If Qakbot was not previously installed, the following operations take place.
Initially, Qakbot checks if it is running in a honeypot or a system it wishes to avoid, such as virtual machines.
If Internet Explorer is running in protected mode (checked using ieframe.dll!IEIsProtectedModeProcess), Qakbot terminates.
If MS Office, Project, or Citrix is installed, Qakbot assumes it is not in a honeypot and does not check whether it is in a virtual machine.
Otherwise, the threat checks a variety of settings to determine whether it is running within a virtual machine. If so, it informs the attacker through an HTTP POST query and terminates. Recent variants use the URL hxxp://bgstat.in/6.
However, there is one exception: even if a virtual machine is detected, Qakbot proceeds if the file “c:\irc.log” exists. This was likely used for the attacker's own testing purposes.
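The HTTP POST sent on virtual machine detection is a usable network indicator: a client that issued it ran the installer in an environment Qakbot judged to be virtual. The following added example (not part of the original report) scans proxy log lines for that request; the log layout, the sample lines and the function names are assumptions.

```python
from urllib.parse import urlsplit

# IoC exactly as printed on the page (defanged); refanged only in memory.
REPORT_URL_DEFANGED = "hxxp://bgstat.in/6"

def refang(url: str) -> str:
    """Undo the common hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def find_vm_reports(log_lines):
    """Return (client, url, exact_path_match) for each POST to the reporting host.

    Assumed log layout (constructed for this example):
    "<timestamp> <client> <method> <url> <status>"
    """
    ioc = urlsplit(refang(REPORT_URL_DEFANGED))
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        _, client, method, url, _ = fields[:5]
        if method.upper() != "POST":
            continue  # the page describes a POST query only
        target = urlsplit(url)
        host = (target.hostname or "").lower().rstrip(".")
        if host != ioc.hostname:
            continue  # exact host match, so look-alike hosts are not flagged
        # The path is only known for "recent variants", so a different path
        # on the same host is still reported, marked as a weaker match.
        hits.append((client, url, target.path == ioc.path))
    return hits

# Constructed sample proxy log lines, not real telemetry.
_IOC = refang(REPORT_URL_DEFANGED)
SAMPLE_LOG = [
    "2011-03-01T10:00:01Z 10.0.0.5 GET http://example.com/ 200",
    f"2011-03-01T10:00:07Z 10.0.0.9 POST {_IOC} 200",
    f"2011-03-01T10:01:13Z 10.0.0.7 POST {_IOC[:-1].upper()}5 404",
    f"2011-03-01T10:02:00Z 10.0.0.8 GET {_IOC} 200",
    f"2011-03-01T10:02:30Z 10.0.0.4 POST {_IOC.replace('://', '://not')} 200",
    "truncated line",
]

if __name__ == "__main__":
    for client, url, exact in find_vm_reports(SAMPLE_LOG):
        print(client, url, "exact URL" if exact else "same host, other path")
```

Because Qakbot terminates after sending this report, a hit usually points to an analysis or virtualized system rather than a completed installation.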