File name: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28

Full analysis: https://app.any.run/tasks/e584a8c4-c377-4888-8c4b-3fd33eb8c4ae
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: January 10, 2025, 23:33:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: sinkhole, stealer, azorult, evasion, quasar, rat, autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: B342FC1721147D746388D4BF6C987A04
SHA1: BCB7F37269B927D2607578804BE99CE1EB85F72A
SHA256: 498421E2892EF6A315F64BE9517F62BF98434AC422D2EB881BFE6C6B6C92CB28
SSDEEP: 98304:GAGQX21RBt7QjTmcaTH/vU4do9Pcjq1GvXB1sg58N32+Rr181vWDZT3FcIwEAiRr:zv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • SystemPropertiesPerformance.exe (PID: 444)
    • QUASAR mutex has been found

      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • windef.exe (PID: 3208)
    • AZORULT has been detected (SURICATA)

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Connects to the CnC server

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Request for a sinkholed resource

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
    • Changes the autorun value in the registry

      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
    • QUASAR has been detected (YARA)

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • winsock.exe (PID: 5316)
      • SystemPropertiesPerformance.exe (PID: 444)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • SystemPropertiesPerformance.exe (PID: 444)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Executes application which crashes

      • vnc.exe (PID: 4624)
      • vnc.exe (PID: 2600)
    • Application launched itself

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • SystemPropertiesPerformance.exe (PID: 444)
    • Executable content was dropped or overwritten

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • windef.exe (PID: 5200)
    • Contacting a server suspected of hosting a CnC

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Starts itself from another location

      • windef.exe (PID: 5200)
    • Checks for external IP

      • windef.exe (PID: 5200)
      • svchost.exe (PID: 2192)
      • winsock.exe (PID: 5316)
    • Connects to unusual port

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • The process executes via Task Scheduler

      • SystemPropertiesPerformance.exe (PID: 444)
  • INFO

    • Reads mouse settings

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • SystemPropertiesPerformance.exe (PID: 444)
    • The sample was compiled with English language support

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
    • Checks supported languages

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • vnc.exe (PID: 4624)
      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • SystemPropertiesPerformance.exe (PID: 444)
      • vnc.exe (PID: 2600)
      • windef.exe (PID: 3208)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Reads the computer name

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • windef.exe (PID: 3208)
      • SystemPropertiesPerformance.exe (PID: 444)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Reads the machine GUID from the registry

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • SystemPropertiesPerformance.exe (PID: 444)
      • windef.exe (PID: 3208)
      • SystemPropertiesPerformance.exe (PID: 2132)
    • Process checks computer location settings

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • SystemPropertiesPerformance.exe (PID: 444)
    • Checks proxy server information

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 2408)
      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • SystemPropertiesPerformance.exe (PID: 2132)
      • WerFault.exe (PID: 5340)
    • The process uses the downloaded file

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • SystemPropertiesPerformance.exe (PID: 444)
    • Create files in a temporary directory

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • SystemPropertiesPerformance.exe (PID: 444)
    • Disables trace logs

      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
    • Creates files or folders in the user directory

      • windef.exe (PID: 5200)
      • winsock.exe (PID: 5316)
      • WerFault.exe (PID: 5340)
    • The process uses AutoIt

      • 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe (PID: 5008)
      • SystemPropertiesPerformance.exe (PID: 444)
    • Reads the software policy settings

      • WerFault.exe (PID: 5340)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.1)
.exe | Win32 Executable (generic) (2.8)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

ProductVersion: ...
ProductName: Adobe Download Manager
LegalCopyright: Copyright 2018 Adobe Incorporated. All rights reserved.
FileVersion: ...
CompanyName: Adobe Systems Incorporated
OriginalFileName: Adobe Download Manager
FileDescription: Adobe Download Manager
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 1527296
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2019:03:12 13:38:44+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 136
Monitored processes: 18
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Process nodes in the graph, in order ("no specs" marks processes with no indicators attached):
  • #QUASAR 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
  • vnc.exe
  • svchost.exe (no specs)
  • #QUASAR windef.exe
  • #AZORULT 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • werfault.exe
  • svchost.exe
  • #QUASAR winsock.exe
  • #QUASAR systempropertiesperformance.exe (no specs)
  • vnc.exe
  • svchost.exe (no specs)
  • #QUASAR windef.exe (no specs)
  • werfault.exe
  • #AZORULT systempropertiesperformance.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)

Process information

PID 5008 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"
Path: C:\Users\admin\Desktop\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Download Manager
Version: ...
Modules (Images):
  • c:\users\admin\desktop\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\psapi.dll

PID 4624 (parent process: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\vnc.exe"
Path: C:\Users\admin\AppData\Local\Temp\vnc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (Images):
  • c:\users\admin\appdata\local\temp\vnc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\shlwapi.dll

PID 132 (parent process: vnc.exe)
CMD: C:\WINDOWS\system32\svchost.exe -k
Path: C:\Windows\System32\svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID 5200 (parent process: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\windef.exe"
Path: C:\Users\admin\AppData\Local\Temp\windef.exe
User: admin
Integrity Level: MEDIUM
Description: (empty)
Exit code: 0
Version: 1.3.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\windef.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll

PID 2408 (parent process: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe)
CMD: "C:\Users\admin\Desktop\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe"
Path: C:\Users\admin\Desktop\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Download Manager
Exit code: 0
Version: ...
Modules (Images):
  • c:\users\admin\desktop\498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID 5588 (parent process: 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe)
CMD: "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
Path: C:\Windows\SysWOW64\schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\syswow64\schtasks.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID 3076 (parent process: schtasks.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID 5096 (parent process: vnc.exe)
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4624 -s 584
Path: C:\Windows\SysWOW64\WerFault.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll

PID 2192 (parent process: services.exe)
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll

PID 5316 (parent process: windef.exe)
CMD: "C:\Users\admin\AppData\Roaming\SubDir\winsock.exe"
Path: C:\Users\admin\AppData\Roaming\SubDir\winsock.exe
User: admin
Integrity Level: MEDIUM
Description: (empty)
Version: 1.3.0.0
Modules (Images):
  • c:\users\admin\appdata\roaming\subdir\winsock.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 17 371
Read events: 17 335
Write events: 36
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2408 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
2408 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
2408 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | EnableFileTracing | 0
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | EnableAutoFileTracing | 0
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | EnableConsoleTracing | 0
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | FileTracingMask | (empty)
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | ConsoleTracingMask | (empty)
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | MaxFileSize | 1048576
5200 | windef.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\windef_RASAPI32 | write | FileDirectory | %windir%\tracing

Executable files: 4
Suspicious files: 5
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5096 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vnc.exe_11dadb6a71afb88abcfcb9dd2dff3abfa557f294_c40a04ad_77721ed9-b56e-4ff6-bfd5-d55449199c4f\Report.wer | (not listed)
  MD5: (empty)
  SHA256: (empty)
5340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vnc.exe_11dadb6a71afb88abcfcb9dd2dff3abfa557f294_c40a04ad_f9b3893d-dc5e-40dd-9c9e-265385789997\Report.wer | (not listed)
  MD5: (empty)
  SHA256: (empty)
5316 | winsock.exe | C:\Users\admin\AppData\Roaming\Logs\01-10-2025 | binary
  MD5: B22B45336A1DFF3695567E2CBF7632DB
  SHA256: 50B75EDADB5D772C56ECEA7546055A2A97B4A1E4173BC5DECD27EB9AA7AEDBDA
5096 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E4C.tmp.WERInternalMetadata.xml | xml
  MD5: 9D0E46AE763E8B7259E7AACF1A06764A
  SHA256: A34CC4A552810878BCF46368E61372EB83264AD98A8E815827A0BD959239BD01
5340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER419D.tmp.xml | xml
  MD5: EB1129148E06D96AD71A545B32685060
  SHA256: 166A7EA14DF6FCCDEE3D12DCDD1A68895F399CA8702290921D1007B533E6FA06
5008 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | C:\Users\admin\AppData\Local\Temp\windef.exe | executable
  MD5: B4A202E03D4135484D0E730173ABCC72
  SHA256: 7050608D53F80269DF951D00883ED79815C060CE7678A76B5C3F6A2A985BEEA9
5096 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D9F.tmp.dmp | binary
  MD5: 41C70750095A955CC37CF5A680F5145F
  SHA256: 87CC221C56F0D2AAB9FAFA5A4337836BDC1A725BABA7FCD167F269DB447D1AC7
5008 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | C:\Users\admin\AppData\Local\Temp\vnc.exe | executable
  MD5: B8BA87EE4C3FC085A2FED0D839AADCE1
  SHA256: 4E8A99CD33C9E5C747A3CE8F1A3E17824846F4A8F7CB0631AEBD0815DB2CE3A4
5008 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | C:\Users\admin\btpanui\SystemPropertiesPerformance.exe | executable
  MD5: F5C34D85C502584E561780095BD5BEC2
  SHA256: EEF0ECDD8C44CF267FC5950501459432FB283B4A3AC54AA8EC2C56B27ECEC230
5340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER413D.tmp.dmp | binary
  MD5: 29494DB52636CF62D4B8DA2C0D452344
  SHA256: 840F640B4FC65987D275A8A66810C9A4116BA03DD2442F7BF593E2D0FE8A44A0
HTTP(S) requests: 10
TCP/UDP connections: 32
DNS requests: 12
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2408 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | POST | 200 | 44.221.84.105:8000 | http://0x21.in:8000/_az/ | unknown | malicious
2408 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | POST | (none) | 44.221.84.105:8000 | http://0x21.in:8000/_az/ | unknown | malicious
1356 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5200 | windef.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | shared
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1356 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5316 | winsock.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | shared
2132 | SystemPropertiesPerformance.exe | POST | 200 | 44.221.84.105:8000 | http://0x21.in:8000/_az/ | unknown | malicious
2132 | SystemPropertiesPerformance.exe | POST | (none) | 44.221.84.105:8000 | http://0x21.in:8000/_az/ | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1356 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not listed) | (not listed) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not listed) | (not listed) | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
2408 | 498421e2892ef6a315f64be9517f62bf98434ac422d2eb881bfe6c6b6c92cb28.exe | 44.221.84.105:8000 | 0x21.in | AMAZON-AES | US | malicious
1356 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5096 | WerFault.exe | 104.208.16.94:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1356 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
www.bing.com | 2.23.227.208, 2.23.227.215 | whitelisted
google.com | 142.250.185.238 | whitelisted
0x21.in | 44.221.84.105 | malicious
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
watson.events.data.microsoft.com | 104.208.16.94, 20.189.173.20 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
ip-api.com | 208.95.112.1 | shared
self.events.data.microsoft.com | 20.42.65.84 | whitelisted

Threats

Class | Message
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Malware Command and Control Activity Detected | ET MALWARE Win32/AZORult V3.2 Client Checkin M13
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
Malware Command and Control Activity Detected | ET MALWARE Win32/AZORult V3.2 Client Checkin M13
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
A Network Trojan was detected | ET MALWARE Common RAT Connectivity Check Observed
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
A Network Trojan was detected | ET MALWARE Common RAT Connectivity Check Observed
No debug info