371D2480F29E54823A6A221329EF6424F46D87A19FE0794B298D319B418155A4366B3FE
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: e5f4cf43
Value:
2BF73CCC9ED93B09D708F5D28211873DDE7DD93558AF6796436756F202AE4D70E074748CB258856424
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: 9abda0b5
Value:
78FD56573BD9A968E2E8B224399AEC08954AA6922C0986DA5E11E60CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
PID: 1760 | Process: wermgr.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write | Name: 9abda0b5
Value:
78FD56573BD9A968E2E8B224399AEC08954AA6922C0986DA581EE40CC8377942D4EC0D3FEECDEC230CD8B164A163762742B72E187D4E6D08D27D035F5E8C4C61A83C0095B69099EBCE0C386560
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1760
Process: wermgr.exe
Filename: C:\Users\admin\AppData\Local\Temp\womanizee.dll
Type: executable
MD5: 6C45AA6E3103E11C1486A30761328B31
SHA256: 6F517C83A81FEAAAD66CF5D9A2531446968FE6614A0A812BDEF4584176484CA0
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info