File name:

Azure cracked by jdun.rar

Full analysis: https://app.any.run/tasks/21a1edbc-2e18-4764-8c2b-8594fa2a5710
Verdict: Malicious activity
Analysis date: May 22, 2025, 16:40:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

AB9B5AF6CDA29F2EACFEF7654CDE9B00

SHA1:

26230FF95E73E1DACCAB420473856417DAC024CD

SHA256:

6B1642A20128D8E89E70C4D9C905358D0B0C86D4EDF76B6BC740105D3E371EB8

SSDEEP:

12288:jZrRMaWt0bhuvT8vOI1Yc6QIEqb/ADwEVljK:jZlU0bhuvT8vOI1YgIEqLAkEVM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6944)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Azure Exploit.exe (PID: 4724)

    • Reads security settings of Internet Explorer

      • Azure Exploit.exe (PID: 4724)
      • Azure Exploit.exe (PID: 208)
      • Azure Exploit.exe (PID: 6112)
      • Azure Exploit.exe (PID: 6972)

    • Start notepad (likely ransomware note)

      • Azure Exploit.exe (PID: 4724)
      • Azure Exploit.exe (PID: 208)
      • Azure Exploit.exe (PID: 6972)
      • Azure Exploit.exe (PID: 6112)
      • Azure Exploit.exe (PID: 5576)

    • Executes application which crashes

      • AzureExploit.exe (PID: 5048)
      • AzureExploit.exe (PID: 1812)
      • AzureExploit.exe (PID: 4272)
      • AzureExploit.exe (PID: 736)

  • INFO

    • Manual execution by a user

      • Azure Exploit.exe (PID: 4724)
      • cmd.exe (PID: 5984)
      • Azure Exploit.exe (PID: 6112)
      • Azure Exploit.exe (PID: 6972)
      • Azure Exploit.exe (PID: 5576)

    • Checks supported languages

      • Azure Exploit.exe (PID: 4724)
      • AzureExploit.exe (PID: 1812)
      • AzureExploit.exe (PID: 5048)
      • Azure Exploit.exe (PID: 208)
      • Azure Exploit.exe (PID: 6972)
      • AzureExploit.exe (PID: 4272)
      • Azure Exploit.exe (PID: 6112)
      • AzureExploit.exe (PID: 736)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6944)

    • Reads the computer name

      • Azure Exploit.exe (PID: 4724)
      • AzureExploit.exe (PID: 1812)
      • AzureExploit.exe (PID: 5048)
      • Azure Exploit.exe (PID: 208)
      • AzureExploit.exe (PID: 4272)
      • Azure Exploit.exe (PID: 6112)
      • Azure Exploit.exe (PID: 6972)
      • AzureExploit.exe (PID: 736)

    • Create files in a temporary directory

      • Azure Exploit.exe (PID: 4724)
      • Azure Exploit.exe (PID: 208)
      • Azure Exploit.exe (PID: 6112)
      • Azure Exploit.exe (PID: 6972)

    • Process checks computer location settings

      • Azure Exploit.exe (PID: 4724)
      • Azure Exploit.exe (PID: 208)
      • Azure Exploit.exe (PID: 6972)
      • Azure Exploit.exe (PID: 6112)

    • Reads the machine GUID from the registry

      • AzureExploit.exe (PID: 1812)
      • AzureExploit.exe (PID: 5048)
      • AzureExploit.exe (PID: 4272)
      • AzureExploit.exe (PID: 736)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6184)
      • notepad.exe (PID: 5404)
      • notepad.exe (PID: 3300)
      • notepad.exe (PID: 3096)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3240)
      • WerFault.exe (PID: 3888)
      • WerFault.exe (PID: 6036)
      • WerFault.exe (PID: 732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 44974
UncompressedSize: 97792
OperatingSystem: Win32
ArchivedFileName: Azure cracked by jdun/Azure Exploit.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
30
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe no specs rundll32.exe no specs azure exploit.exe azureexploit.exe conhost.exe no specs notepad.exe no specs werfault.exe no specs cmd.exe no specs conhost.exe no specs azure exploit.exe no specs azureexploit.exe conhost.exe no specs notepad.exe no specs werfault.exe no specs azure exploit.exe azureexploit.exe conhost.exe no specs notepad.exe no specs werfault.exe no specs azure exploit.exe no specs azureexploit.exe conhost.exe no specs notepad.exe no specs werfault.exe no specs azure exploit.exe no specs azureexploit.exe no specs conhost.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Users\admin\Desktop\Azure cracked by jdun\Azure Exploit.exe"C:\Users\admin\Desktop\Azure cracked by jdun\Azure Exploit.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\azure cracked by jdun\azure exploit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\msvcp_win.dll
660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeAzureExploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
732C:\WINDOWS\system32\WerFault.exe -u -p 736 -s 760C:\Windows\System32\WerFault.exeAzureExploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
736"C:\Users\admin\AppData\Local\Temp\AzureExploit.exe" C:\Users\admin\AppData\Local\Temp\AzureExploit.exe
Azure Exploit.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AzureExploit
Exit code:
3762504530
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\azureexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
920C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
1240\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeAzureExploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1812"C:\Users\admin\AppData\Local\Temp\AzureExploit.exe" C:\Users\admin\AppData\Local\Temp\AzureExploit.exe
Azure Exploit.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AzureExploit
Exit code:
3762504530
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\azureexploit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2108\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeAzureExploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3008\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3096"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Thankyou.txtC:\Windows\SysWOW64\notepad.exeAzure Exploit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
Total events
14 621
Read events
14 566
Write events
52
Delete events
3

Modification events

(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Azure cracked by jdun.rar
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6944) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4724) Azure Exploit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(4724) Azure Exploit.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:writeName:txtfile
Value:
Executable files
3
Suspicious files
6
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
3888WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AzureExploit.exe_9fdd92193e4c94f93bfa02a189087587ba088e2_605a36a7_adf88c3c-fd2f-4928-aa9d-3d6881a7fe5e\Report.wer
MD5:
SHA256:
3888WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\AzureExploit.exe.1812.dmp
MD5:
SHA256:
3240WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AzureExploit.exe_9fdd92193e4c94f93bfa02a189087587ba088e2_605a36a7_4dc4ac56-da65-4c45-bf61-13ad606f06f5\Report.wer
MD5:
SHA256:
3240WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\AzureExploit.exe.5048.dmp
MD5:
SHA256:
6036WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AzureExploit.exe_9fdd92193e4c94f93bfa02a189087587ba088e2_605a36a7_37b0fcab-3528-4ce9-9178-9577917d1fc0\Report.wer
MD5:
SHA256:
6036WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\AzureExploit.exe.4272.dmp
MD5:
SHA256:
732WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AzureExploit.exe_9fdd92193e4c94f93bfa02a189087587ba088e2_605a36a7_63c4e44f-6676-42f6-b1d3-b6b65f1b3c9d\Report.wer
MD5:
SHA256:
732WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\AzureExploit.exe.736.dmp
MD5:
SHA256:
6944WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa6944.37468\Azure cracked by jdun\Azure Exploit.exeexecutable
MD5:EC22B01F2C0DD6EAE223C96567025821
SHA256:65CB323DBF3C7A1C1ECB0EE2DE55FD9A72621482261BCC8F823C77B09F5221F3
4724Azure Exploit.exeC:\Users\admin\AppData\Local\Temp\Thankyou.txttext
MD5:E284EFF24E5213D152ABC8056E1E036A
SHA256:65F314160D722001660D57F261811C49E3CDF5D93810515CDCB32049BCB98FFA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
18
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5552
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5552
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5552
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.75
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.3
  • 20.190.159.23
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Azure cracked by jdun.rar