General Info Watch the FULL Interactive Analysis at ANY.RUN!

File name

ALL FILES 00001.zip

Verdict
Malicious activity
Analysis date
2/10/2019, 17:20:34
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
azorult
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

eda5d1f5a507a85fba6d34bd835e9d5c

SHA1

d64093833ce6596fc75ea88fecfc4e622ebe332b

SHA256

0acfd55e26f4419f32e0ba35b33f42e235d7961d875e3b202030e98cb2d2e8f5

SSDEEP

49152:FGyjJVa49pjcH+YW38tEPk/MMYEZnDnUmePttirIXQBh99:FGyntc2cik/vYEZnDnUmuXQd9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes the autorun value in the registry
  • WScript.exe (PID: 3308)
Application was dropped or rewritten from another process
  • filename.exe (PID: 3588)
  • filename.exe (PID: 3500)
  • eScfbGVynncWo.exe (PID: 3644)
AZORULT was detected
  • filename.exe (PID: 3588)
Connects to CnC server
  • filename.exe (PID: 3588)
Actions looks like stealing of personal data
  • filename.exe (PID: 3588)
Loads dropped or rewritten executable
  • filename.exe (PID: 3588)
Executes scripts
  • WinRAR.exe (PID: 3516)
  • eScfbGVynncWo.exe (PID: 3644)
Executable content was dropped or overwritten
  • WScript.exe (PID: 2164)
  • eScfbGVynncWo.exe (PID: 3644)
  • filename.exe (PID: 3588)
Starts itself from another location
  • eScfbGVynncWo.exe (PID: 3644)
Application launched itself
  • filename.exe (PID: 3500)
Reads the cookies of Google Chrome
  • filename.exe (PID: 3588)
Reads the cookies of Mozilla Firefox
  • filename.exe (PID: 3588)
Starts CMD.EXE for commands execution
  • filename.exe (PID: 3588)
Dropped object may contain Bitcoin addresses
  • WinRAR.exe (PID: 3516)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:02:09 22:04:21
ZipCRC:
0x41f39fef
ZipCompressedSize:
2083386
ZipUncompressedSize:
3316146
ZipFileName:
ALL.FILES00001.js

Screenshots

Processes

Total processes
39
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

+
start drop and start drop and start winrar.exe no specs wscript.exe escfbgvynncwo.exe wscript.exe filename.exe no specs #AZORULT filename.exe cmd.exe no specs timeout.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3516
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ALL FILES 00001.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
2164
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3516.15836\ALL.FILES00001.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\jscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\escfbgvynncwo.exe

PID
3644
CMD
"C:\Users\admin\AppData\Local\Temp\eScfbGVynncWo.exe"
Path
C:\Users\admin\AppData\Local\Temp\eScfbGVynncWo.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ammi2
Description
wheelerdealer7
Version
1.06.0006
Modules
Image
c:\users\admin\appdata\local\temp\escfbgvynncwo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wscript.exe
c:\users\admin\appdata\local\temp\subfolder\filename.exe

PID
3308
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
eScfbGVynncWo.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll

PID
3500
CMD
"C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe"
Path
C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe
Indicators
No indicators
Parent process
eScfbGVynncWo.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ammi2
Description
wheelerdealer7
Version
1.06.0006
Modules
Image
c:\users\admin\appdata\local\temp\subfolder\filename.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll

PID
3588
CMD
C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe"
Path
C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe
Indicators
Parent process
filename.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ammi2
Description
wheelerdealer7
Version
1.06.0006
Modules
Image
c:\users\admin\appdata\local\temp\subfolder\filename.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crtdll.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\users\admin\appdata\local\temp\2fda\nss3.dll
c:\users\admin\appdata\local\temp\2fda\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\users\admin\appdata\local\temp\2fda\msvcp140.dll
c:\users\admin\appdata\local\temp\2fda\vcruntime140.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-string-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-math-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-time-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
c:\users\admin\appdata\local\temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\users\admin\appdata\local\temp\2fda\softokn3.dll
c:\users\admin\appdata\local\temp\2fda\freebl3.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\mlang.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3180
CMD
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "filename.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
filename.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\timeout.exe

PID
4008
CMD
C:\Windows\system32\timeout.exe 3
Path
C:\Windows\system32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
1240
Read events
1199
Write events
41
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3516
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\ALL FILES 00001.zip
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3516
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\wshext.dll,-4804
JScript Script File
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3516
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2164
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2164
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3644
eScfbGVynncWo.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3644
eScfbGVynncWo.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3308
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Registry Key Name
C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs -BB
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASAPI32
EnableFileTracing
0
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASAPI32
EnableConsoleTracing
0
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASAPI32
FileTracingMask
4294901760
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASAPI32
ConsoleTracingMask
4294901760
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASAPI32
MaxFileSize
1048576
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASAPI32
FileDirectory
%windir%\tracing
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASMANCS
EnableFileTracing
0
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASMANCS
EnableConsoleTracing
0
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASMANCS
FileTracingMask
4294901760
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASMANCS
ConsoleTracingMask
4294901760
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASMANCS
MaxFileSize
1048576
3588
filename.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\filename_RASMANCS
FileDirectory
%windir%\tracing
3588
filename.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3588
filename.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3588
filename.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3588
filename.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
50
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID Process Filename Type
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\mozglue.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\vcruntime140.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\softokn3.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\freebl3.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\nssdbm3.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\msvcp140.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\ucrtbase.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll executable
3644 eScfbGVynncWo.exe C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\nss3.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll executable
2164 WScript.exe C:\Users\admin\AppData\Local\Temp\eScfbGVynncWo.exe executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll executable
3588 filename.exe C:\Users\admin\AppData\Local\Temp\24227187228846222691837.tmp ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\24281259919670615201182.tmp ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2428156535541778675644.tmp ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2428109898041475556228.tmp ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\24280931563801779194214.tmp-shm ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\24280931563801779194214.tmp ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2428078889383352694758.tmp ––
3588 filename.exe C:\Users\admin\AppData\Local\Temp\242810987659556188047.tmp ––
3500 filename.exe C:\Users\admin\AppData\Local\Temp\~DF112BE546E6F2790D.TMP binary
3644 eScfbGVynncWo.exe C:\Users\admin\AppData\Local\Temp\~DF79D10BC1AC5D8F57.TMP binary
3588 filename.exe C:\Users\admin\AppData\Local\Temp\2428156535541778675644.tmp-shm ––
3644 eScfbGVynncWo.exe C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs text
3588 filename.exe C:\Users\admin\AppData\Local\Temp\24281403442371774629897.tmp ––
3516 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DIa3516.15836\ALL.FILES00001.js text

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3588 filename.exe POST 200 162.244.92.133:80 http://k-antivirus.com/index.php US
text
txt
malicious
3588 filename.exe POST 200 162.244.92.133:80 http://k-antivirus.com/index.php US
binary
text
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3588 filename.exe 162.244.92.133:80 FranTech Solutions US malicious

DNS requests

Domain IP Reputation
k-antivirus.com 162.244.92.133
malicious

Threats

PID Process Class Message
3588 filename.exe A Network Trojan was detected ET TROJAN AZORult Variant.4 Checkin M2
3588 filename.exe A Network Trojan was detected MALWARE [PTsecurity] AZORult client request
3588 filename.exe A Network Trojan was detected MALWARE [PTsecurity] AZORult HTTP Header
3588 filename.exe A Network Trojan was detected MALWARE [PTsecurity] AZORult HTTP Header
3588 filename.exe A Network Trojan was detected MALWARE [PTsecurity] AZORult client request
3588 filename.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

1 ETPRO signatures available at the full report

Debug output strings

No debug info.