File name: Setup.exe
Full analysis: https://app.any.run/tasks/a31659bf-8b7d-4cde-b87a-ca64df29be44
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: May 20, 2022, 18:21:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
azorult
darkcomet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 29F28331FC1ABF5F5B3746B775DE663C
SHA1: C41016F48C9F1308F1011174C461066F2BC794DA
SHA256: 62793F2523F2B2ABECAEB6C06649D98BBE9BE005BDCAF8E31559B47D9D41DE26
SSDEEP: 12288:t4jZ1tT8/4IsI3lFZWdqswtfp4Z1tT8l0CqM:tg1tT8/nsbG81tT8llq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after start

      • Setup.exe (PID: 3604)
      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST.EXE (PID: 3904)
    • Actions look like stealing of personal data

      • Setup.exe (PID: 3604)
      • SETUP.EXE (PID: 1604)
      • SETUP.EXE (PID: 3652)
      • SETUP.EXE (PID: 2844)
      • SETUP.EXE (PID: 1048)
      • SETUP.EXE (PID: 2520)
      • SETUP.EXE (PID: 240)
      • SETUP.EXE (PID: 3388)
      • SETUP.EXE (PID: 892)
      • SETUP.EXE (PID: 3324)
    • Disables Windows Defender

      • WINDOWS.EXE (PID: 2884)
      • WINDOWS.EXE (PID: 2956)
      • WINDOWS.EXE (PID: 2684)
      • WINDOWS.EXE (PID: 2528)
      • WINDOWS.EXE (PID: 1536)
      • WINDOWS.EXE (PID: 3496)
      • WINDOWS.EXE (PID: 2180)
      • svchost.exe (PID: 1604)
      • WINDOWS.EXE (PID: 2876)
    • Changes the autorun value in the registry

      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • svchost.exe (PID: 1604)
    • Changes the login/logoff helper path in the registry

      • SVCHOST32.EXE (PID: 2460)
    • UAC/LUA settings modification

      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST32.EXE (PID: 3976)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST32.EXE (PID: 3992)
    • Disables registry editing tools (regedit)

      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 3976)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST32.EXE (PID: 3992)
    • Task Manager has been disabled (taskmgr)

      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 3976)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST32.EXE (PID: 3992)
    • Changes firewall settings

      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST32.EXE (PID: 3976)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST32.EXE (PID: 3992)
    • Creates or modifies windows services

      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST32.EXE (PID: 3976)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST32.EXE (PID: 3992)
    • Changes Security Center notification settings

      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST32.EXE (PID: 3976)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST32.EXE (PID: 3992)
    • Application was dropped or rewritten from another process

      • FILEMANAGER.EXE (PID: 1148)
      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST64.EXE (PID: 2796)
      • FILEMANAGER.EXE (PID: 2936)
      • FILEMANAGER.EXE (PID: 368)
      • SVCHOST64.EXE (PID: 1956)
      • FILEMANAGER.EXE (PID: 3048)
      • FILEMANAGER.EXE (PID: 3432)
      • FILEMANAGER.EXE (PID: 2528)
      • SVCHOST.EXE (PID: 1956)
      • WINDOWS.EXE (PID: 2884)
      • SVCHOST.EXE (PID: 2416)
      • SVCHOST32.EXE (PID: 2524)
      • SVCHOST.EXE (PID: 3904)
      • SVCHOST.EXE (PID: 2352)
      • SVCHOST.EXE (PID: 1968)
      • WINDOWS.EXE (PID: 2956)
      • SVCHOST32.EXE (PID: 3976)
      • SVCHOST64.EXE (PID: 2640)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST.EXE (PID: 2200)
      • SVCHOST64.EXE (PID: 4060)
      • svchost.exe (PID: 1604)
      • WINDOWS.EXE (PID: 2528)
      • WINDOWS.EXE (PID: 2684)
      • FILEMANAGER.EXE (PID: 3488)
      • SVCHOST.EXE (PID: 2448)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST64.EXE (PID: 708)
      • WINDOWS.EXE (PID: 1536)
      • SVCHOST32.EXE (PID: 2440)
      • FILEMANAGER.EXE (PID: 3424)
      • SVCHOST64.EXE (PID: 1736)
      • WINDOWS.EXE (PID: 3496)
      • SVCHOST.EXE (PID: 2104)
      • SVCHOST32.EXE (PID: 3676)
      • FILEMANAGER.EXE (PID: 708)
      • SVCHOST64.EXE (PID: 3124)
      • WINDOWS.EXE (PID: 2180)
      • SVCHOST.EXE (PID: 1244)
      • svchost.exe (PID: 564)
      • SVCHOST32.EXE (PID: 3992)
      • WINDOWS.EXE (PID: 2876)
      • SVCHOST64.EXE (PID: 1688)
      • SVCHOST32.EXE (PID: 1828)
      • FILEMANAGER.EXE (PID: 1444)
      • SVCHOST64.EXE (PID: 4060)
      • WINDOWS.EXE (PID: 600)
    • Changes settings of System certificates

      • SVCHOST32.EXE (PID: 3256)
    • AZORULT detected by memory dumps

      • FILEMANAGER.EXE (PID: 1148)
    • Changes Windows auto-update feature

      • svchost.exe (PID: 1604)
    • Changes internet zones settings

      • SVCHOST32.EXE (PID: 4020)
    • DARKCOMET detected by memory dumps

      • SVCHOST32.EXE (PID: 2524)
  • SUSPICIOUS

    • Checks supported languages

      • Setup.exe (PID: 3604)
      • FILEMANAGER.EXE (PID: 1148)
      • SVCHOST.EXE (PID: 3904)
      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST64.EXE (PID: 2796)
      • WINDOWS.EXE (PID: 2884)
      • SETUP.EXE (PID: 1604)
      • SVCHOST.EXE (PID: 2416)
      • FILEMANAGER.EXE (PID: 3432)
      • SETUP.EXE (PID: 3652)
      • SVCHOST32.EXE (PID: 2524)
      • powershell.exe (PID: 3592)
      • cmd.exe (PID: 2616)
      • SVCHOST64.EXE (PID: 1956)
      • WINDOWS.EXE (PID: 2956)
      • cmd.exe (PID: 2556)
      • FILEMANAGER.EXE (PID: 3048)
      • powershell.exe (PID: 2396)
      • SETUP.EXE (PID: 2844)
      • FILEMANAGER.EXE (PID: 368)
      • SVCHOST.EXE (PID: 1968)
      • SETUP.EXE (PID: 1048)
      • SVCHOST.EXE (PID: 2352)
      • FILEMANAGER.EXE (PID: 2936)
      • SETUP.EXE (PID: 2520)
      • FILEMANAGER.EXE (PID: 2528)
      • SVCHOST.EXE (PID: 1956)
      • SETUP.EXE (PID: 240)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST64.EXE (PID: 2640)
      • SVCHOST64.EXE (PID: 4060)
      • SVCHOST32.EXE (PID: 3976)
      • WINDOWS.EXE (PID: 2528)
      • SVCHOST.EXE (PID: 2200)
      • WINDOWS.EXE (PID: 2684)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST.EXE (PID: 2448)
      • SETUP.EXE (PID: 3388)
      • SVCHOST64.EXE (PID: 708)
      • FILEMANAGER.EXE (PID: 3488)
      • WINDOWS.EXE (PID: 1536)
      • powershell.exe (PID: 3232)
      • SVCHOST32.EXE (PID: 2440)
      • WINDOWS.EXE (PID: 3496)
      • SVCHOST64.EXE (PID: 1736)
      • FILEMANAGER.EXE (PID: 3424)
      • powershell.exe (PID: 3968)
      • powershell.exe (PID: 580)
      • SETUP.EXE (PID: 892)
      • SVCHOST.EXE (PID: 2104)
      • powershell.exe (PID: 2624)
      • FILEMANAGER.EXE (PID: 708)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST64.EXE (PID: 3124)
      • WINDOWS.EXE (PID: 2180)
      • SVCHOST.EXE (PID: 1244)
      • SETUP.EXE (PID: 3324)
      • svchost.exe (PID: 564)
      • powershell.exe (PID: 3168)
      • SVCHOST32.EXE (PID: 3992)
      • WINDOWS.EXE (PID: 2876)
      • SVCHOST64.EXE (PID: 1688)
      • SVCHOST32.EXE (PID: 1828)
      • SVCHOST64.EXE (PID: 4060)
      • FILEMANAGER.EXE (PID: 1444)
    • Reads the computer name

      • FILEMANAGER.EXE (PID: 1148)
      • Setup.exe (PID: 3604)
      • SVCHOST64.EXE (PID: 2796)
      • WINDOWS.EXE (PID: 2884)
      • SVCHOST32.EXE (PID: 2460)
      • SETUP.EXE (PID: 1604)
      • SVCHOST32.EXE (PID: 2524)
      • FILEMANAGER.EXE (PID: 3432)
      • powershell.exe (PID: 3592)
      • SETUP.EXE (PID: 3652)
      • SVCHOST64.EXE (PID: 1956)
      • FILEMANAGER.EXE (PID: 3048)
      • WINDOWS.EXE (PID: 2956)
      • powershell.exe (PID: 2396)
      • SETUP.EXE (PID: 2844)
      • FILEMANAGER.EXE (PID: 368)
      • SETUP.EXE (PID: 1048)
      • FILEMANAGER.EXE (PID: 2936)
      • SETUP.EXE (PID: 2520)
      • FILEMANAGER.EXE (PID: 2528)
      • SVCHOST64.EXE (PID: 2640)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST64.EXE (PID: 4060)
      • svchost.exe (PID: 1604)
      • SETUP.EXE (PID: 240)
      • SVCHOST32.EXE (PID: 3976)
      • WINDOWS.EXE (PID: 2684)
      • SVCHOST32.EXE (PID: 4020)
      • WINDOWS.EXE (PID: 2528)
      • SVCHOST64.EXE (PID: 708)
      • WINDOWS.EXE (PID: 1536)
      • FILEMANAGER.EXE (PID: 3488)
      • powershell.exe (PID: 3232)
      • SETUP.EXE (PID: 3388)
      • SVCHOST32.EXE (PID: 2440)
      • WINDOWS.EXE (PID: 3496)
      • FILEMANAGER.EXE (PID: 3424)
      • powershell.exe (PID: 3968)
      • SVCHOST64.EXE (PID: 1736)
      • powershell.exe (PID: 580)
      • SVCHOST.EXE (PID: 1968)
      • SVCHOST.EXE (PID: 2416)
      • powershell.exe (PID: 2624)
      • SETUP.EXE (PID: 892)
      • FILEMANAGER.EXE (PID: 708)
      • SVCHOST64.EXE (PID: 3124)
      • SVCHOST.EXE (PID: 2352)
      • SVCHOST.EXE (PID: 1956)
      • SVCHOST32.EXE (PID: 3676)
      • SVCHOST.EXE (PID: 3904)
      • WINDOWS.EXE (PID: 2180)
      • SETUP.EXE (PID: 3324)
      • powershell.exe (PID: 3168)
      • SVCHOST64.EXE (PID: 1688)
      • SVCHOST32.EXE (PID: 3992)
      • SVCHOST.EXE (PID: 2448)
      • WINDOWS.EXE (PID: 2876)
      • SVCHOST32.EXE (PID: 1828)
      • FILEMANAGER.EXE (PID: 1444)
      • SVCHOST64.EXE (PID: 4060)
    • Drops a file with a compile date too recent

      • Setup.exe (PID: 3604)
      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST.EXE (PID: 3904)
    • Application launched itself

      • Setup.exe (PID: 3604)
      • SETUP.EXE (PID: 1604)
      • SETUP.EXE (PID: 3652)
      • SETUP.EXE (PID: 2844)
      • SETUP.EXE (PID: 1048)
      • SETUP.EXE (PID: 2520)
      • SETUP.EXE (PID: 240)
      • SETUP.EXE (PID: 3388)
      • SETUP.EXE (PID: 892)
      • SETUP.EXE (PID: 3324)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 3604)
      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST.EXE (PID: 3904)
    • Reads Environment values

      • FILEMANAGER.EXE (PID: 1148)
      • SVCHOST64.EXE (PID: 2796)
      • FILEMANAGER.EXE (PID: 3432)
      • SVCHOST64.EXE (PID: 1956)
      • FILEMANAGER.EXE (PID: 3048)
      • FILEMANAGER.EXE (PID: 368)
      • FILEMANAGER.EXE (PID: 2936)
      • FILEMANAGER.EXE (PID: 2528)
      • SVCHOST64.EXE (PID: 2640)
      • SVCHOST64.EXE (PID: 4060)
      • SVCHOST64.EXE (PID: 708)
      • FILEMANAGER.EXE (PID: 3488)
      • SVCHOST64.EXE (PID: 1736)
      • FILEMANAGER.EXE (PID: 3424)
      • FILEMANAGER.EXE (PID: 708)
      • SVCHOST64.EXE (PID: 3124)
      • SVCHOST64.EXE (PID: 1688)
      • FILEMANAGER.EXE (PID: 1444)
      • SVCHOST64.EXE (PID: 4060)
    • Creates executable files which already exist in Windows

      • Setup.exe (PID: 3604)
      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST.EXE (PID: 3904)
    • Executes PowerShell scripts

      • WINDOWS.EXE (PID: 2884)
      • WINDOWS.EXE (PID: 2956)
      • WINDOWS.EXE (PID: 2684)
      • WINDOWS.EXE (PID: 2528)
      • WINDOWS.EXE (PID: 1536)
      • WINDOWS.EXE (PID: 3496)
      • WINDOWS.EXE (PID: 2180)
      • WINDOWS.EXE (PID: 2876)
    • Starts CMD.EXE for command execution

      • SVCHOST32.EXE (PID: 2460)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2616)
      • cmd.exe (PID: 2556)
    • Reads the date of Windows installation

      • SVCHOST32.EXE (PID: 2460)
      • SETUP.EXE (PID: 3652)
      • SETUP.EXE (PID: 2844)
      • SETUP.EXE (PID: 1048)
      • SETUP.EXE (PID: 240)
      • SETUP.EXE (PID: 2520)
      • SETUP.EXE (PID: 3388)
      • SETUP.EXE (PID: 892)
    • Starts itself from another location

      • SVCHOST32.EXE (PID: 2460)
      • SVCHOST.EXE (PID: 3904)
    • Reads Internet Explorer settings

      • SVCHOST32.EXE (PID: 3976)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST32.EXE (PID: 4020)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 2440)
      • SVCHOST32.EXE (PID: 3676)
    • Changes IE settings (feature browser emulation)

      • SVCHOST32.EXE (PID: 3976)
    • Modifies the phishing filter of IE

      • SVCHOST32.EXE (PID: 3976)
  • INFO

    • Checks Windows Trust Settings

      • powershell.exe (PID: 3592)
      • powershell.exe (PID: 2396)
      • powershell.exe (PID: 3232)
      • powershell.exe (PID: 580)
      • powershell.exe (PID: 2624)
      • powershell.exe (PID: 3968)
      • powershell.exe (PID: 3168)
    • Checks supported languages

      • notepad.exe (PID: 3052)
      • notepad.exe (PID: 664)
      • attrib.exe (PID: 128)
      • attrib.exe (PID: 2580)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2396)
      • powershell.exe (PID: 3592)
      • SVCHOST32.EXE (PID: 3976)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 2440)
      • powershell.exe (PID: 3232)
    • Reads Microsoft Office registry keys

      • SVCHOST32.EXE (PID: 3976)
      • SVCHOST32.EXE (PID: 4020)
      • SVCHOST32.EXE (PID: 3256)
      • SVCHOST32.EXE (PID: 3676)
      • svchost.exe (PID: 1604)
      • SVCHOST32.EXE (PID: 2440)

azorult

Process (PID 1148): FILEMANAGER.EXE
Hosts: http://195.245.112.115/index.php

DarkComet

Process (PID 2524): SVCHOST32.EXE
Offline keylogger: True
PERS: 1
CHIDED: 1
CHIDEF: 1
SH10: 1
SH9: 1
SH8: 1
SH7: 1
SH6: 1
SH5: 1
SH4: 1
SH3: 1
SH1: 1
File attrubutes: True
Directory attributes: True
Change Date: 0
MELT: 1
Persistance: True
Edit date: 2007-04-16
Registry key: svchost
Install path: svchost\svchost.exe
COMBOPATH: 10
Install: True
gencode: DGviw0NSakYq
FWB: 0
sid: Guest16
Mutex: DC_MUTEX-S8PPX4S
Version: #KCMDDC51#
C2 (1): 172.94.18.243:3000

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x3248
UninitializedDataSize: -
InitializedDataSize: 699392
CodeSize: 31232
LinkerVersion: 10
PEType: PE32
TimeStamp: 2011:07:03 11:05:04+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Jul-2011 09:05:04
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Jul-2011 09:05:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00007842 | 0x00007A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.48777
.rdata | 0x00009000 | 0x0000319E | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.92389
.data | 0x0000D000 | 0x00001A84 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.57332
.rsrc | 0x0000F000 | 0x000A57B0 | 0x000A5800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.92513
.reloc | 0x000B5000 | 0x000013AA | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.12103

Resources

Title | Entropy | Size | Codepage | Language | Type
50 | 7.93188 | 15926 | UNKNOWN | English - United States | RT_ICON
51 | 3.65175 | 67624 | UNKNOWN | English - United States | RT_ICON
52 | 3.86582 | 16936 | UNKNOWN | English - United States | RT_ICON
53 | 4.09319 | 9640 | UNKNOWN | English - United States | RT_ICON
54 | 4.32919 | 4264 | UNKNOWN | English - United States | RT_ICON
55 | 4.66038 | 1128 | UNKNOWN | English - United States | RT_ICON
128 | 2.87162 | 90 | UNKNOWN | English - United States | RT_GROUP_ICON
FILEMANAGER.EXE | 6.30359 | 114688 | Latin 1 / Western European | UNKNOWN | RBIND
SETUP.EXE | 6.00819 | 54784 | Latin 1 / Western European | UNKNOWN | RBIND
SVCHOST.EXE | 5.52138 | 24064 | Latin 1 / Western European | UNKNOWN | RBIND

Imports

KERNEL32.dll
SHELL32.dll
No data.
Total processes: 125
Monitored processes: 75
Malicious processes: 39
Suspicious processes: 10

Behavior graph

[Interactive process graph omitted. It shows Setup.exe dropping and starting FILEMANAGER.EXE (#AZORULT), SETUP.EXE, SVCHOST.EXE, SVCHOST32.EXE (#DARKCOMET), SVCHOST64.EXE and WINDOWS.EXE, with further child processes including powershell.exe, cmd.exe, attrib.exe and notepad.exe.]

Process information

PID: 1636
CMD: "C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\appdata\local\temp\setup.exe
  • c:\windows\system32\ntdll.dll

PID: 3604
CMD: "C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Setup.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
  • c:\users\admin\appdata\local\temp\setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 1148
CMD: "C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE"
Path: C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE
Parent process: Setup.exe
User: admin
Integrity Level: HIGH
Modules (images):
  • c:\users\admin\appdata\local\temp\filemanager.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\sechost.dll
Malware configuration (azorult):
  Process (PID 1148): FILEMANAGER.EXE
  Hosts: http://195.245.112.115/index.php

PID: 1604
CMD: "C:\Users\admin\AppData\Local\Temp\SETUP.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SETUP.EXE
Parent process: Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
  • c:\users\admin\appdata\local\temp\setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 3904
CMD: "C:\Users\admin\AppData\Local\Temp\SVCHOST.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SVCHOST.EXE
Parent process: Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\apppatch\acgenral.dll
  • c:\windows\system32\sspicli.dll
  • c:\windows\system32\msvcrt.dll

PID: 2460
CMD: "C:\Users\admin\AppData\Local\Temp\SVCHOST32.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SVCHOST32.EXE
Parent process: Setup.exe
User: admin
Company: Microsoft Corp.
Integrity Level: HIGH
Description: Remote Service Application
Exit code: 0
Version: 1, 0, 0, 1
Modules (images):
  • c:\users\admin\appdata\local\temp\svchost32.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 2796
CMD: "C:\Users\admin\AppData\Local\Temp\SVCHOST64.EXE"
Path: C:\Users\admin\AppData\Local\Temp\SVCHOST64.EXE
Parent process: Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\svchost64.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll

PID: 2884
CMD: "C:\Users\admin\AppData\Local\Temp\WINDOWS.EXE"
Path: C:\Users\admin\AppData\Local\Temp\WINDOWS.EXE
Parent process: Setup.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: Windows
Exit code: 0
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\windows.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\apppatch\acgenral.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3432
CMD: "C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE"
Path: C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE
Parent process: SETUP.EXE
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\filemanager.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 3592
CMD: "powershell" Get-MpPreference -verbose
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WINDOWS.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\atl.dll
  • c:\windows\system32\user32.dll

Total events: 108 045
Read events: 92 556
Write events: 3 101
Delete events: 0

Modification events

  • Process: (PID 3604) Setup.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write | Name: ProxyBypass | Value: 1
  • Process: (PID 3604) Setup.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write | Name: IntranetName | Value: 1
  • Process: (PID 3604) Setup.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write | Name: UNCAsIntranet | Value: 1
  • Process: (PID 3604) Setup.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write | Name: AutoDetect | Value: 0
  • Process: (PID 1148) FILEMANAGER.EXE
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    Operation: write | Name: CachePrefix | Value: (empty)
  • Process: (PID 1148) FILEMANAGER.EXE
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    Operation: write | Name: CachePrefix | Value: Cookie:
  • Process: (PID 1148) FILEMANAGER.EXE
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    Operation: write | Name: CachePrefix | Value: Visited:
  • Process: (PID 1148) FILEMANAGER.EXE
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Operation: write | Name: ProxyEnable | Value: 0
  • Process: (PID 1148) FILEMANAGER.EXE
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Operation: write | Name: SavedLegacySettings
    Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  • Process: (PID 2884) WINDOWS.EXE
    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    Operation: write | Name: DisableAntiSpyware | Value: 1

Executable files: 7
Suspicious files: 8
Text files: 0
Unknown types: 1

Dropped files

  • PID 3604, Setup.exe: C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE (executable)
    MD5: 82352E916C23558C5357D9B381FD6BDA
    SHA256: 530E35D68B61FAFDF64DEFF557D7EC78209A56D9C49D10C4F58A3B24AD077F07
  • PID 3604, Setup.exe: C:\Users\admin\AppData\Local\Temp\WINDOWS.EXE (executable)
    MD5: 8FF3198DBD93B447202687B8AA137F83
    SHA256: 8E0A8EC3A6504E973530C5CC92F9F304B5858BC7EAC627EB7D4D4347B407DD59
  • PID 3604, Setup.exe: C:\Users\admin\AppData\Local\Temp\SVCHOST32.EXE (executable)
    MD5: A4B1143D3A29F1CDA25B810649A0E094
    SHA256: 303C19A1D018426B798D99003027EA2DEA5E920193C23E99564E6CE2A6BA3177
  • PID 3904, SVCHOST.EXE: C:\Users\admin\svchost.exe (executable)
    MD5: 4A171715CBE0338F978149346C4C4E8F
    SHA256: 42E4E13FB75B2D97C9ED24793AC3E1E00956E43E034A61B4A60FCAAD1806FE7E
  • PID 3604, Setup.exe: C:\Users\admin\AppData\Local\Temp\SVCHOST.EXE (executable)
    MD5: 4A171715CBE0338F978149346C4C4E8F
    SHA256: 42E4E13FB75B2D97C9ED24793AC3E1E00956E43E034A61B4A60FCAAD1806FE7E
  • PID 2460, SVCHOST32.EXE: C:\Users\admin\AppData\Local\Temp\svchost\svchost.exe (executable)
    MD5: A4B1143D3A29F1CDA25B810649A0E094
    SHA256: 303C19A1D018426B798D99003027EA2DEA5E920193C23E99564E6CE2A6BA3177
  • PID 3604, Setup.exe: C:\Users\admin\AppData\Local\Temp\SVCHOST64.EXE (executable)
    MD5: 381AC0493EE4B1175316533E6861D519
    SHA256: 1C9B2FF9F42F69BB77A25FA3015FDAD327ACA44374BD3380627D3F60A1BA21F0
  • PID 3592, powershell.exe: C:\Users\admin\AppData\Local\Temp\np2aqkn3.cjc.ps1 (binary)
    MD5: C4CA4238A0B923820DCC509A6F75849B
    SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  • PID 3232, powershell.exe: C:\Users\admin\AppData\Local\Temp\v0ox4ytp.3gl.psm1 (binary)
    MD5: C4CA4238A0B923820DCC509A6F75849B
    SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  • PID 2396, powershell.exe: C:\Users\admin\AppData\Local\Temp\ivkfgnwv.xia.ps1 (binary)
    MD5: C4CA4238A0B923820DCC509A6F75849B
    SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1148 | FILEMANAGER.EXE | POST | | 185.53.177.54:80 | http://b.cracking.be/index.php | DE | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1148 | FILEMANAGER.EXE | 185.53.177.54:80 | b.cracking.be | Team Internet AG | DE | malicious
 | | 172.94.18.243:3000 | | Digital Energy Technologies Limited | DE | malicious
 | | 172.94.18.243:3001 | | Digital Energy Technologies Limited | DE | malicious
2524 | SVCHOST32.EXE | 172.94.18.243:3000 | | Digital Energy Technologies Limited | DE | malicious

DNS requests

Domain | IP | Reputation
b.cracking.be | 185.53.177.54 | malicious

Threats

No threats detected

Process | Message
Setup.exe | C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE
Setup.exe | C:\Users\admin\AppData\Local\Temp\SETUP.EXE
Setup.exe | C:\Users\admin\AppData\Local\Temp\SVCHOST.EXE
Setup.exe | C:\Users\admin\AppData\Local\Temp\SVCHOST32.EXE
SETUP.EXE | C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE
Setup.exe | C:\Users\admin\AppData\Local\Temp\SVCHOST64.EXE
Setup.exe | C:\Users\admin\AppData\Local\Temp\WINDOWS.EXE
SETUP.EXE | C:\Users\admin\AppData\Local\Temp\SETUP.EXE
SETUP.EXE | C:\Users\admin\AppData\Local\Temp\SVCHOST.EXE
SETUP.EXE | C:\Users\admin\AppData\Local\Temp\FILEMANAGER.EXE