File name: MUH030425.exe

Full analysis: https://app.any.run/tasks/85bf7912-fea4-4a73-b94d-c62f93b9cfb1
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: March 04, 2025, 08:39:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
m0yv
stealer
azorult
sinkhole
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 7958C012F2EFC42CC7FF436D3377ABCC
SHA1: D854A2CB11B56D64DD7F87EE91EA47F305CE82BF
SHA256: B5C538F89CA2E3D9A8085BC387D85F7F50E9470975FFEC25FE040C26226BECCB
SSDEEP: 49152:dAVaKZ0AeijfdOpeqKZbA6JaZR9mFgRfROrFdVMFo7Qwq7t2IfLeBc7izkezef3+:dcaK2PaiFKZbABZR7irRMG7tq52INizl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • MUH030425.exe (PID: 1020)
    • M0YV mutex has been found

      • RegSvcs.exe (PID: 7152)
    • AZORULT mutex has been detected

      • RegSvcs.exe (PID: 7152)
    • Connects to the CnC server

      • RegSvcs.exe (PID: 7152)
    • Actions looks like stealing of personal data

      • RegSvcs.exe (PID: 7152)
    • AZORULT has been detected (SURICATA)

      • RegSvcs.exe (PID: 7152)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 7152)
    • Starts CMD.EXE for self-deleting

      • RegSvcs.exe (PID: 7152)
    • AZORULT has been detected (YARA)

      • RegSvcs.exe (PID: 7152)
    • M0YV has been detected (YARA)

      • RegSvcs.exe (PID: 7152)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Reads security settings of Internet Explorer

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Executes application which crashes

      • MUH030425.exe (PID: 1020)
    • Contacting a server suspected of hosting an CnC

      • RegSvcs.exe (PID: 7152)
    • The process drops Mozilla's DLL files

      • RegSvcs.exe (PID: 7152)
    • Searches for installed software

      • RegSvcs.exe (PID: 7152)
    • The process drops C-runtime libraries

      • RegSvcs.exe (PID: 7152)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 664)
    • Starts CMD.EXE for commands execution

      • RegSvcs.exe (PID: 7152)
    • Process drops legitimate windows executable

      • RegSvcs.exe (PID: 7152)
    • Deletes system .NET executable

      • cmd.exe (PID: 664)
    • There is functionality for taking screenshot (YARA)

      • RegSvcs.exe (PID: 7152)
  • INFO

    • Create files in a temporary directory

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Reads the machine GUID from the registry

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Checks supported languages

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Creates files or folders in the user directory

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
      • WerFault.exe (PID: 4268)
    • Reads the computer name

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Process checks computer location settings

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Checks proxy server information

      • RegSvcs.exe (PID: 7152)
      • slui.exe (PID: 6752)
    • The sample compiled with english language support

      • RegSvcs.exe (PID: 7152)
    • Reads CPU info

      • RegSvcs.exe (PID: 7152)
    • Reads the software policy settings

      • slui.exe (PID: 6752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Malware configuration: azorult

Process: RegSvcs.exe (PID 7152)
Hosts: http://k1d5.icu/TP341/index.php
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:04 08:03:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1621504
InitializedDataSize: 34304
UninitializedDataSize: -
EntryPoint: 0x18dd8a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.0
ProductVersionNumber: 1.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: InSim packet sniffer for the racing simulator Live for Speed
CompanyName: -
FileDescription: InSimSniffer
FileVersion: 1.3.2.0
InternalName: pixuBt.exe
LegalCopyright: Copyright © Alex McBride 2009 - 2012
LegalTrademarks: -
OriginalFileName: pixuBt.exe
ProductName: InSimSniffer
ProductVersion: 1.3.2.0
AssemblyVersion: 1.3.2.0
No data.
All screenshots are available in the full report
Total processes: 130
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes:
  • start
  • muh030425.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • regsvcs.exe (#M0YV)
  • werfault.exe (no specs)
  • svchost.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • timeout.exe (no specs)
  • slui.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 664
CMD: "C:\WINDOWS\system32\cmd.exe" /c C:\WINDOWS\system32\timeout.exe 3 & del "RegSvcs.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: RegSvcs.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
PID: 1020
CMD: "C:\Users\admin\Desktop\MUH030425.exe"
Path: C:\Users\admin\Desktop\MUH030425.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: InSimSniffer
Exit code: 3762504530
Version: 1.3.2.0
Modules (images):
  • c:\users\admin\desktop\muh030425.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
PID: 1180
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\admin\AppData\Local\Temp\tmp6109.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: MUH030425.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\schtasks.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\kernel.appcore.dll
PID: 2268
CMD: C:\WINDOWS\system32\timeout.exe 3
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\timeout.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll
PID: 4268
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1020 -s 1852
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: MUH030425.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
PID: 6132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 6388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 6752
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
PID: 7152
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: MUH030425.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  • c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll
Total events: 6 390
Read events: 6 387
Write events: 3
Delete events: 0

Modification events

Process: RegSvcs.exe (PID 7152)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: RegSvcs.exe (PID 7152)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: RegSvcs.exe (PID 7152)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 56
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4268 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MUH030425.exe_1db42179d057652d3e28b63f8b6b7dee6f9cb85_2bfe8698_e460f056-f8df-46f0-af0e-a477bede7cc5\Report.wer | -
MD5: -
SHA256: -
4268 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\MUH030425.exe.1020.dmp | -
MD5: -
SHA256: -
1020 | MUH030425.exe | C:\Users\admin\AppData\Local\Temp\tmp6109.tmp | xml
MD5: 7AA6E325FB4AE0672B4B0C1E8FA170E1
SHA256: CA60EDC9C456F26450894B55A75DA624198F9E4650EA265E42C3D36ABB228797
7152 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 902803D53A5035D74A00B96F93069AC2
SHA256: 196BAA02998C22643F368983026387F5A549E978BBB04E499739FD3EF14E9455
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | executable
MD5: 4E07F7313810911920F36B20A7085911
SHA256: 76DF4333CB48E4B5A5CA200323AE98A4D8BECD47EC7E02FAB7164234A56F65F4
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | executable
MD5: 74F0893C29B1F0D231533882F319FE7B
SHA256: D00C7E5DE6CBE7386B0779F211CA9EB84A958796FEAD9C5203B0F9ED474F5C58
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | executable
MD5: 917D49728AD29F2675AFBC8CA147C3A3
SHA256: B95230ABFA21AD818F4DCBA7A9A1E6AC0383C57D0ABC395F6B9A4F1FB4FE0808
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe | executable
MD5: 82B4D67818AA0FCE2286633B99EA9265
SHA256: ADC929FC92ECF6C293C013971D78B631AC5BBA0E3735F3DE293B1C7D05A21664
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | executable
MD5: 4C2D48876698F2E429FDBFB87CA93423
SHA256: 64BAFD663D1313F68F7B641A43671D3A236D45274A7A035009959DC0A5B2091A
7152 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\0693739D\api-ms-win-core-console-l1-1-0.dll | executable
MD5: 502263C56F931DF8440D7FD2FA7B7C00
SHA256: 94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 30
DNS requests: 12
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7152 | RegSvcs.exe | POST | 200 | 104.21.16.1:80 | http://k1d5.icu/TP341/index.php | unknown | - | - | malicious
7152 | RegSvcs.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/w | unknown | - | - | malicious
7152 | RegSvcs.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/as | unknown | - | - | malicious
7152 | RegSvcs.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/rcqfmuue | unknown | - | - | unknown
7152 | RegSvcs.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/heyfomqfqb | unknown | - | - | malicious
7152 | RegSvcs.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/ndai | unknown | - | - | malicious
7152 | RegSvcs.exe | GET | 200 | 13.248.148.254:80 | http://ww12.przvgke.biz/rcqfmuue?usid=26&utid=11017518076 | unknown | - | - | unknown
7152 | RegSvcs.exe | POST | 200 | 104.21.16.1:80 | http://k1d5.icu/TP341/index.php | unknown | - | - | malicious
7152 | RegSvcs.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/gthkbjvdpmebnlo | unknown | - | - | unknown
7152 | RegSvcs.exe | POST | 200 | 18.141.10.107:80 | http://knjghuig.biz/aust | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7152 | RegSvcs.exe | 104.21.16.1:80 | k1d5.icu | CLOUDFLARENET | - | malicious
7152 | RegSvcs.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
7152 | RegSvcs.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | malicious
7152 | RegSvcs.exe | 44.221.84.105:80 | npukfztj.biz | AMAZON-AES | US | malicious
7152 | RegSvcs.exe | 72.52.178.23:80 | przvgke.biz | LIQUIDWEB | US | unknown
7152 | RegSvcs.exe | 13.248.148.254:80 | ww12.przvgke.biz | AMAZON-02 | US | unknown
780 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted
k1d5.icu | 104.21.16.1, 104.21.112.1, 104.21.96.1, 104.21.64.1, 104.21.80.1, 104.21.48.1, 104.21.32.1 | malicious
pywolwnvd.biz | 54.244.188.177 | malicious
ssbzmoy.biz | 18.141.10.107 | malicious
cvgrf.biz | 54.244.188.177 | malicious
npukfztj.biz | 44.221.84.105 | malicious
przvgke.biz | 72.52.178.23 | unknown
ww12.przvgke.biz | 13.248.148.254, 76.223.26.96 | unknown
zlenh.biz | - | unknown

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain
7152 | RegSvcs.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/AZORult V3.3 Client Checkin M15
7152 | RegSvcs.exe | Malware Command and Control Activity Detected | ET MALWARE AZORult v3.3 Server Response M2
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
No debug info