URL:

https://bit.ly/2Mb1SGD

Full analysis: https://app.any.run/tasks/1c9aaf98-8eba-4001-a92b-b93753f128f0
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: August 13, 2019, 13:25:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
rat
rms
trojan
azorult
stealer
autoit
evasion
opendir
Indicators:
MD5:

D92A10D1F296FA907115A0D81ABC9B64

SHA1:

8C674EF2907C3C947515AAFB0AC35DCFA5532962

SHA256:

E4273615BD110B7C1E04EA738842D43746129FE925AE83F522E2233F0B3E7397

SSDEEP:

3:N8kToq:2SD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • install_cheat.exe (PID: 3552)
      • install_cheat.exe (PID: 1952)
      • wini.exe (PID: 1696)
      • rutserv.exe (PID: 1892)
      • rutserv.exe (PID: 3308)
      • winit.exe (PID: 3044)
      • rfusclient.exe (PID: 2348)
      • rfusclient.exe (PID: 1580)
      • rutserv.exe (PID: 1668)
      • rutserv.exe (PID: 3644)
      • cheat.exe (PID: 1504)
      • P.exe (PID: 3380)
      • taskhost.exe (PID: 1252)
      • 1.exe (PID: 2548)
      • ink.exe (PID: 2444)
      • rfusclient.exe (PID: 3456)
      • R8.exe (PID: 1076)
      • winlog.exe (PID: 6048)
      • taskhostw.exe (PID: 2364)
      • taskhostw.exe (PID: 5896)
      • Rar.exe (PID: 3128)
      • winlogon.exe (PID: 4372)
      • scaner.exe (PID: 3860)
      • start.exe (PID: 2944)
      • MicrosoftHost.exe (PID: 6080)
      • taskhostw.exe (PID: 5380)
      • system.exe (PID: 4332)
      • system.exe (PID: 4124)
      • taskhostw.exe (PID: 9696)
    • Disables Windows Defender

      • install_cheat.exe (PID: 3552)
      • powershell.exe (PID: 5536)
    • UAC/LUA settings modification

      • install_cheat.exe (PID: 3552)
      • regedit.exe (PID: 3452)
    • RMS was detected

      • regedit.exe (PID: 3452)
      • regedit.exe (PID: 1784)
      • rutserv.exe (PID: 1668)
    • AZORULT was detected

      • ink.exe (PID: 2444)
    • Connects to CnC server

      • ink.exe (PID: 2444)
      • MicrosoftHost.exe (PID: 6080)
    • Actions look like stealing of personal data

      • 1.exe (PID: 2548)
    • Stealing of credential data

      • 1.exe (PID: 2548)
    • Uses NirSoft utilities to collect credentials

      • 1.exe (PID: 2548)
    • Uses Task Scheduler to run other applications

      • taskhost.exe (PID: 1252)
      • cmd.exe (PID: 5848)
      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 6116)
      • cmd.exe (PID: 5600)
      • cmd.exe (PID: 312)
      • cmd.exe (PID: 4920)
      • cmd.exe (PID: 5212)
      • install_cheat.exe (PID: 3552)
      • cmd.exe (PID: 5700)
    • Executes PowerShell scripts

      • cmd.exe (PID: 5372)
    • Uses Task Scheduler to autorun other applications

      • taskhost.exe (PID: 1252)
      • install_cheat.exe (PID: 3552)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 4624)
      • schtasks.exe (PID: 5688)
      • schtasks.exe (PID: 5508)
      • schtasks.exe (PID: 5096)
      • schtasks.exe (PID: 6012)
      • schtasks.exe (PID: 3132)
      • schtasks.exe (PID: 4224)
      • schtasks.exe (PID: 5844)
      • schtasks.exe (PID: 3648)
      • schtasks.exe (PID: 6032)
      • schtasks.exe (PID: 5880)
      • schtasks.exe (PID: 4508)
    • Changes the autorun value in the registry

      • taskhostw.exe (PID: 5896)
    • Changes Windows auto-update feature

      • powershell.exe (PID: 5536)
    • Starts NET.EXE to view/add/change user profiles

      • cmd.exe (PID: 4212)
    • Starts NET.EXE to view/change login properties

      • cmd.exe (PID: 4212)
    • Starts NET.EXE to view/change users group

      • cmd.exe (PID: 4212)
    • Looks like application has launched a miner

      • taskhostw.exe (PID: 5896)
    • Loads dropped or rewritten executable

      • system.exe (PID: 4332)
      • 1.exe (PID: 2548)
      • system.exe (PID: 4124)
      • WinRAR.exe (PID: 2908)
      • chrome.exe (PID: 2320)
      • Eternalblue-2.2.0.exe (PID: 5868)
    • MINER was detected

      • MicrosoftHost.exe (PID: 6080)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • install_cheat.exe (PID: 3552)
      • wini.exe (PID: 1696)
      • cheat.exe (PID: 1504)
      • P.exe (PID: 3380)
      • taskhost.exe (PID: 1252)
      • R8.exe (PID: 1076)
      • taskhostw.exe (PID: 5896)
      • scaner.exe (PID: 3860)
    • Dropped object may contain URLs of mining pools

      • install_cheat.exe (PID: 3552)
      • cmd.exe (PID: 4424)
    • Creates files in the program directory

      • install_cheat.exe (PID: 3552)
      • wini.exe (PID: 1696)
      • taskhost.exe (PID: 1252)
      • cheat.exe (PID: 1504)
      • P.exe (PID: 3380)
      • winit.exe (PID: 3044)
      • 1.exe (PID: 2548)
      • winlog.exe (PID: 6048)
      • taskhostw.exe (PID: 5896)
      • start.exe (PID: 2944)
      • system.exe (PID: 4124)
      • system.exe (PID: 4332)
      • scaner.exe (PID: 3860)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1364)
      • install_cheat.exe (PID: 3552)
      • WScript.exe (PID: 2468)
      • winit.exe (PID: 3044)
      • WScript.exe (PID: 5956)
      • winlogon.exe (PID: 4712)
      • taskhostw.exe (PID: 5896)
      • winlogon.exe (PID: 4372)
      • taskhost.exe (PID: 1252)
      • WScript.exe (PID: 2648)
      • rundll.exe (PID: 4280)
      • WScript.exe (PID: 2816)
    • Executes scripts

      • wini.exe (PID: 1696)
      • P.exe (PID: 3380)
      • R8.exe (PID: 1076)
      • cmd.exe (PID: 6060)
      • start.exe (PID: 2944)
    • Reads Environment values

      • rutserv.exe (PID: 1892)
      • rutserv.exe (PID: 3644)
      • rutserv.exe (PID: 3308)
      • rutserv.exe (PID: 1668)
      • rfusclient.exe (PID: 2348)
      • rfusclient.exe (PID: 1580)
      • rfusclient.exe (PID: 3456)
    • Reads Windows Product ID

      • rutserv.exe (PID: 1892)
      • rutserv.exe (PID: 3644)
      • rutserv.exe (PID: 3308)
      • rutserv.exe (PID: 1668)
      • rfusclient.exe (PID: 2348)
      • rfusclient.exe (PID: 1580)
      • rfusclient.exe (PID: 3456)
    • Executed as Windows Service

      • rutserv.exe (PID: 1668)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 2976)
      • cmd.exe (PID: 4212)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2884)
      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 2824)
      • cmd.exe (PID: 2848)
      • cmd.exe (PID: 680)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 640)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 3384)
      • cmd.exe (PID: 900)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 3912)
      • cmd.exe (PID: 628)
      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 3644)
      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 3112)
      • cmd.exe (PID: 3860)
      • cmd.exe (PID: 1336)
      • cmd.exe (PID: 3576)
    • Application launched itself

      • rfusclient.exe (PID: 2348)
    • Loads DLL from Mozilla Firefox

      • 1.exe (PID: 2548)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3424)
      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 3120)
      • cmd.exe (PID: 3900)
      • cmd.exe (PID: 3256)
      • cmd.exe (PID: 3936)
      • cmd.exe (PID: 3944)
      • cmd.exe (PID: 3560)
      • cmd.exe (PID: 868)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 2988)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 384)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 976)
      • cmd.exe (PID: 1200)
      • cmd.exe (PID: 3584)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 4212)
    • Uses RUNDLL32.EXE to load library

      • winit.exe (PID: 3044)
      • taskhostw.exe (PID: 5896)
      • taskhost.exe (PID: 1252)
      • install_cheat.exe (PID: 3552)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 1892)
      • rundll32.exe (PID: 1484)
      • rundll32.exe (PID: 2184)
      • rundll32.exe (PID: 4320)
      • rundll32.exe (PID: 4584)
      • rundll32.exe (PID: 4028)
      • rundll32.exe (PID: 2600)
      • rundll32.exe (PID: 1920)
      • rundll32.exe (PID: 5488)
      • rundll32.exe (PID: 2076)
      • rundll32.exe (PID: 5216)
    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 3864)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 1644)
      • cmd.exe (PID: 1104)
      • cmd.exe (PID: 3700)
      • cmd.exe (PID: 2512)
      • cmd.exe (PID: 724)
      • cmd.exe (PID: 2392)
      • cmd.exe (PID: 1568)
      • cmd.exe (PID: 2372)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 352)
      • cmd.exe (PID: 1332)
      • cmd.exe (PID: 680)
      • cmd.exe (PID: 4056)
      • cmd.exe (PID: 2072)
      • cmd.exe (PID: 3184)
      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 2788)
      • cmd.exe (PID: 3316)
      • cmd.exe (PID: 2292)
      • cmd.exe (PID: 332)
      • cmd.exe (PID: 1148)
      • cmd.exe (PID: 5588)
      • cmd.exe (PID: 5088)
      • cmd.exe (PID: 5084)
      • cmd.exe (PID: 1476)
      • cmd.exe (PID: 3108)
      • cmd.exe (PID: 5952)
      • cmd.exe (PID: 4580)
      • cmd.exe (PID: 5620)
      • cmd.exe (PID: 5288)
      • cmd.exe (PID: 4952)
      • cmd.exe (PID: 5356)
      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 5024)
      • cmd.exe (PID: 4340)
      • cmd.exe (PID: 4784)
      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 5348)
      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 4616)
      • cmd.exe (PID: 4860)
      • cmd.exe (PID: 5196)
      • cmd.exe (PID: 3384)
      • cmd.exe (PID: 2104)
      • cmd.exe (PID: 4736)
      • cmd.exe (PID: 4672)
      • cmd.exe (PID: 5944)
      • cmd.exe (PID: 2216)
      • cmd.exe (PID: 1780)
      • cmd.exe (PID: 5776)
      • cmd.exe (PID: 5704)
      • cmd.exe (PID: 5128)
      • cmd.exe (PID: 4904)
      • cmd.exe (PID: 2584)
      • cmd.exe (PID: 5684)
      • cmd.exe (PID: 3260)
      • cmd.exe (PID: 2544)
      • cmd.exe (PID: 5752)
      • cmd.exe (PID: 4832)
    • Checks for external IP

      • winit.exe (PID: 3044)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6060)
      • cmd.exe (PID: 2976)
    • Creates files in the user directory

      • powershell.exe (PID: 5536)
    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 5512)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6060)
      • cmd.exe (PID: 4212)
    • Executed via Task Scheduler

      • taskhostw.exe (PID: 2364)
      • taskhostw.exe (PID: 5380)
      • taskhostw.exe (PID: 9696)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 4212)
  • INFO

    • Modifies the open verb of a shell class

      • chrome.exe (PID: 2264)
    • Manual execution by user

      • opera.exe (PID: 3244)
      • install_cheat.exe (PID: 3552)
      • install_cheat.exe (PID: 1952)
    • Creates files in the user directory

      • opera.exe (PID: 3244)
    • Application launched itself

      • chrome.exe (PID: 2264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 528
Monitored processes: 357
Malicious processes: 33
Suspicious processes: 11

Behavior graph

[Behavior graph (process tree) is rendered in the full report. Nodes tagged in the graph: #RMS (regedit.exe, rutserv.exe), #AZORULT (ink.exe), #MINER (microsofthost.exe).]

Process information

PID 2264 (parent process: explorer.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://bit.ly/2Mb1SGD"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 3221225547
  Version: 75.0.3770.100

PID 2164 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x70fea9d0,0x70fea9e0,0x70fea9ec
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 2580 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2612 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 2864 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17491259592026223004 --mojo-platform-channel-handle=1024 --ignored=" --type=renderer " /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 3788 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15123481794422462353 --mojo-platform-channel-handle=1624 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 4092 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6045655952598512595 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 2856 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7424723941278846202 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 3400 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1980991686741230575 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: LOW
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 1164 (parent process: chrome.exe)
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2269037864659182447 --mojo-platform-channel-handle=3324 /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Exit code: 0
  Version: 75.0.3770.100

PID 3244 (parent process: explorer.exe)
  CMD: "C:\Program Files\Opera\opera.exe"
  Path: C:\Program Files\Opera\opera.exe
  User: admin
  Company: Opera Software
  Integrity Level: MEDIUM
  Description: Opera Internet Browser
  Exit code: 0
  Version: 1748
Total events: 5 555
Read events: 3 848
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 139
Suspicious files: 63
Text files: 146
Unknown types: 14

Dropped files

PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
  MD5:
  SHA256:
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
  MD5:
  SHA256:
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ea88ee9d-453e-4bf6-8814-f289371f8e52.tmp
  MD5:
  SHA256:
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
  MD5:
  SHA256:
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
  MD5:
  SHA256:
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF37110b.TMP
  Type: text
  MD5: C4D6CBB269C626168A5D6D0D8CCE6C30
  SHA256: B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
  Type: text
  MD5: DC32343F45B01764B6267AD36548102A
  SHA256: A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
  Type: text
  MD5: 3D551B6E929CF62F7AA66091E718704B
  SHA256: 1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old
  Type: text
  MD5: 911B244E4A362B56F2478647D2D61A40
  SHA256: 3A5AEC1EA537D8841E604D0AA4CD5F9241C805A3D4EB4E372CFB7EEB3678A361
PID 2264, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
  Type: binary
  MD5: 0686D6159557E1162D04C44240103333
  SHA256: 3303D5EED881951B0BB52CF1C6BFA758770034D0120C197F9F7A3520B92A86FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 53
DNS requests: 27
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3244 | opera.exe | GET | 200 | 172.217.22.67:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 815 b | whitelisted
3244 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted
3788 | chrome.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAy%2BK8lPT%2B%2Fr4u1gFxGeJoE%3D | US | der | 471 b | whitelisted
3244 | opera.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAy%2BK8lPT%2B%2Fr4u1gFxGeJoE%3D | US | der | 471 b | whitelisted
3244 | opera.exe | GET | 200 | 216.58.206.3:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEBsLTAENQpqdmTkw83kxDuA%3D | US | der | 471 b | whitelisted
3044 | winit.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json | DE | text | 298 b | shared
5896 | taskhostw.exe | GET | 404 | 194.67.196.43:80 | http://taskhostw.com/randomx/loaderTOP.html | RU | html | 299 b | suspicious
3788 | chrome.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted
3244 | opera.exe | GET | 200 | 216.58.206.3:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDo4ppmeCJaKx8etRHAIrWs%3D | US | der | 471 b | whitelisted
1252 | taskhost.exe | GET | 404 | 194.67.196.43:80 | http://taskhostw.com/randomink/L.html | RU | html | 293 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3788 | chrome.exe | 172.217.18.110:443 | drive.google.com | Google Inc. | US | whitelisted
3788 | chrome.exe | 216.58.206.1:443 | doc-0o-2g-docs.googleusercontent.com | Google Inc. | US | whitelisted
3788 | chrome.exe | 172.217.18.173:443 | accounts.google.com | Google Inc. | US | whitelisted
3788 | chrome.exe | 67.199.248.11:443 | bit.ly | Bitly Inc | US | shared
3788 | chrome.exe | 67.199.248.10:443 | bit.ly | Bitly Inc | US | shared
3244 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | | whitelisted
3788 | chrome.exe | 172.217.21.196:443 | www.google.com | Google Inc. | US | whitelisted
3788 | chrome.exe | 216.58.210.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3788 | chrome.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3788 | chrome.exe | 172.217.16.131:443 | ssl.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
bit.ly | 67.199.248.11, 67.199.248.10 | shared
clientservices.googleapis.com | 216.58.210.3 | whitelisted
accounts.google.com | 172.217.18.173 | shared
www.google.com | 172.217.21.196 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
ssl.gstatic.com | 172.217.16.131 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
drive.google.com | 172.217.18.110 | shared
doc-0o-2g-docs.googleusercontent.com | 216.58.206.1 | shared
certs.opera.com | 185.26.182.93, 185.26.182.94 | whitelisted

Threats

PID | Process | Class | Message
2444 | ink.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2
2444 | ink.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon
2444 | ink.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon
2444 | ink.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request
2444 | ink.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
3044 | winit.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
3044 | winit.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3044 | winit.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5896 | taskhostw.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
5896 | taskhostw.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
4 ETPRO signatures available at the full report
Process | Message
rutserv.exe | TMainService.Start
rutserv.exe | GUID_MONITOR_POWER_ON
rutserv.exe | 13-08-2019_14:28:53:341#T:Msg Size: 104
rutserv.exe | 13-08-2019_14:28:53:341#T:Msg code: 3
rutserv.exe | 13-08-2019_14:28:53:341#T:MSG_KEEP_ALIVE
rutserv.exe | MSG_KEEP_ALIVE
rundll.exe | Python failed to load the default activation context
rutserv.exe | 13-08-2019_14:29:22:699#T:Msg Size: 104
rutserv.exe | 13-08-2019_14:29:22:699#T:Msg code: 3
rutserv.exe | 13-08-2019_14:29:22:699#T:MSG_KEEP_ALIVE