Malware Analysis Report

2024-10-23 19:29

Sample ID 240901-tyflrawblq
Target Azorult 3.3‌.exe
SHA256 d6af1ba026c010e4d006842da28b478419bbc4c711f907a28c52079bc7fea1bf
Tags
azorult xworm discovery execution infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6af1ba026c010e4d006842da28b478419bbc4c711f907a28c52079bc7fea1bf

Threat Level: Known bad

The file Azorult 3.3‌.exe was found to be: Known bad.

Malicious Activity Summary

azorult xworm discovery execution infostealer rat trojan

Xworm

Detect Xworm Payload

Azorult

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 16:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 16:27

Reported

2024-09-01 16:30

Platform

win7-20240708-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

Signatures

Azorult

trojan infostealer azorult

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not reproduced] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffe0ffffff620100006604000009040000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DE64861-687F-11EF-8334-424588269AE0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431369986" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000846e2e4ab40ccd1d01b7cfd9d7c69909751ac05e58d712824d3dd1934d5a7aa5000000000e80000000020000200000000f576b30904febc9bf8001f417be6a9b7237cd60934626b78b6533e0ded20da720000000900cdea3537baee018ea18937266772380804eb49350c36ba7a3d325db1abecf4000000044b7bb5ed55351096637d85ff7ca8f725d4ad36de636614449102098e6560d37b708d4b189ac007a938107dcdaedd6ce1cfea5a8f31d221625db436574d15772 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20dcc2088cfcda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2976 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2976 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2976 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2976 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2976 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 2976 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 2976 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 1056 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2928 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2928 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2928 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 3060 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 3060 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 3060 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 1988 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 1988 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 1988 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2788 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2788 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2788 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2364 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2616 wrote to memory of 2148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\ProgramData\csrss.exe

"C:\ProgramData\csrss.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://xakfor.net/forum

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:406544 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 xakfor.net udp
NL 37.48.65.144:443 xakfor.net tcp
NL 37.48.65.144:443 xakfor.net tcp
US 8.8.8.8:53 r11.o.lencr.org udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.73:80 r11.o.lencr.org tcp
GB 2.18.190.80:80 r11.o.lencr.org tcp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 ww1.xakfor.net udp
US 199.59.243.226:80 ww1.xakfor.net tcp
US 199.59.243.226:80 ww1.xakfor.net tcp
NL 37.48.65.144:443 xakfor.net tcp
NL 37.48.65.144:443 xakfor.net tcp
US 199.59.243.226:80 ww1.xakfor.net tcp
US 199.59.243.226:80 ww1.xakfor.net tcp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
FR 2.22.57.219:80 www.microsoft.com tcp
SG 146.190.110.91:3389 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp

Files

memory/2976-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

memory/2976-1-0x0000000000BF0000-0x0000000000D0E000-memory.dmp

memory/2976-5-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

MD5 8440a861c68965a66c009b140e1bee47
SHA1 801a8c77156a2c6cbc5899f36c961dc8fdc56665
SHA256 a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f
SHA512 c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266

C:\ProgramData\csrss.exe

MD5 0998890ccf8a3d8702db7a84fe6dd7b3
SHA1 18e561e0ef68fb08d8f391eacd45c7d573206b92
SHA256 c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220
SHA512 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

memory/1056-22-0x00000000000D0000-0x00000000000E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 50dce71a753bad01a07904f2af283123
SHA1 1beab766071ddeff0c8e577c6717debcee0d21e6
SHA256 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3
SHA512 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

memory/2976-24-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

memory/2076-23-0x0000000000200000-0x000000000020E000-memory.dmp

memory/2364-25-0x00000000001F0000-0x000000000034A000-memory.dmp

memory/2364-26-0x0000000000530000-0x0000000000536000-memory.dmp

memory/2364-27-0x00000000021A0000-0x0000000002208000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 793209850878547c7f9973a626248878
SHA1 b8a9b6802819f79a6c6e0cf1e5b60b9d013634e9
SHA256 1ec676462084deca8949dc193f67c468ad18e16c9baccdf21cf1bd782f1ab663
SHA512 68e4cb18eb4b64cef6eec2c3aee47ab2102399836afdfe466ae054347cefe1bd451e976e8eda60e4af36d1d8caf1340a8888b870e4babb8d7ca90e91561785f9

memory/2120-37-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/2120-38-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

memory/3060-44-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/3060-51-0x0000000001E70000-0x0000000001E78000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2788-68-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2364-76-0x0000000008EC0000-0x0000000008EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar3F24.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab3F25.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 383c40ec38334466886dfddba2bf6ec9
SHA1 d9a2720174dc74511c4854e09fc727185e672835
SHA256 4f5845940d7237c9ef25af7029cf99c3011a0489967826c3ae272757ffb50a0a
SHA512 29feb2930c5b231d175b82d957130e71a76b1117b14352ab2f8bf8666c2b63797292a0cfe17a61a686e20a910592735108480fcb4d7a31822e22849a33efa709

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b9319cf04c5e1f32faef730c1c1b2fc
SHA1 b5467995e16f82f1fe8d8e801cdaadf542793e0b
SHA256 9b7c55bab5a0853f8764a10eaba7a5ce4864c02a3dc0660c460a198d56c42fba
SHA512 becd168aaf27744551a70caae2fcde81ad0b82ba63f7fe5ff9f75346f805a2e4b54bf21b51b49b31d5653db482dfa9754e0e1d60b6847a84795a57ac850de91a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d504f1bbb02c72b16034e2cf88f8303d
SHA1 0a3ee01580d5141dd8e895f9aac2b5d5edc2c320
SHA256 0845de5c5ff583ceb7ae8d947bd4a8632451666205fdf079314865e76c09fe54
SHA512 531666305c349345ad638b5417ea5177a71f1f60ef2c7e950221a90c065848bc1be927c7f1d0332a917f418489348a616ea91f5ac3feaa11193205887ca2e79d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb1ed370249fa495ef0bb7d302e4a4f5
SHA1 129af7b6ebf57d3486c434d25cd402f94d39f92f
SHA256 a467039b26aa45311e444d9857a2a313127286a0daeea488b0c0322901a603e8
SHA512 8884032e8ab2bd59434139c93fe388edfaf43abb868792c1fb52b6cc001c7e0c57e916cbc3f0a8ec1c63cfe4833a276e918035db0aad915969192191f189121c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c20c11d9ca7f98e0399e5ccdfc889030
SHA1 7b730c0bae23a1f121ca85246ecb40ac54a00d36
SHA256 c013aa27a867948cf1a466b33f39b231c4f60ae381c3189f0b5f0ff19c9544d2
SHA512 f488fba7ebbe6ea6c5c417cf9360e43af09c38b502c898a9698f68c69a104a5e81ac593ac4f24702b7913da7b9d1e1e9036b95c4ac79e5d97acbfc357f053499

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b79c1cf72f34acb031475ab642c17e40
SHA1 642b355d365e04213bb73c0dcbdfd247c0b81bef
SHA256 c8362ac4623cec9eeed88cffc07f742aba55e4d4ec1877977f3ca906ead361fc
SHA512 8f8de0bebc007ad9f0c2129fa2a0f22c854293cc88272c96d6f580c1e13cf5f75fc4d45253f51faa29c50772d8f95cdf3fda14a6e36ae4f95329909a77f9015e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a120e445c6da708a4199cd6aae4b7115
SHA1 a8e1fc6912d3456d9f062609d31fd56d810523c1
SHA256 2a61ce9b7f169bdd0db3fe10d79880d26f790e125a5c5c47ee25b59413ba93b2
SHA512 c0ac1cdb84a71b1a650735720d9243b49dd275cbbce78965897212e034517ca814834a5b8b16689db2bce7373f095b1ddda2246b07036255d104c54c2475aec9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bdfa34ceaeebb60322159bbc8a161b1
SHA1 dcb0775fce344f4fac8b02d17a5ee0cb4dec8251
SHA256 931c4a033771ff8a296be106dd0a8ec9de9bfbae9abdbd7496346324a95c4bb9
SHA512 ff77453eeb8a029f2f06f5d5edc671588c9f7d05ce6be4f3e0e8969b74c39affba6cb5aa2dd65112eccbe3974d7ac0892c237a1e41b5921cb31c84ca3b31a5a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PV4UUA1D.txt

MD5 542ad0f97ffddeefb9845c19441ef7c3
SHA1 71476a18c234cfbc428bc8737d8b0bee0ef19be6
SHA256 0a52d543e6699655123d462aa8a019d751df653895c236377f241bc7ffb3c418
SHA512 da39ffef6a5e80278c7b192696f04082eb8817dfe09bc05fe6f5d3b59e5f4966e76d2c805fb5c2dfdcac0e56fd7225c22421c34e88dc912e3e4ea94c7ee792c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10A18B4E3A1EFF2159C89DEBDD93AEDE

MD5 dd16d56ac3ae8f000433e15835e7ad6a
SHA1 6c69213dcd09af9cc52af09c0635a5295e60f53d
SHA256 9b7ae127fbb9ed7d2782579496e01ed5fc6194e53b0ebac3712107d5171033c4
SHA512 4553578ec0537466216d4d20250b7b4e054e04f8def9db3298f7ac24a850326670f773113c797c523f316ba264ca48a3f864ce913878b1adacad1a4ebd5e6f2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d35721440539516dbf5b836e59da6b2
SHA1 71307eaa7498b1ea6862499d5174fff698baca7f
SHA256 4040a56d8409f269a7a6e12dc81bd4e6f92451a08fd2e3b1729dde8a0a1ca686
SHA512 f2b634d8f307805ac573b686beee32b348c5bbcc6a23031d4dc52f7e5a4d804712b1c56c50d8edc8cdb0a1d8c7daa4bedd898adbd81c3232478bde3313f0de16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10A18B4E3A1EFF2159C89DEBDD93AEDE

MD5 5e895f1e5fb265c96d1960f97a551d7c
SHA1 98f75337e31a863bc179f8628c1f97272812c2cd
SHA256 7360cfc093129ff3b308f5c29c6416520e5faf23ea6694d163a9ea7393723132
SHA512 b6f0abff6e220e43db512396829acfac57a3c5770290a0d9126da056174431d981186d7e1182a6c12abbc98367868357383f98678d9456da8a3fe15367c34943

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 ab0ad66f97ddcab4ca6d485f92cd1cf9
SHA1 5fe04980078f6ed7d5670730cee79c35ec92da26
SHA256 c69b02d3dfda425389364045f486ac66203b3ad0b1cbbc48cb3d12188f888888
SHA512 bf733a33fad76e1211259ffbc671db1398b71eccfb248432645bb88e564b38bafe027d35bdee246d85f1a923635b170f21e653236a20c41d50e5a82ab3631bf0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AWSQ4YT7.txt

MD5 9c054e3f9261c4af34030adf6d35d0f2
SHA1 10042c1684839bc817de178fa985432d021ce194
SHA256 c8d8c4171b09c87880ef38c395dba9303f1507576200fc4f1a68af5601e17e0f
SHA512 7af60d1f89410914ab616572830f85ea55bf418d38690a961ff5c35e3013628627612b5305146449c9080a0d8d8e66db586ce3d759bb0f426dc4a6a72e9c782f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\btSVMKKaV[1].js

MD5 e2ec36d427fa4a992d76c0ee5e8dfd4d
SHA1 47ec4ace4851c6c3a4fe23ad2c842885f6d973f2
SHA256 36488e81afcbc4d7018b8764c18032b10be21aa45521c9671fde0cc77f70b2d8
SHA512 d1ae29d19f65ce74b9b480c82b87315634ec2e96d199f5feb423918af9ad6e24c8b436e03904d452f71562f04c42acbb250256eed73bcd592a79c08911c74976

C:\Users\Admin\AppData\Local\Temp\~DF376B3E66C67784AF.TMP

MD5 e1fe10f7137e19656d6332025a7f7cd8
SHA1 7588aca4803aa9bd4fd1c0f83b78e503b7c27a13
SHA256 4cd6b829057e50c2ac92aa23a6d92fc625ec1ac89cebbb95a12d9aa299a193b0
SHA512 1f2a65d04c6c25eaa2f9a8c4319283e96828d1c301d6cd5a25d44e0202c5a517fe03a53f9f77a951443d70b8a2d49be0c6c6ce540b67ac1c8e1b00f659d193a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3b6211347c8d784c7adb5043360480d
SHA1 aff0f9ddcc56bbd5d8913d4cd63111c5da78b133
SHA256 55e2195bb57017fadb47412990965d5fc7083806d1fd9662f10831fed490ae38
SHA512 b656f782e9adb2233652e0711a1cd3a09e3d54da8e1b8d2bffb2be09ac9e7d614cc5cb87fbc85e764275ea00a847b9066fd09624ee0b02a2c7f551608486ab2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9c95408628cd307317109d7a9a1b2ce
SHA1 bf998bdf6212f90bd3cb4d59a39f3d1c663d7d65
SHA256 465aa4619e95369a48c8d625190970e37f348f79c9c61b347f5140db66c81b5b
SHA512 ca9957d65b582a881864eb34d9df1a1e9de5023c49f5b6987df853b817ffa9b8fe1404aa5750794be36c6e002f44173a0ab661627e1356acd27c3eba3a421cfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 01d2195b6e3122358790f0cdc732e67c
SHA1 946f983b371d301f71ff7e623e65bc723b2415b1
SHA256 32a4395abcd02d2e14040ed06b21396fc55627bc00b3da0615b6fa6f48f94a0d
SHA512 14bdea38aa9edbae40806addfd8b420f70b26d78080ca98b0c6c46620f3ee0fd913e27860021f6b3db99cf4ca9af8e49456146ecca5396ddcd8c5ab469a9efb1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d3a0db43ad1734dadbac7f5182dc991
SHA1 9f15cf69f72594f5c46fcf7aeee1d96878dc10f6
SHA256 83c9627b238c5f3ec9870eb67ff0115a34fb5139514c762744c6ffb237b1644e
SHA512 89f9f4c90db47fbdec249d119d8d00c4ed05ef630efc93da7d1e39e0503e9f58a4fd2c056ba232bf4285635b867c22a7402ac6dd17ad134d9e9fd8a35f59d586

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e901e867fa0d8b0e0bbba1fa9a500d9b
SHA1 0c03936dbc6dd080d3b0e740c86ca3bca25f58be
SHA256 cc3fd933fa873ac4d4b587716d019d0fd81259a21fc8ffd72bcf7b711864c8c4
SHA512 d8c350bafadf0750d4c317c179cf9b87429b9cbd7b1d811be63d29a284cb7b2936261e90c790cb2e1d55ec77e3876ba94277eb2e8b4d183057871ae23cfe45a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb90e27097a7ec063cce39f0abc5d548
SHA1 ac9e96371623c8ad5e9028222655ef9e4ae6d2af
SHA256 01c942a487be30416b8abee1e3e3b59438ca90a3f115016258a2f9c5b9b8cea9
SHA512 809539ef8fc471f042cdb53361edd1838b0ba141fb7c16d31b595dd84581c13ff6067fa3862e4369fdccbc5612f51b16fc0c1301bc56fe25fcd4f53d02be2abd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9617e517cecbc5c9049eb96fe13928f3
SHA1 edb1cc6426fa18aef96d1a6f73a8eea38e34e159
SHA256 a1d16e8672e30e123d7f16983616055ddcadcb8ead93a18a24d85155d30adc06
SHA512 b7407e041c971e715d795f948e50bd11cfc3ea118baa2e86861d7d00a81f2672dcee4b45db6cfa24b2a849e83001f04351df8d30802ea208531ac5273b5c3622

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82bbc9da701a687cbf6cd01faa49125a
SHA1 7482a5e63f3c6f2ec0072014710ba796288826a6
SHA256 bcb46c13531aae8ac18031bd4ec8512a58a96e296910c22db2782748ef83865b
SHA512 16239e09d809b6f81f9b7d9b4a39bbb09a6a5e8a70e56f29cd203954e7347538a1848c55c8eca1c483278446055fc8bc1b3c0f1a8413afa4d72cab91a5e5f064

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2373d7862b5adc3cee7f9b3c66552b1d
SHA1 4ab749cbe23f1baa9060898bfa29bcffd0d4107c
SHA256 998728b2d78357bb9047152fae2487b8f15d92c77828d7dc5a1c0c435c719a2a
SHA512 d16664fec798b60eca9d616c28ce128b1014cbf2c4a59570bb5e1bb5dd6e68aab794d4bfda15d42e7c46dcb7fccb94a0f1199d7632ab30e9b387ce825f2840f3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 b47ac1c52aea415244d6ae946d0a6cab
SHA1 2bbc28264b1afe43159195287b5a2ddfbaa40ab5
SHA256 c2353ed407b555fa4cb04156585d10df481b7097b1acc5a3e29e9d1f32c1d96e
SHA512 6376897fc7be8fa1fd89716c3823635dbb8c4b3e78a26a6fff4506d7a7eff7e118e6d6eb57c6c09fa19abaf1925a6dce8de1c4e14a27b132a130d37be8c8db64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8c4cc4e44b9ecb3eb222ad2624dd14c
SHA1 bc00981596903d091171bff6beef8f9feeb2c316
SHA256 ba9051a54a98ad77934e637e5dea344f9d34c5c74a66703b900dc1032e3e66ee
SHA512 762cb9b748dc22ac4615deafa0fe2e2843e8fd70a2fa0cb0d6d28e95631cf5bf5c6a2cd82ce25aeea4462b011d3d92eac202651aed34b59261842f1147634b24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f0b060d1d5d6471ad24110e23e7d6a0
SHA1 87ba341de167fa573771306414837337d5b41062
SHA256 51a480328aafe803fac360db37b60a7c10dab52d862c9f590ad8148f661e3507
SHA512 e0ca46feb4aaef9aba3b5aeae8f0fb4f697a9e5dff36189d07a31161b4b5c7e3d1dc84ca156395945d620d6c4bff7b0762ee02a505acfb61ae830a35f939b434

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-01 16:27

Reported

2024-09-01 16:30

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

Signatures

Azorult

trojan infostealer azorult

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\ProgramData\csrss.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A
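
The "Drops startup file" and "Executes dropped EXE" tables above show the two persistence payloads: copies named svchost.exe and csrss.exe written to user-writable directories, each registering itself through a .lnk in the per-user Startup folder. The following triage script is an added example by this editor, not code from the report or from the sandbox vendor. It takes those rows as constructed input and flags system-binary name masquerading outside the Windows directory, execution from user-writable paths, and Startup-folder shortcuts named after Windows binaries. Two details are assumptions rather than report data: the map of where each Windows binary legitimately lives, and the exact invisible code point in the submitted file name (the report lists the submitted "Azorult 3.3" file and the dropped "Azorult 3.3.exe" as distinct files with different hashes, so the names differ by a non-printing character; U+200C is used here as a stand-in).

```python
import unicodedata
from dataclasses import dataclass, field
from typing import List

# Windows binaries this sample imitates and the directories they normally run from.
# The directory map is this editor's assumption, not data from the report.
SYSTEM_BINARIES = {
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "csrss.exe": ("c:\\windows\\system32",),
    "lsass.exe": ("c:\\windows\\system32",),
    "winlogon.exe": ("c:\\windows\\system32",),
    "services.exe": ("c:\\windows\\system32",),
    "explorer.exe": ("c:\\windows",),
}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed sample: the "Drops startup file" rows of this detonation as
# (description, indicator, process) tuples, and the "Executes dropped EXE" images.
STARTUP_EVENTS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
     r"C:\Users\Admin\AppData\Roaming\svchost.exe"),
    ("File opened for modification",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
     r"C:\Users\Admin\AppData\Roaming\svchost.exe"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk",
     r"C:\ProgramData\csrss.exe"),
    ("File opened for modification",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk",
     r"C:\ProgramData\csrss.exe"),
]
DROPPED_EXECUTED = [
    r"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe",
    r"C:\Users\Admin\AppData\Roaming\svchost.exe",
    r"C:\ProgramData\csrss.exe",
]
# Constructed: the submitted file name with a zero-width non-joiner before ".exe".
# Which invisible code point the original sample name carries is assumed here.
SUBMITTED_NAME = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Azorult 3.3\u200c.exe"


@dataclass
class StartupFinding:
    lnk: str
    creator: str
    reasons: List[str] = field(default_factory=list)


def _split(path: str):
    """Lower-cased (directory, file name) for a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def classify_image(path: str) -> List[str]:
    """Reasons an executable path looks like a dropped, masquerading payload."""
    directory, name = _split(path)
    reasons = []
    expected = SYSTEM_BINARIES.get(name)
    if expected and directory not in expected:
        reasons.append(f"name matches Windows binary {name} but image is outside {' or '.join(expected)}")
    if any(marker in directory + "\\" for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    # Format-category (Cf) characters are invisible when rendered; two names that
    # look identical can differ only by one of them.
    invisible = sorted({f"U+{ord(c):04X}" for c in path if unicodedata.category(c) == "Cf"})
    if invisible:
        reasons.append("invisible format character(s) in path: " + ", ".join(invisible))
    return reasons


def triage_startup(events) -> List[StartupFinding]:
    """One finding per Startup-folder entry, keyed on the .lnk path."""
    seen = {}
    for desc, indicator, process in events:
        if STARTUP_MARKER not in indicator.lower() or indicator in seen:
            continue  # not a Startup entry, or the 'opened for modification' repeat
        reasons = ["startup-folder persistence (" + desc.lower() + ")"]
        lnk_stem = _split(indicator)[1].rsplit(".", 1)[0]
        creator_stem = _split(process)[1].rsplit(".", 1)[0]
        if lnk_stem == creator_stem and creator_stem + ".exe" in SYSTEM_BINARIES:
            reasons.append(f"shortcut named after Windows binary {creator_stem}.exe")
        reasons += classify_image(process)
        seen[indicator] = StartupFinding(indicator, process, reasons)
    return list(seen.values())


if __name__ == "__main__":
    for finding in triage_startup(STARTUP_EVENTS):
        print(finding.lnk, "<-", finding.creator)
        for reason in finding.reasons:
            print("   ", reason)
    for image in DROPPED_EXECUTED + [SUBMITTED_NAME]:
        print(image, classify_image(image))
```

The Startup-folder check keys on the .lnk path so the "File created" and "File opened for modification" rows collapse into one finding per shortcut; the masquerade check compares the whole directory, not just the file name, because a legitimate svchost.exe from System32 must not be flagged.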

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 4200 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 4200 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 4200 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4200 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4200 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 4200 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 4364 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1356 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1356 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1824 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 1824 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 3664 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 3664 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4364 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 2824 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2416 wrote to memory of 2824 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\ProgramData\csrss.exe

"C:\ProgramData\csrss.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
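
The PowerShell command lines listed under Processes here, and the identical set under Processes for behavioral2 above, show the dropped svchost.exe and csrss.exe each whitelisting itself in Microsoft Defender with Add-MpPreference, running PowerShell with -ExecutionPolicy Bypass so no script policy gets in the way. The script below is an added detection example by this editor, not code from the report or from the sandbox vendor. It parses those eight command lines (embedded as constructed input, copied from the table) and reports each Defender preference change with the reasons it is suspicious: policy bypass, an excluded path in a user-writable directory, or a process exclusion given as a bare name. It goes one step beyond the page by also catching Set-MpPreference -Disable... $true switches, illustrated with one constructed line that does not occur in this report. The user-writable directory markers are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the eight PowerShell command lines recorded under Processes
# in this detonation, one constructed Set-MpPreference line (not from the report),
# and two non-PowerShell lines that must not match.
SAMPLE_CMDLINES = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -ep bypass Set-MpPreference -DisableRealtimeMonitoring $true
"C:\Users\Admin\AppData\Roaming\svchost.exe"
"C:\ProgramData\csrss.exe"
""".strip().splitlines()

PS_HOST = re.compile(r"\b(?:powershell(?:_ise)?|pwsh)\.exe\b", re.I)
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# -ep and -exec are accepted prefixes of -ExecutionPolicy
EXEC_BYPASS = re.compile(r"-(?:ExecutionPolicy|exec|ep)\s+(?:Bypass|Unrestricted)\b", re.I)
# Value may be single-quoted, double-quoted or bare
EXCLUSION = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|([^\s,]+))",
    re.I,
)
DISABLE = re.compile(r"-(Disable[A-Za-z]+)\s+(?:\$true|1)\b", re.I)
# Directories an unprivileged user can write to (assumed list)
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    setting: str        # ExclusionPath, ExclusionProcess, DisableRealtimeMonitoring, ...
    value: str
    reasons: List[str] = field(default_factory=list)
    cmdline: str = ""


def analyze_cmdline(cmdline: str) -> List[Finding]:
    """One Finding per Defender preference change in a PowerShell command line."""
    if not (PS_HOST.search(cmdline) and MP_CMDLET.search(cmdline)):
        return []
    common = ["execution policy bypassed"] if EXEC_BYPASS.search(cmdline) else []
    findings = []
    for m in EXCLUSION.finditer(cmdline):
        setting = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        reasons = list(common)
        if any(marker in value.lower() for marker in USER_WRITABLE):
            reasons.append("excluded path is user-writable")
        if setting.lower() == "exclusionprocess" and "\\" not in value:
            reasons.append("bare process name, not tied to a path")
        findings.append(Finding(setting, value, reasons, cmdline))
    for m in DISABLE.finditer(cmdline):
        findings.append(Finding(m.group(1), "$true", common + ["protection feature switched off"], cmdline))
    return findings


def analyze(cmdlines) -> List[Finding]:
    """Run analyze_cmdline over a list of command lines, in order."""
    return [f for c in cmdlines for f in analyze_cmdline(c)]


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.setting:<26} {f.value:<48} {'; '.join(f.reasons)}")
```

On a live host the same regexes apply to Sysmon event 1 or Security 4688 command lines; the process-name exclusion is worth treating as the more dangerous of the two, because it is not tied to the dropped file's location.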

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
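
The Network table above mixes three kinds of traffic: repeated TCP connections to 146.190.110.91:3389 with no domain column (the rows with only three fields), a single TLS connection to api.telegram.org, and PTR lookups under in-addr.arpa that reverse-resolve the addresses already contacted. The following script is an added triage example by this editor, not logic from the report or the sandbox. It parses the rows of this detonation's table, plus three rows from the behavioral2 table above (xakfor.net, r11.o.lencr.org, crl.microsoft.com) so that browsing and certificate-infrastructure noise is represented, folds repeated connections per destination, and tags each destination. The benign-suffix list, the messaging-API list and the beacon threshold of three hits are this editor's assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: rows copied from this detonation's Network table, followed by
# three rows from the behavioral2 table above.
SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
NL 37.48.65.144:443 xakfor.net tcp
GB 2.18.190.73:80 r11.o.lencr.org tcp
GB 2.18.190.80:80 crl.microsoft.com tcp
""".strip().splitlines()

WEB_PORTS = {80, 443}
# Assumed lists: OS / certificate infrastructure that almost every detonation touches,
# and public messaging or paste services commonly used as an exfil or C2 channel.
BENIGN_SUFFIXES = ("microsoft.com", "lencr.org", "bing.com", "windowsupdate.com", "digicert.com")
MESSAGING_APIS = ("api.telegram.org", "discord.com", "discordapp.com", "pastebin.com")
BEACON_MIN_HITS = 3  # threshold is this editor's choice, not a value from the report


@dataclass
class Row:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


@dataclass
class Verdict:
    dest: str
    domain: Optional[str]
    hits: int
    tags: List[str] = field(default_factory=list)


def parse_row(line: str) -> Row:
    """Split one 'Country Destination [Domain] Proto' row. The domain column is
    absent on the direct-to-IP rows, so it is optional."""
    parts = line.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else None
    ip, port = dest.rsplit(":", 1)
    return Row(country, ip, int(port), domain, proto.lower())


def _under(domain: str, suffixes) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def reverse_lookups(lines) -> List[str]:
    """IPs the detonation reverse-resolved (PTR queries under in-addr.arpa)."""
    ips = []
    for r in map(parse_row, lines):
        if r.domain and r.domain.endswith(".in-addr.arpa"):
            octets = r.domain[: -len(".in-addr.arpa")].split(".")
            ips.append(".".join(reversed(octets)))
    return ips


def triage(lines) -> List[Verdict]:
    """Fold repeated connections per destination and tag each one."""
    hits: Counter = Counter()
    domains = {}
    for r in map(parse_row, lines):
        if r.port == 53 and r.proto == "udp":
            continue  # resolver traffic; see reverse_lookups() for the PTR side
        key = f"{r.ip}:{r.port}"
        hits[key] += 1
        domains.setdefault(key, r.domain)
    verdicts = []
    for key, n in hits.items():
        dom = domains[key]
        tags = []
        if dom is None:
            tags.append("direct-to-ip")
            if int(key.rsplit(":", 1)[1]) not in WEB_PORTS:
                tags.append("non-web-port")
        elif _under(dom, BENIGN_SUFFIXES):
            tags.append("benign-infra")
        elif _under(dom, MESSAGING_APIS):
            tags.append("messaging-api")
        if n >= BEACON_MIN_HITS and "benign-infra" not in tags:
            tags.append("beacon-candidate")
        verdicts.append(Verdict(key, dom, n, tags))
    verdicts.sort(key=lambda v: (-len(v.tags), -v.hits, v.dest))
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_ROWS):
        print(f"{v.dest:<22} {v.domain or '-':<22} x{v.hits:<3} {', '.join(v.tags)}")
    print("reverse-resolved:", sorted(set(reverse_lookups(SAMPLE_ROWS))))
```

The direct-to-IP beacon on 3389 sorts to the top, the Telegram API connection is kept as a separate line because it is a single hit, and the Let's Encrypt and Microsoft CRL fetches are tagged as noise rather than dropped, so the analyst can still see them.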

Files

memory/4200-0-0x00007FFED23B3000-0x00007FFED23B5000-memory.dmp

memory/4200-1-0x0000000000020000-0x000000000013E000-memory.dmp

memory/4200-4-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

MD5 8440a861c68965a66c009b140e1bee47
SHA1 801a8c77156a2c6cbc5899f36c961dc8fdc56665
SHA256 a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f
SHA512 c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 50dce71a753bad01a07904f2af283123
SHA1 1beab766071ddeff0c8e577c6717debcee0d21e6
SHA256 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3
SHA512 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

memory/4364-41-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp

C:\ProgramData\csrss.exe

MD5 0998890ccf8a3d8702db7a84fe6dd7b3
SHA1 18e561e0ef68fb08d8f391eacd45c7d573206b92
SHA256 c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220
SHA512 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

memory/4364-37-0x0000000000BF0000-0x0000000000C08000-memory.dmp

memory/2236-42-0x000000007528E000-0x000000007528F000-memory.dmp

memory/4200-43-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp

memory/2416-44-0x00000000000E0000-0x00000000000EE000-memory.dmp

memory/2236-45-0x00000000008E0000-0x0000000000A3A000-memory.dmp

memory/2236-46-0x00000000025A0000-0x00000000025A6000-memory.dmp

memory/2236-47-0x00000000046C0000-0x0000000004728000-memory.dmp

memory/2236-48-0x0000000007770000-0x0000000007D14000-memory.dmp

memory/2236-49-0x00000000071C0000-0x0000000007252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vnx13dxc.mjg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1428-57-0x000001B0F20A0000-0x000001B0F20C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cbc41bceec6e8cf6d23f68d952487858
SHA1 f52edbceff042ded7209e8be90ec5e09086d62eb
SHA256 b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d
SHA512 0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 865d30ef81d6f5d8cb94ccd6bd627d1d
SHA1 13fbe1cfd95fecd018929b220078b9b6ae4aeaf1
SHA256 9094c4736c6c3cfe381c2eb7c2b01461ce35dbbb87dd9d16606561a8ba5324dd
SHA512 03906c48756aeec397a71431f0fc7fbe43246f88ce49087c320d97c10203290beb53bf0b80cb8c1bb5eda5c0278dc8459fb5b61cedcea6a98b537ea72fca8766

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbb22d95851b93abf2afe8fb96a8e544
SHA1 920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256 e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA512 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-01 16:27

Reported

2024-09-01 16:30

Platform

win11-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

Signatures

Azorult

trojan infostealer azorult

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2484 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2484 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 2484 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2484 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2484 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 2484 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 1048 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4888 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4888 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1408 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1408 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4756 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4756 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4364 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4364 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1048 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\ProgramData\csrss.exe

"C:\ProgramData\csrss.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

MD5 8440a861c68965a66c009b140e1bee47
SHA1 801a8c77156a2c6cbc5899f36c961dc8fdc56665
SHA256 a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f
SHA512 c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 50dce71a753bad01a07904f2af283123
SHA1 1beab766071ddeff0c8e577c6717debcee0d21e6
SHA256 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3
SHA512 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

C:\ProgramData\csrss.exe

MD5 0998890ccf8a3d8702db7a84fe6dd7b3
SHA1 18e561e0ef68fb08d8f391eacd45c7d573206b92
SHA256 c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220
SHA512 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axwj0a1s.yff.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3840d9bcedfe7017e49ee5d05bd1c46
SHA1 272620fb2605bd196df471d62db4b2d280a363c6
SHA256 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA512 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0bdf1f3b17535062ac08020252a67de7
SHA1 0bdfb9e03a0495d3348c44050fe2c2ad5b8ded5c
SHA256 868024d64b75b07c6848c7297ca32670af1ff5a4f961baaf873daddf3a8abbae
SHA512 ec18062b156907365e198d99038b1616b28055b0f9fe1714489ff2bd5f2a5bd0affb7ac954763b1cf197d038d000566ba05fc6fb27da401e24ad9ac284ab6ba7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a13d86aa4aa93ee4e7b6a655edf6cc79
SHA1 b3172c58361cfc52fe51b7bd2971df38657e77db
SHA256 d42c42ef46ed4341b7eb52572aa6c7bc7720401481c93b38d6cc7cbf00826066
SHA512 6e55311ca9f9ec756eac30841c9564a679089b7a249a6d5841e97e7bc73e5dd213bd7683856b740bbae2fa46456558558f52ec78b4460ef932d363d3e7800fbf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34e3230cb2131270db1af79fb3d57752
SHA1 21434dd7cf3c4624226b89f404fd7982825f8ac6
SHA256 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
SHA512 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 16:27

Reported

2024-09-01 16:29

Platform

win10-20240404-en

Max time kernel

50s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

Signatures

Azorult

trojan infostealer azorult

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk C:\ProgramData\csrss.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 3328 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 3328 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
PID 3328 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3328 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3328 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 3328 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe C:\ProgramData\csrss.exe
PID 2216 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 3628 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 3628 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4992 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4992 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 1940 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 1940 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2216 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4636 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4320 wrote to memory of 4636 N/A C:\ProgramData\csrss.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\ProgramData\csrss.exe

"C:\ProgramData\csrss.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 f.f.f.f.8.f.2.0.2.c.1.c.3.1.0.9.f.f.f.f.6.9.8.8.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
SG 146.190.110.91:3389 tcp
SG 146.190.110.91:3389 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

MD5 8440a861c68965a66c009b140e1bee47
SHA1 801a8c77156a2c6cbc5899f36c961dc8fdc56665
SHA256 a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f
SHA512 c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266

C:\ProgramData\csrss.exe

MD5 0998890ccf8a3d8702db7a84fe6dd7b3
SHA1 18e561e0ef68fb08d8f391eacd45c7d573206b92
SHA256 c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220
SHA512 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 50dce71a753bad01a07904f2af283123
SHA1 1beab766071ddeff0c8e577c6717debcee0d21e6
SHA256 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3
SHA512 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4f0r41e.nnr.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3836-105-0x0000000004E60000-0x0000000004E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b721b21f475be36eee76eb7dc3e479b8
SHA1 e4ec21b1f2ed4a3d29e55ad4350fa54c9b13e53c
SHA256 caff144bf4be3976720feb58d440318d242c86a89f0c3b0133a360391015fe4d
SHA512 fcc865cab4dcc809efb5559f7882764e30d7db05284515e150cf2b43b4ed22af2cb37139302f69fed4c31fc8bcf1aaee9ebb6dddeaa85b7426a8db15509d551b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d26e61b05e1a82bc1ed5078b6f020fbb
SHA1 5a7b374a664e5975e3aacab00e30fb499bbc5dd8
SHA256 7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011
SHA512 75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 feea8d6f8250de52fcd3693783c40a27
SHA1 4e56e1e6ce74490a5c12cfd7d12bab0c4e518ff3
SHA256 faa6d6e6aae83d484b2aa47c15fed5e631ec90e10f70caaa4ab9aae7e247c7b3
SHA512 559e26c7b384860fd8de7b9d0b8581cdf360cb1715b8f1b589a208d321c1560589ab85fba8c1b29eb0bcb1e24908dc7bd029e828cb613f9880fb4f134d9f216a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3a77fddce80e2459933641b72404720
SHA1 43f29c7710ccdf53140456e0721e4f5b327c12f2
SHA256 9199ba2bca3d294818252d576e8ce2b76ee65a9c0746092e5ba877120710855b
SHA512 0582bcfd7b54b32e147bc643e6bc2a8ccf1f5c9959d31602de73d31f378cff01d6c218f1ab5a2d7d752199480da4df96585b8138dd0c260039f7058239869d08

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d65fde5c872d59436685b946ea909d45
SHA1 312037e8abf5616a8dba9f9df024d0f7560b4371
SHA256 3e9a7d6652bdaef973a920b7ab52949485dfcad9793a5baa6369c5b9d90db9c5
SHA512 b593a9d423f0bc4021252afdaedae9ec5038b04a26abce1e05c142e112f39a48e0e9506d32955b3cbb32c389e7abd035b7ed5f0d36f9daa8b2b5c8562569fc59

memory/2216-381-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp