Malware analysis Azorult.exe Malicious activity | ANY.RUN

Add for printing

File name:	Azorult.exe
Full analysis:	https://app.any.run/tasks/5649d66d-b8f9-48e3-925f-80fc6f82d1c7
Verdict:	Malicious activity
Threats:	Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	February 13, 2024, 02:33:39
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	miner rat rms autoit evasion metamorfo opendir
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	5DF0CF8B8AA7E56884F71DA3720FB2C6
SHA1:	0610E911ADE5D666A45B41F771903170AF58A05A
SHA256:	DD396A3F66AD728660023CB116235F3CB1C35D679A155B08EC6A9CCAF966C360
SSDEEP:	196608:NjIrZDbMLq8TKqTNNRYWzmf1e4Qx/PMPTZPkTGX9sqiL/aVvTAs:N2Z4DRYWXdaZPGy9sJL/aVv/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Azorult.exe (PID: 3784)
  - wini.exe (PID: 2036)
  - cheat.exe (PID: 2804)
  - taskhost.exe (PID: 2040)
  - P.exe (PID: 1784)
  - R8.exe (PID: 2908)
  - Rar.exe (PID: 3232)
  - winlog.exe (PID: 2080)
  - taskhostw.exe (PID: 3548)
  - RDPWInst.exe (PID: 1264)
- Disables Windows Defender
  - Azorult.exe (PID: 3784)
- UAC/LUA settings modification
  - Azorult.exe (PID: 3784)
  - regedit.exe (PID: 2408)
- RMS is detected
  - regedit.exe (PID: 2408)
  - regedit.exe (PID: 2908)
  - rutserv.exe (PID: 1740)
- METAMORFO has been detected (YARA)
  - rutserv.exe (PID: 1740)
- Changes the Windows auto-update feature
  - powershell.exe (PID: 3016)
- Starts NET.EXE to view/add/change user profiles
  - cmd.exe (PID: 2672)
  - net.exe (PID: 1808)
- Starts NET.EXE to view/change users localgroup
  - net.exe (PID: 2484)
  - cmd.exe (PID: 2672)
  - net.exe (PID: 2308)
  - net.exe (PID: 2020)
  - net.exe (PID: 2748)
  - net.exe (PID: 2384)
  - net.exe (PID: 1864)
  - net.exe (PID: 3224)
  - net.exe (PID: 3556)
  - net.exe (PID: 2296)
- Uses Task Scheduler to autorun other applications
  - taskhost.exe (PID: 2040)
  - Azorult.exe (PID: 3784)
- Creates or modifies Windows services
  - RDPWInst.exe (PID: 1264)
- Changes appearance of the Explorer extensions
  - taskhostw.exe (PID: 3548)
- Starts NET.EXE to view/change login properties
  - cmd.exe (PID: 2672)
  - net.exe (PID: 2488)
- Changes the autorun value in the registry
  - taskhostw.exe (PID: 3548)
SUSPICIOUS
- Dropped object may contain URLs of mainers pools
  - Azorult.exe (PID: 3784)
- Executable content was dropped or overwritten
  - Azorult.exe (PID: 3784)
  - wini.exe (PID: 2036)
  - cheat.exe (PID: 2804)
  - taskhost.exe (PID: 2040)
  - P.exe (PID: 1784)
  - R8.exe (PID: 2908)
  - winlog.exe (PID: 2080)
  - Rar.exe (PID: 3232)
  - taskhostw.exe (PID: 3548)
  - RDPWInst.exe (PID: 1264)
- The process executes VB scripts
  - wini.exe (PID: 2036)
  - R8.exe (PID: 2908)
  - cmd.exe (PID: 3072)
- Reads the Internet Settings
  - wini.exe (PID: 2036)
  - wscript.exe (PID: 1692)
  - cheat.exe (PID: 2804)
  - ink.exe (PID: 2344)
  - winit.exe (PID: 2860)
  - R8.exe (PID: 2908)
  - wscript.exe (PID: 2168)
  - winlog.exe (PID: 2080)
  - winlogon.exe (PID: 3000)
  - cmd.exe (PID: 3072)
  - wscript.exe (PID: 2792)
  - RDPWInst.exe (PID: 1264)
  - Azorult.exe (PID: 3784)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
  - RDPWInst.exe (PID: 2636)
- Reads security settings of Internet Explorer
  - wini.exe (PID: 2036)
  - cheat.exe (PID: 2804)
  - ink.exe (PID: 2344)
  - winit.exe (PID: 2860)
  - R8.exe (PID: 2908)
  - winlog.exe (PID: 2080)
  - winlogon.exe (PID: 3000)
  - RDPWInst.exe (PID: 1264)
  - Azorult.exe (PID: 3784)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
  - RDPWInst.exe (PID: 2636)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 1692)
  - Azorult.exe (PID: 3784)
  - winit.exe (PID: 2860)
  - wscript.exe (PID: 2168)
  - winlogon.exe (PID: 3000)
  - wscript.exe (PID: 2792)
  - winlogon.exe (PID: 2636)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 1692)
  - winit.exe (PID: 2860)
  - wscript.exe (PID: 2168)
  - winlogon.exe (PID: 3000)
  - wscript.exe (PID: 2792)
  - taskhost.exe (PID: 2040)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 1692)
  - wscript.exe (PID: 2168)
  - wscript.exe (PID: 2792)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 3940)
  - cmd.exe (PID: 2672)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 3940)
  - cmd.exe (PID: 4004)
  - cmd.exe (PID: 3072)
  - cmd.exe (PID: 3640)
- Reads the date of Windows installation
  - rutserv.exe (PID: 3180)
  - rutserv.exe (PID: 3724)
  - rutserv.exe (PID: 1740)
  - rutserv.exe (PID: 3164)
  - rfusclient.exe (PID: 3068)
  - rfusclient.exe (PID: 1560)
  - rfusclient.exe (PID: 2132)
- Executes as Windows Service
  - rutserv.exe (PID: 1740)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 3940)
  - cmd.exe (PID: 3640)
  - cmd.exe (PID: 2672)
- Connects to unusual port
  - rutserv.exe (PID: 1740)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3940)
  - cmd.exe (PID: 3252)
  - cmd.exe (PID: 4084)
  - cmd.exe (PID: 4092)
  - cmd.exe (PID: 2496)
  - cmd.exe (PID: 2448)
  - cmd.exe (PID: 1288)
  - cmd.exe (PID: 3472)
  - cmd.exe (PID: 4036)
  - cmd.exe (PID: 3588)
  - cmd.exe (PID: 3624)
  - cmd.exe (PID: 2996)
  - cmd.exe (PID: 3668)
  - cmd.exe (PID: 1040)
  - cmd.exe (PID: 1776)
  - cmd.exe (PID: 1880)
  - cmd.exe (PID: 3948)
  - cmd.exe (PID: 3092)
  - cmd.exe (PID: 2208)
  - cmd.exe (PID: 3972)
  - cmd.exe (PID: 696)
  - cmd.exe (PID: 2372)
- The process creates files with name similar to system file names
  - cheat.exe (PID: 2804)
  - Azorult.exe (PID: 3784)
- Application launched itself
  - rfusclient.exe (PID: 1560)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 2904)
  - cmd.exe (PID: 2388)
  - cmd.exe (PID: 3128)
  - cmd.exe (PID: 3800)
  - cmd.exe (PID: 480)
  - cmd.exe (PID: 3520)
  - cmd.exe (PID: 1636)
  - cmd.exe (PID: 784)
  - cmd.exe (PID: 1172)
  - cmd.exe (PID: 2448)
  - cmd.exe (PID: 2752)
  - cmd.exe (PID: 2996)
  - cmd.exe (PID: 1196)
  - cmd.exe (PID: 3084)
  - cmd.exe (PID: 3464)
  - cmd.exe (PID: 3276)
  - cmd.exe (PID: 3052)
  - cmd.exe (PID: 3012)
  - cmd.exe (PID: 3336)
  - cmd.exe (PID: 2908)
  - cmd.exe (PID: 2672)
  - RDPWInst.exe (PID: 1264)
- Uses NETSH.EXE to change the status of the firewall
  - cmd.exe (PID: 2148)
- Reads settings of System Certificates
  - winit.exe (PID: 2860)
  - RDPWInst.exe (PID: 1264)
  - Azorult.exe (PID: 3784)
  - RDPWInst.exe (PID: 2636)
- The process verifies whether the antivirus software is installed
  - winit.exe (PID: 2860)
  - icacls.exe (PID: 3584)
  - icacls.exe (PID: 2344)
  - icacls.exe (PID: 3664)
  - icacls.exe (PID: 3224)
  - Azorult.exe (PID: 3784)
  - icacls.exe (PID: 2748)
  - icacls.exe (PID: 2308)
  - icacls.exe (PID: 296)
  - icacls.exe (PID: 2864)
  - icacls.exe (PID: 3240)
  - icacls.exe (PID: 2648)
  - icacls.exe (PID: 3872)
  - icacls.exe (PID: 3808)
  - icacls.exe (PID: 3024)
  - icacls.exe (PID: 2996)
- Uses ICACLS.EXE to modify access control lists
  - cmd.exe (PID: 1816)
  - cmd.exe (PID: 1928)
  - cmd.exe (PID: 2096)
  - cmd.exe (PID: 2364)
  - cmd.exe (PID: 2240)
  - cmd.exe (PID: 3324)
  - cmd.exe (PID: 2484)
  - cmd.exe (PID: 3800)
  - cmd.exe (PID: 3808)
  - cmd.exe (PID: 2584)
  - cmd.exe (PID: 3504)
  - cmd.exe (PID: 1036)
  - cmd.exe (PID: 984)
  - cmd.exe (PID: 3744)
  - cmd.exe (PID: 3000)
  - cmd.exe (PID: 2448)
  - cmd.exe (PID: 3008)
  - cmd.exe (PID: 2136)
  - cmd.exe (PID: 3412)
  - cmd.exe (PID: 3432)
  - cmd.exe (PID: 2132)
  - cmd.exe (PID: 1776)
  - cmd.exe (PID: 2348)
  - cmd.exe (PID: 1936)
  - cmd.exe (PID: 1404)
  - cmd.exe (PID: 3748)
  - cmd.exe (PID: 3256)
  - cmd.exe (PID: 2896)
  - cmd.exe (PID: 3212)
  - cmd.exe (PID: 1168)
  - cmd.exe (PID: 1696)
  - cmd.exe (PID: 3276)
  - cmd.exe (PID: 3972)
  - cmd.exe (PID: 1892)
  - cmd.exe (PID: 2240)
  - cmd.exe (PID: 2772)
  - cmd.exe (PID: 2640)
  - cmd.exe (PID: 2108)
  - cmd.exe (PID: 552)
  - cmd.exe (PID: 2020)
  - cmd.exe (PID: 1628)
  - cmd.exe (PID: 2112)
  - cmd.exe (PID: 2192)
  - cmd.exe (PID: 3156)
  - cmd.exe (PID: 3808)
  - cmd.exe (PID: 3692)
  - cmd.exe (PID: 3212)
  - cmd.exe (PID: 1836)
  - cmd.exe (PID: 4044)
  - cmd.exe (PID: 3588)
  - cmd.exe (PID: 3148)
  - cmd.exe (PID: 4056)
  - cmd.exe (PID: 3656)
  - cmd.exe (PID: 568)
  - cmd.exe (PID: 532)
  - cmd.exe (PID: 1424)
  - cmd.exe (PID: 1036)
  - cmd.exe (PID: 2788)
  - cmd.exe (PID: 2776)
  - cmd.exe (PID: 3044)
  - cmd.exe (PID: 4056)
  - cmd.exe (PID: 3624)
- Adds/modifies Windows certificates
  - winit.exe (PID: 2860)
  - Azorult.exe (PID: 3784)
- Checks for external IP
  - winit.exe (PID: 2860)
  - Azorult.exe (PID: 3784)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 3072)
  - cmd.exe (PID: 3640)
- Starts application with an unusual extension
  - cmd.exe (PID: 3072)
  - cmd.exe (PID: 2672)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 2540)
- Checks Windows Trust Settings
  - drvinst.exe (PID: 2780)
  - RDPWInst.exe (PID: 1264)
  - Azorult.exe (PID: 3784)
  - RDPWInst.exe (PID: 2636)
- Detected use of alternative data streams (AltDS)
  - taskhostw.exe (PID: 3548)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 3636)
- Connects to FTP
  - taskhostw.exe (PID: 3548)
- The process executes via Task Scheduler
  - taskhostw.exe (PID: 1824)
  - taskhostw.exe (PID: 3780)
  - taskhostw.exe (PID: 3644)
  - taskhostw.exe (PID: 4032)
INFO
- Checks supported languages
  - Azorult.exe (PID: 3784)
  - wini.exe (PID: 2036)
  - winit.exe (PID: 2860)
  - rutserv.exe (PID: 3180)
  - rutserv.exe (PID: 3164)
  - rutserv.exe (PID: 3724)
  - rutserv.exe (PID: 1740)
  - rfusclient.exe (PID: 3068)
  - cheat.exe (PID: 2804)
  - rfusclient.exe (PID: 1560)
  - taskhost.exe (PID: 2040)
  - P.exe (PID: 1784)
  - ink.exe (PID: 2344)
  - rfusclient.exe (PID: 2132)
  - R8.exe (PID: 2908)
  - Rar.exe (PID: 3232)
  - chcp.com (PID: 3108)
  - winlogon.exe (PID: 3000)
  - winlog.exe (PID: 2080)
  - chcp.com (PID: 3496)
  - drvinst.exe (PID: 2780)
  - RDPWInst.exe (PID: 1264)
  - taskhostw.exe (PID: 3548)
  - winlogon.exe (PID: 2636)
  - wmpnscfg.exe (PID: 2996)
  - wmpnscfg.exe (PID: 2120)
  - wmpnscfg.exe (PID: 2536)
  - RDPWInst.exe (PID: 2636)
  - wmpnscfg.exe (PID: 2136)
  - taskhostw.exe (PID: 1824)
  - taskhostw.exe (PID: 3780)
  - taskhostw.exe (PID: 3644)
  - taskhostw.exe (PID: 4032)
- Reads mouse settings
  - Azorult.exe (PID: 3784)
  - winit.exe (PID: 2860)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
  - winlogon.exe (PID: 2636)
  - taskhostw.exe (PID: 1824)
  - taskhostw.exe (PID: 3644)
  - taskhostw.exe (PID: 3780)
  - taskhostw.exe (PID: 4032)
- Reads the computer name
  - Azorult.exe (PID: 3784)
  - wini.exe (PID: 2036)
  - rutserv.exe (PID: 3180)
  - rutserv.exe (PID: 3164)
  - rutserv.exe (PID: 3724)
  - rutserv.exe (PID: 1740)
  - rfusclient.exe (PID: 3068)
  - rfusclient.exe (PID: 1560)
  - cheat.exe (PID: 2804)
  - P.exe (PID: 1784)
  - ink.exe (PID: 2344)
  - rfusclient.exe (PID: 2132)
  - winit.exe (PID: 2860)
  - R8.exe (PID: 2908)
  - Rar.exe (PID: 3232)
  - winlog.exe (PID: 2080)
  - winlogon.exe (PID: 3000)
  - drvinst.exe (PID: 2780)
  - RDPWInst.exe (PID: 1264)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
  - wmpnscfg.exe (PID: 2536)
  - wmpnscfg.exe (PID: 2136)
  - RDPWInst.exe (PID: 2636)
  - wmpnscfg.exe (PID: 2996)
  - wmpnscfg.exe (PID: 2120)
  - taskhostw.exe (PID: 1824)
  - taskhostw.exe (PID: 4032)
  - taskhostw.exe (PID: 3644)
  - taskhostw.exe (PID: 3780)
- Creates files in the program directory
  - Azorult.exe (PID: 3784)
  - wini.exe (PID: 2036)
  - cheat.exe (PID: 2804)
  - taskhost.exe (PID: 2040)
  - P.exe (PID: 1784)
  - winit.exe (PID: 2860)
  - winlog.exe (PID: 2080)
  - RDPWInst.exe (PID: 1264)
  - taskhostw.exe (PID: 3548)
- Create files in a temporary directory
  - Azorult.exe (PID: 3784)
  - taskhost.exe (PID: 2040)
  - winit.exe (PID: 2860)
  - winlogon.exe (PID: 3000)
  - taskhostw.exe (PID: 3548)
- Reads Windows Product ID
  - rutserv.exe (PID: 3180)
  - rutserv.exe (PID: 3724)
  - rutserv.exe (PID: 1740)
  - rutserv.exe (PID: 3164)
  - rfusclient.exe (PID: 3068)
  - rfusclient.exe (PID: 1560)
  - rfusclient.exe (PID: 2132)
- Reads product name
  - rutserv.exe (PID: 3180)
  - rutserv.exe (PID: 3724)
  - rutserv.exe (PID: 3164)
  - rutserv.exe (PID: 1740)
  - rfusclient.exe (PID: 3068)
  - rfusclient.exe (PID: 1560)
  - ink.exe (PID: 2344)
  - rfusclient.exe (PID: 2132)
- Reads Environment values
  - rutserv.exe (PID: 3180)
  - rutserv.exe (PID: 3724)
  - rutserv.exe (PID: 1740)
  - rutserv.exe (PID: 3164)
  - rfusclient.exe (PID: 3068)
  - rfusclient.exe (PID: 1560)
  - ink.exe (PID: 2344)
  - rfusclient.exe (PID: 2132)
- Reads the machine GUID from the registry
  - ink.exe (PID: 2344)
  - winit.exe (PID: 2860)
  - drvinst.exe (PID: 2780)
  - RDPWInst.exe (PID: 1264)
  - taskhostw.exe (PID: 3548)
  - Azorult.exe (PID: 3784)
  - taskhost.exe (PID: 2040)
  - RDPWInst.exe (PID: 2636)
- Checks proxy server information
  - ink.exe (PID: 2344)
  - winit.exe (PID: 2860)
  - RDPWInst.exe (PID: 1264)
  - Azorult.exe (PID: 3784)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
  - RDPWInst.exe (PID: 2636)
- Reads CPU info
  - winit.exe (PID: 2860)
- Creates files or folders in the user directory
  - winit.exe (PID: 2860)
  - RDPWInst.exe (PID: 1264)
  - taskhost.exe (PID: 2040)
  - taskhostw.exe (PID: 3548)
  - Azorult.exe (PID: 3784)
  - RDPWInst.exe (PID: 2636)
- Reads the software policy settings
  - winit.exe (PID: 2860)
  - drvinst.exe (PID: 2780)
  - RDPWInst.exe (PID: 1264)
  - Azorult.exe (PID: 3784)
  - RDPWInst.exe (PID: 2636)
- Manual execution by a user
  - wmpnscfg.exe (PID: 2996)
  - wmpnscfg.exe (PID: 2536)
  - wmpnscfg.exe (PID: 2136)
  - wmpnscfg.exe (PID: 2120)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:11:19 10:51:15+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	581120
InitializedDataSize:	9926656
UninitializedDataSize:	-
EntryPoint:	0x27f4a
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

517

Monitored processes

339

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

296

icacls "C:\Program Files (x86)\AVAST Software" /deny admin:(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

296

schtasks /Delete /TN "GoogleUpdateTaskMachineCore" /F

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

316

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

316

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\System32\cmd.exe

—

taskhostw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

324

taskkill /f /im Rar.exe

C:\Windows\System32\taskkill.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

480

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\System32\cmd.exe

—

Azorult.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

480

icacls "C:\Windows\Fonts\Mysql" /deny admin:(OI)(CI)(F)

C:\Windows\System32\icacls.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

480

schtasks /Delete /TN "GoogleUpdateTaskMachineUA" /F

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

532

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\cmd.exe

—

Azorult.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

552

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)

C:\Windows\System32\cmd.exe

—

Azorult.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

56 813

Read events

54 932

Write events

1 747

Delete events

134

Modification events


(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Operation:	write	Name:	John
Value: 0
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation:	write	Name:	DisableIOAVProtection
Value: 1
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation:	write	Name:	DisableBehaviorMonitoring
Value: 1
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation:	write	Name:	DisableOnAccessProtection
Value: 1
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation:	write	Name:	DisableRawWriteNotification
Value: 1
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	DisableBlockAltFirstSeen
Value: 1
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	LocalSettingOverrideSpynetRepting
Value: 0
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:	write	Name:	SumbitSamplesConsent
Value: 2
(PID) Process:	(3784) Azorult.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
Operation:	write	Name:	Exclusions_Paths
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3784	Azorult.exe	C:\Programdata\Microsoft\Check\Check.txt		—
		MD5:—	SHA256:—
3784	Azorult.exe	C:\Programdata\Microsoft\temp\Clean.bat		text
		MD5:041E144A6429A6926771B0469B901630	SHA256:1134B862F4D0CE10466742BEB334C06C2386E85ACAD72725DDB1CECB1871B312
3784	Azorult.exe	C:\Users\admin\AppData\Local\Temp\autF136.tmp		binary
		MD5:7B5818F70DA8C573F74BE380A6658570	SHA256:7985A07B0E5795C7DFAC7489B91A9B15CE9C0534DA1FFC2AE385F9FCAEFE92AB
3784	Azorult.exe	C:\Users\admin\AppData\Local\Temp\autF146.tmp		binary
		MD5:0E65104906591BA1FAB714B173A460FB	SHA256:83B28E026DE4CE5588039491968A4E360C7334CEEAFC0E64A63BB19EFDE7F985
3784	Azorult.exe	C:\Programdata\Microsoft\temp\H.bat		text
		MD5:76303BB3BB0FAA707000DF998D8C9F3D	SHA256:A33AF2B70AD8FEA8900B6BD31AC7B0AAB8A2B8B79E3E27ADAFBD34BDFCB67549
2036	wini.exe	C:\ProgramData\Windows\rutserv.exe		executable
		MD5:37A8802017A212BB7F5255ABC7857969	SHA256:1699B9B4FC1724F9B0918B57CA58C453829A3935EFD89BD4E9FA66B5E9F2B8A6
2036	wini.exe	C:\ProgramData\Windows\install.bat		text
		MD5:DB76C882184E8D2BAC56865C8E88F8FD	SHA256:E3DB831CDB021D6221BE26A36800844E9AF13811BAC9E4961AC21671DFF9207A
2036	wini.exe	C:\ProgramData\Windows\rfusclient.exe		executable
		MD5:B8667A1E84567FCF7821BCEFB6A444AF	SHA256:DC9D875E659421A51ADDD8E8A362C926369E84320AB0C5D8BBB1E4D12D372FC9
2036	wini.exe	C:\ProgramData\Windows\winit.exe		executable
		MD5:03A781BB33A21A742BE31DEB053221F3	SHA256:E95FC3E7ED9EC61BA7214CC3FE5D869E2EE22ABBEAC3052501813BB2B6DDE210
2036	wini.exe	C:\ProgramData\Windows\vp8encoder.dll		executable
		MD5:6298C0AF3D1D563834A218A9CC9F54BD	SHA256:81AF82019D9F45A697A8CA1788F2C5C0205AF9892EFD94879DEDF4BC06DB4172

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3784	Azorult.exe	GET	304	95.101.54.113:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?427c9e24a1504d9e	unknown	—	—	unknown
2860	winit.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	binary	313 b	unknown
1264	RDPWInst.exe	GET	304	95.101.54.113:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?06f9130f5a672118	unknown	—	—	unknown
3784	Azorult.exe	GET	200	95.101.54.113:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c560cb65c7ee1331	unknown	compressed	65.2 Kb	unknown
3548	taskhostw.exe	GET	200	152.89.218.85:80	http://taskhostw.com/randomx/STATUS.html	unknown	text	6 b	unknown
3548	taskhostw.exe	GET	404	152.89.218.85:80	http://taskhostw.com/randomx/loaderTOP.html	unknown	html	275 b	unknown
3548	taskhostw.exe	GET	200	152.89.218.85:80	http://taskhostw.com/randomx/Login.html	unknown	text	4 b	unknown
3784	Azorult.exe	GET	200	2.18.97.144:80	http://x1.c.lencr.org/	unknown	binary	717 b	unknown
3784	Azorult.exe	GET	200	69.192.161.44:80	http://x2.c.lencr.org/	unknown	binary	299 b	unknown
3548	taskhostw.exe	GET	200	152.89.218.85:80	http://taskhostw.com/randomx/Password.html	unknown	text	12 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1740	rutserv.exe	95.213.205.83:5655	rms-server.tektonit.ru	OOO Network of data-centers Selectel	RU	unknown
2860	winit.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	unknown
2860	winit.exe	194.0.200.251:465	freemail.freehost.com.ua	PE Freehost	UA	unknown
1264	RDPWInst.exe	185.199.110.133:443	raw.githubusercontent.com	FASTLY	US	unknown
1264	RDPWInst.exe	95.101.54.113:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
3784	Azorult.exe	104.21.4.208:443	iplogger.org	CLOUDFLARENET	—	unknown
3784	Azorult.exe	95.101.54.113:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
rms-server.tektonit.ru	95.213.205.83	malicious
boglogov.site	—	unknown
ip-api.com	208.95.112.1	shared
freemail.freehost.com.ua	194.0.200.251	unknown
raw.githubusercontent.com	185.199.110.133 185.199.108.133 185.199.109.133 185.199.111.133	shared
ctldl.windowsupdate.com	95.101.54.113 95.101.54.105	whitelisted
iplogger.org	104.21.4.208 172.67.132.113	shared
taskhostw.com	152.89.218.85	unknown
x1.c.lencr.org	2.18.97.144	whitelisted
x2.c.lencr.org	69.192.161.44	whitelisted

Threats

PID	Process	Class	Message
2860	winit.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2860	winit.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2860	winit.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
1080	svchost.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
3784	Azorult.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (iplogger .org in TLS SNI)
3548	taskhostw.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
3548	taskhostw.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
3548	taskhostw.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
3548	taskhostw.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
3548	taskhostw.exe	Potential Corporate Privacy Violation	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

6 ETPRO signatures available at the full report

Add for printing

Process	Message
rutserv.exe	TMainService.Start
rutserv.exe	GUID_MONITOR_POWER_ON
rutserv.exe	13-02-2024_02:34:25:580#T:Msg Size: 104
rutserv.exe	13-02-2024_02:34:25:580#T:Msg code: 3
rutserv.exe	13-02-2024_02:34:25:580#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE
rutserv.exe	13-02-2024_02:36:47:689#T:Msg Size: 104
rutserv.exe	13-02-2024_02:36:47:689#T:Msg code: 3
rutserv.exe	13-02-2024_02:36:47:689#T:MSG_KEEP_ALIVE
rutserv.exe	MSG_KEEP_ALIVE

General Info

Azorult.exe

5DF0CF8B8AA7E56884F71DA3720FB2C6

0610E911ADE5D666A45B41F771903170AF58A05A

DD396A3F66AD728660023CB116235F3CB1C35D679A155B08EC6A9CCAF966C360

196608:NjIrZDbMLq8TKqTNNRYWzmf1e4Qx/PMPTZPkTGX9sqiL/aVvTAs:N2Z4DRYWXdaZPGy9sJL/aVv/

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Disables Windows Defender

UAC/LUA settings modification

RMS is detected

METAMORFO has been detected (YARA)

Changes the Windows auto-update feature

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Uses Task Scheduler to autorun other applications

Creates or modifies Windows services

Changes appearance of the Explorer extensions

Starts NET.EXE to view/change login properties

Changes the autorun value in the registry

SUSPICIOUS

Dropped object may contain URLs of mainers pools

Executable content was dropped or overwritten

The process executes VB scripts

Reads the Internet Settings

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Runs shell command (SCRIPT)

Uses REG/REGEDIT.EXE to modify registry

Uses TIMEOUT.EXE to delay execution

Reads the date of Windows installation

Executes as Windows Service

Uses ATTRIB.EXE to modify file attributes

Connects to unusual port

Starts SC.EXE for service management

The process creates files with name similar to system file names

Application launched itself

Uses NETSH.EXE to add a firewall rule or allowed programs

Uses NETSH.EXE to change the status of the firewall

Reads settings of System Certificates

The process verifies whether the antivirus software is installed

Uses ICACLS.EXE to modify access control lists

Adds/modifies Windows certificates

Checks for external IP

Uses TASKKILL.EXE to kill process

Starts application with an unusual extension

Starts POWERSHELL.EXE for commands execution

Checks Windows Trust Settings

Detected use of alternative data streams (AltDS)

Process uses IPCONFIG to clear DNS cache

Connects to FTP

The process executes via Task Scheduler

INFO

Checks supported languages

Reads mouse settings

Reads the computer name

Creates files in the program directory

Create files in a temporary directory

Reads Windows Product ID

Reads product name

Reads Environment values

Reads the machine GUID from the registry

Checks proxy server information

Reads CPU info

Creates files or folders in the user directory

Reads the software policy settings

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph