| File name: | qtranslate-6-10-0.exe |
| Full analysis: | https://app.any.run/tasks/0ffe3fef-0ea3-4da9-9500-715ac4df844b |
| Verdict: | Malicious activity |
| Analysis date: | December 10, 2024, 03:37:58 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | E23FFECB44C814AAA4708D56AB5B144B |
| SHA1: | 202311D615685E7BAAA41DC149B5A76A69C05A0E |
| SHA256: | D395AF3C10E18C944CF8ADE76A650623DC23E050EAF652FF31056C84077A013C |
| SSDEEP: | 24576:GYnrVnqxCGl2NN5SSbyE3dJfz7oHf2qj2HHmR:bnRqMzlPNJfzfHg |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- qtranslate-6-10-0.exe (PID: 6812)
Malware-specific behavior (creating "System.dll" in Temp)
- qtranslate-6-10-0.exe (PID: 6812)
Creates a software uninstall entry
- qtranslate-6-10-0.exe (PID: 6812)
Searches for installed software
- QTranslate.exe (PID: 6872)
The process creates files with name similar to system file names
- qtranslate-6-10-0.exe (PID: 6812)
INFO
Checks supported languages
- qtranslate-6-10-0.exe (PID: 6812)
- QTranslate.exe (PID: 6872)
Create files in a temporary directory
- qtranslate-6-10-0.exe (PID: 6812)
Creates files or folders in the user directory
- qtranslate-6-10-0.exe (PID: 6812)
Reads the computer name
- qtranslate-6-10-0.exe (PID: 6812)
- QTranslate.exe (PID: 6872)
Creates files in the program directory
- qtranslate-6-10-0.exe (PID: 6812)
Checks proxy server information
- QTranslate.exe (PID: 6872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:09:25 21:56:47+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 141824 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x3640 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
115
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6664 | "C:\Users\admin\Desktop\qtranslate-6-10-0.exe" | C:\Users\admin\Desktop\qtranslate-6-10-0.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 6812 | "C:\Users\admin\Desktop\qtranslate-6-10-0.exe" | C:\Users\admin\Desktop\qtranslate-6-10-0.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 6872 | "C:\Program Files (x86)\QTranslate\QTranslate.exe" | C:\Program Files (x86)\QTranslate\QTranslate.exe | qtranslate-6-10-0.exe | ||||||||||||
User: admin Company: QuestSoft Integrity Level: HIGH Description: QTranslate Version: 6.10.0.0 Modules
| |||||||||||||||
Total events
701
Read events
693
Write events
8
Delete events
0
Modification events
| (PID) Process: | (6812) qtranslate-6-10-0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QTranslate |
| Operation: | write | Name: | DisplayName |
Value: QTranslate 6.10.0 | |||
| (PID) Process: | (6812) qtranslate-6-10-0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QTranslate |
| Operation: | write | Name: | UninstallString |
Value: C:\Program Files (x86)\QTranslate\Uninstall.exe | |||
| (PID) Process: | (6812) qtranslate-6-10-0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QTranslate |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files (x86)\QTranslate\QTranslate.exe | |||
| (PID) Process: | (6812) qtranslate-6-10-0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QTranslate |
| Operation: | write | Name: | DisplayVersion |
Value: 6.10.0 | |||
| (PID) Process: | (6812) qtranslate-6-10-0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QTranslate |
| Operation: | write | Name: | URLInfoAbout |
Value: https://quest-app.appspot.com/ | |||
| (PID) Process: | (6812) qtranslate-6-10-0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QTranslate |
| Operation: | write | Name: | Publisher |
Value: QuestSoft | |||
| (PID) Process: | (6872) QTranslate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\qtranslate.exe |
| Operation: | write | Name: | JScriptSetScriptStateStarted |
Value: 3DAA130000000000 | |||
| (PID) Process: | (6872) QTranslate.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings |
| Operation: | write | Name: | JITDebug |
Value: 0 | |||
Executable files
6
Suspicious files
15
Text files
112
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\Babylon Dictionary\Service.ico | image | |
MD5:E3128633E94A0C352375D0FFFC497052 | SHA256:47068C0E950F0EE240E38F2F0C3DCF305633B423D4D81FC522F5F2AF8A6AC79B | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\ABBYY Lingvo Live\Service.js | html | |
MD5:CAD24AB28FF0A3050DD1B2F664562C4F | SHA256:4C0EF8506FF322CE78A29488B90E04F3DD16E55A5BF93E5DDEE0282F637D04E0 | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\Google Search\Service.ico | image | |
MD5:1E7F652C531C17CC60BC6703458DC881 | SHA256:E5EFB0B5C0BC1E9E5B258FBD482709CB303AC7638E38B000C0887AEB3FD1A026 | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\Babylon\Service.js | text | |
MD5:8595F4DEF5FB61F7D36EAE11568DF1B4 | SHA256:C12E825D73CBF78CE3BE414A3BBBD2CDF7FF9BB4AE1FA2CDA33C1BBF4947C324 | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\ImTranslator\Service.ico | image | |
MD5:D723854C3700E43193A7C24F2680E68C | SHA256:627357769CD625D5CCAFD3671C5BAD2882B47EC3CB031ED6E2FD2B979DCD2B89 | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\ABBYY Lingvo Live\Service.ico | image | |
MD5:199E649A59A9582A1EFE8D50DEF9CCB2 | SHA256:56D583D80ADAC1307B023E01E2B61FE06874511315E3618826DBC7694CD1A6AE | |||
| 6812 | qtranslate-6-10-0.exe | C:\Users\admin\AppData\Local\Temp\nsy6084.tmp\modern-header.bmp | image | |
MD5:FA91E636C40B029E183FD04932DCD35E | SHA256:7EC3906768AE3DEBB2FEB86F130AB78D0ED3BE1DD7A6DAD84362DF8C3ACF515C | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\Baidu\Service.ico | image | |
MD5:5B4CC3021A48FCEA2BF090284C96CDD8 | SHA256:1B58896134A1AF56EC2DDBD4E1F68B64D31EBD3DC0351BC7FE5C17120833D5EB | |||
| 6812 | qtranslate-6-10-0.exe | C:\Program Files (x86)\QTranslate\Services\Babylon\Service.ico | image | |
MD5:E3128633E94A0C352375D0FFFC497052 | SHA256:47068C0E950F0EE240E38F2F0C3DCF305633B423D4D81FC522F5F2AF8A6AC79B | |||
| 6812 | qtranslate-6-10-0.exe | C:\Users\admin\AppData\Local\Temp\nsy6084.tmp\nsDialogs.dll | executable | |
MD5:6C3F8C94D0727894D706940A8A980543 | SHA256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
23
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6872 | QTranslate.exe | POST | 307 | 213.180.204.29:80 | http://speller.yandex.net/services/spellservice.json/checkText | unknown | — | — | whitelisted |
— | — | POST | 204 | 92.123.104.34:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
— | — | POST | 200 | 213.180.204.29:443 | https://speller.yandex.net/services/spellservice.json/checkText | unknown | text | 258 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.251:5353 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 92.123.104.34:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
6872 | QTranslate.exe | 213.180.204.29:80 | speller.yandex.net | YANDEX LLC | RU | whitelisted |
6872 | QTranslate.exe | 213.180.204.29:443 | speller.yandex.net | YANDEX LLC | RU | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
speller.yandex.net |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |