File name: MUH030425.exe

Full analysis: https://app.any.run/tasks/85bf7912-fea4-4a73-b94d-c62f93b9cfb1
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: March 04, 2025, 08:39:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: m0yv, stealer, azorult, sinkhole, loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 7958C012F2EFC42CC7FF436D3377ABCC
SHA1: D854A2CB11B56D64DD7F87EE91EA47F305CE82BF
SHA256: B5C538F89CA2E3D9A8085BC387D85F7F50E9470975FFEC25FE040C26226BECCB
SSDEEP: 49152:dAVaKZ0AeijfdOpeqKZbA6JaZR9mFgRfROrFdVMFo7Qwq7t2IfLeBc7izkezef3+:dcaK2PaiFKZbABZR7irRMG7tq52INizl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • MUH030425.exe (PID: 1020)
    • Connects to the CnC server

      • RegSvcs.exe (PID: 7152)
    • AZORULT has been detected (SURICATA)

      • RegSvcs.exe (PID: 7152)
    • Actions look like stealing of personal data

      • RegSvcs.exe (PID: 7152)
    • Starts CMD.EXE for self-deleting

      • RegSvcs.exe (PID: 7152)
    • AZORULT has been detected (YARA)

      • RegSvcs.exe (PID: 7152)
    • M0YV has been detected (YARA)

      • RegSvcs.exe (PID: 7152)
    • Steals credentials from Web Browsers

      • RegSvcs.exe (PID: 7152)
    • M0YV mutex has been found

      • RegSvcs.exe (PID: 7152)
    • AZORULT mutex has been detected

      • RegSvcs.exe (PID: 7152)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Reads security settings of Internet Explorer

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Executes application which crashes

      • MUH030425.exe (PID: 1020)
    • Process drops legitimate Windows executable

      • RegSvcs.exe (PID: 7152)
    • Contacting a server suspected of hosting a CnC

      • RegSvcs.exe (PID: 7152)
    • The process drops C-runtime libraries

      • RegSvcs.exe (PID: 7152)
    • The process drops Mozilla's DLL files

      • RegSvcs.exe (PID: 7152)
    • Searches for installed software

      • RegSvcs.exe (PID: 7152)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 664)
    • Starts CMD.EXE for commands execution

      • RegSvcs.exe (PID: 7152)
    • There is functionality for taking screenshots (YARA)

      • RegSvcs.exe (PID: 7152)
    • Deletes system .NET executable

      • cmd.exe (PID: 664)
  • INFO

    • Checks supported languages

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Reads the computer name

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Creates files or folders in the user directory

      • RegSvcs.exe (PID: 7152)
      • MUH030425.exe (PID: 1020)
      • WerFault.exe (PID: 4268)
    • Reads the machine GUID from the registry

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Creates files in a temporary directory

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Process checks computer location settings

      • MUH030425.exe (PID: 1020)
      • RegSvcs.exe (PID: 7152)
    • Checks proxy server information

      • RegSvcs.exe (PID: 7152)
      • slui.exe (PID: 6752)
    • The sample was compiled with English language support

      • RegSvcs.exe (PID: 7152)
    • Reads CPU info

      • RegSvcs.exe (PID: 7152)
    • Reads the software policy settings

      • slui.exe (PID: 6752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

azorult

(PID) Process: (7152) RegSvcs.exe
Hosts: http://k1d5.icu/TP341/index.php
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:04 08:03:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1621504
InitializedDataSize: 34304
UninitializedDataSize: -
EntryPoint: 0x18dd8a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.0
ProductVersionNumber: 1.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: InSim packet sniffer for the racing simulator Live for Speed
CompanyName: -
FileDescription: InSimSniffer
FileVersion: 1.3.2.0
InternalName: pixuBt.exe
LegalCopyright: Copyright © Alex McBride 2009 - 2012
LegalTrademarks: -
OriginalFileName: pixuBt.exe
ProductName: InSimSniffer
ProductVersion: 1.3.2.0
AssemblyVersion: 1.3.2.0
All screenshots are available in the full report
Total processes: 130
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, muh030425.exe, schtasks.exe (no specs), conhost.exe (no specs), regsvcs.exe (#M0YV), werfault.exe (no specs), svchost.exe, cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs), slui.exe

Process information

PID: 664
CMD: "C:\WINDOWS\system32\cmd.exe" /c C:\WINDOWS\system32\timeout.exe 3 & del "RegSvcs.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: RegSvcs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1020
CMD: "C:\Users\admin\Desktop\MUH030425.exe"
Path: C:\Users\admin\Desktop\MUH030425.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
InSimSniffer
Exit code:
3762504530
Version:
1.3.2.0
Modules
Images
c:\users\admin\desktop\muh030425.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 1180
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\admin\AppData\Local\Temp\tmp6109.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: MUH030425.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2268
CMD: C:\WINDOWS\system32\timeout.exe 3
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4268
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1020 -s 1852
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: MUH030425.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6132
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6752
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7152
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: MUH030425.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 6 390
Read events: 6 387
Write events: 3
Delete events: 0

Modification events

(PID) Process: (7152) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7152) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7152) RegSvcs.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 56
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4268 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MUH030425.exe_1db42179d057652d3e28b63f8b6b7dee6f9cb85_2bfe8698_e460f056-f8df-46f0-af0e-a477bede7cc5\Report.wer | -
  MD5: -
  SHA256: -
4268 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\MUH030425.exe.1020.dmp | -
  MD5: -
  SHA256: -
1020 | MUH030425.exe | C:\Users\admin\AppData\Local\Temp\tmp6109.tmp | xml
  MD5: 7AA6E325FB4AE0672B4B0C1E8FA170E1
  SHA256: CA60EDC9C456F26450894B55A75DA624198F9E4650EA265E42C3D36ABB228797
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | executable
  MD5: BA7F11A5E1A2D13A17124C118701AD91
  SHA256: 866F5B324D7C53D0956EA4100FAF50CB99B6C3B254B8803A11F8D5C37005D296
4268 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6772.tmp.WERInternalMetadata.xml | binary
  MD5: 79334BDF34A9AC973292A78F15CC18CB
  SHA256: 0CBCA17CFB0D0423E8E891F09996DCE2065B315F3295AF56A2825C7A4C4EC9E4
7152 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
  MD5: 902803D53A5035D74A00B96F93069AC2
  SHA256: 196BAA02998C22643F368983026387F5A549E978BBB04E499739FD3EF14E9455
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | executable
  MD5: 4E07F7313810911920F36B20A7085911
  SHA256: 76DF4333CB48E4B5A5CA200323AE98A4D8BECD47EC7E02FAB7164234A56F65F4
7152 | RegSvcs.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | executable
  MD5: 4C2D48876698F2E429FDBFB87CA93423
  SHA256: 64BAFD663D1313F68F7B641A43671D3A236D45274A7A035009959DC0A5B2091A
7152 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\0693739D\api-ms-win-core-file-l1-2-0.dll | executable
  MD5: E2F648AE40D234A3892E1455B4DBBE05
  SHA256: C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
7152 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\0693739D\api-ms-win-core-debug-l1-1-0.dll | executable
  MD5: 88FF191FD8648099592ED28EE6C442A5
  SHA256: C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 30
DNS requests: 12
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7152 | RegSvcs.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/w | - | unknown | - | malicious
7152 | RegSvcs.exe | POST | 200 | 104.21.16.1:80 | http://k1d5.icu/TP341/index.php | - | unknown | - | malicious
7152 | RegSvcs.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/as | - | unknown | - | malicious
7152 | RegSvcs.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/heyfomqfqb | - | unknown | - | malicious
7152 | RegSvcs.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/rcqfmuue | - | unknown | - | unknown
7152 | RegSvcs.exe | POST | 200 | 104.21.16.1:80 | http://k1d5.icu/TP341/index.php | - | unknown | - | malicious
7152 | RegSvcs.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/ndai | - | unknown | - | malicious
7152 | RegSvcs.exe | GET | 200 | 13.248.148.254:80 | http://ww12.przvgke.biz/rcqfmuue?usid=26&utid=11017518076 | - | unknown | - | unknown
7152 | RegSvcs.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/gthkbjvdpmebnlo | - | unknown | - | unknown
7152 | RegSvcs.exe | GET | 200 | 13.248.148.254:80 | http://ww12.przvgke.biz/gthkbjvdpmebnlo?usid=26&utid=11017518382 | - | unknown | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7152 | RegSvcs.exe | 104.21.16.1:80 | k1d5.icu | CLOUDFLARENET | - | malicious
7152 | RegSvcs.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
7152 | RegSvcs.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | malicious
7152 | RegSvcs.exe | 44.221.84.105:80 | npukfztj.biz | AMAZON-AES | US | malicious
7152 | RegSvcs.exe | 72.52.178.23:80 | przvgke.biz | LIQUIDWEB | US | unknown
7152 | RegSvcs.exe | 13.248.148.254:80 | ww12.przvgke.biz | AMAZON-02 | US | unknown
780 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 172.217.18.14 | whitelisted
k1d5.icu | 104.21.16.1, 104.21.112.1, 104.21.96.1, 104.21.64.1, 104.21.80.1, 104.21.48.1, 104.21.32.1 | malicious
pywolwnvd.biz | 54.244.188.177 | malicious
ssbzmoy.biz | 18.141.10.107 | malicious
cvgrf.biz | 54.244.188.177 | malicious
npukfztj.biz | 44.221.84.105 | malicious
przvgke.biz | 72.52.178.23 | unknown
ww12.przvgke.biz | 13.248.148.254, 76.223.26.96 | unknown
zlenh.biz | - | unknown

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain
7152 | RegSvcs.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/AZORult V3.3 Client Checkin M15
7152 | RegSvcs.exe | Malware Command and Control Activity Detected | ET MALWARE AZORult v3.3 Server Response M2
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
7152 | RegSvcs.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)