File name: payload.dll

Full analysis: https://app.any.run/tasks/b4344dcc-118b-4396-ba72-70ae8daf8260
Verdict: Malicious activity
Threats:

Qbot is a banking Trojan, malware designed to collect banking information from victims. Qbot mostly targets organizations in the US. It is equipped with various sophisticated evasion and info-stealing functions, worm-like functionality, and a strong persistence mechanism.

Analysis date: January 08, 2024, 03:52:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 63865150F22172ECC203F90CDCB92A2B
SHA1: 97512595836ED3AFFFB2B4097237314007DE72B1
SHA256: C7826264D835554596373A9302C11BB63E2DF68E5028ED364F267A7884C14576
SSDEEP: 3072:0lKn7JLhLg8scarBtzQE1Q75qLOnUxYovgW7bMXGCvS:H5E1QwSUS27brCv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • QBOT has been detected (YARA)

      • explorer.exe (PID: 1776)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Drops the executable file immediately after the start

      • explorer.exe (PID: 1776)
      • rundll32.exe (PID: 2044)
    • Create files in a temporary directory

      • explorer.exe (PID: 1776)

Qbot

(PID) Process: (1776) explorer.exe
Botnet: obama112
Campaign: 1633682302
Version: 402.363
C2 (144)
Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Strings (176)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:27 18:30:19+02:00
ImageFileCharacteristics: Executable, 32-bit, DLL
PEType: PE32
LinkerVersion: 14.29
CodeSize: 92160
InitializedDataSize: 29696
UninitializedDataSize: -
EntryPoint: 0x5f63
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start rundll32.exe #QBOT explorer.exe no specs

Process information

PID: 1776
CMD: C:\Windows\explorer.exe
Path: C:\Windows\explorer.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2044
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\payload.dll.exe", #1
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Total events: 52
Read events: 51
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1776) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Ytfovlymmxqrt
Operation: write
Name: 9abda0b5
Value: 78FD41573BD99A1F72AB7870315B0E3453028C2CB868FED0AF9ED99462BC4217A1D271A8EA0356DF43535841214A5F0FFC6490664BB2D686
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1776
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Temp\payload.dll.exe
Type: executable
MD5: CBA640A92909128A10808620717A22DB
SHA256: 670F888B70C59BF2076061D92C97C5C69A44D27A43346481F143E134E8E9F75E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
Debug output

Process | Message
rundll32.exe | Hello qqq
rundll32.exe | Hello qqq
rundll32.exe | Hello qqq
rundll32.exe | Hello qqq
rundll32.exe | Hello qqq