Analysis
-
max time kernel
113s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
29-12-2024 03:08
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
azorult
http://boglogov.site/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Adds policy Run key to start application 2 TTPs 3 IoCs
-
Executes dropped EXE 6 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 28 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8037e46f8,0x7ff8037e4708,0x7ff8037e47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3380 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5360 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3624 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,352875225519354292,14876982785377454040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5272 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bezilom.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bezilom.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bumerang.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bumerang.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 3243⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\ddraw32.dllC:\Windows\system32\ddraw32.dll :C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bumerang.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 27561⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Fagot.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Fagot.a.exe"1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\HeadTail.vbs"1⤵
- Drops file in Program Files directory
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Heap41A.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Heap41A.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\std.txt3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\script1.txt4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\heap41a\svchost.exeC:\heap41a\svchost.exe C:\heap41a\reproduce.txt4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Mantas.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Mantas.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Netres.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Netres.a.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Nople.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Nople.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"1⤵
-
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui2⤵
-
-
C:\programdata\install\cheat.exeC:\programdata\install\cheat.exe -pnaxui2⤵
-
-
C:\programdata\install\ink.exeC:\programdata\install\ink.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MoonTitle2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MoonTitle"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop AudioServer2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete AudioServer"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_642⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD5b56f101011d0d42df34f0d91b304176f
SHA1b82ccfe7a538987d94137fdb6af52c714d7964da
SHA2562c3d88d6a9262d2478e45a96d57170f01a90528606b44a35b780ea2dc55df06e
SHA5121784834b12c4fdf983db1b2f2c336c7f2b93cc8a26d52f491245fb69e975ef339c2d17ecbc4381681cdf11cb18bd0a2366c4319fef846453e7e82e23c1834342
-
Filesize
4.5MB
MD5c097289ee1c20ac1fbddb21378f70410
SHA1d16091bfb972d966130dc8d3a6c235f427410d7f
SHA256b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2
SHA51246236dba79489272b6b7f9649fb8be5beb4a0b10776adf7b67ef3a9f969a977cde7a99b1b154b4b9142eb1bf72abcadbfd38abaef1eb88d7d03c646645517d0d
-
Filesize
112KB
MD5ef3839826ed36f3a534d1d099665b909
SHA18afbee7836c8faf65da67a9d6dd901d44a8c55ca
SHA256136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040
SHA512040c7f7b7a28b730c6b7d3fabc95671fe1510dac0427a49af127bdeb35c8643234730bf3824f627050e1532a0283895bd41fd8a0f5ac20a994accf81a27514f8
-
Filesize
150B
MD5d11a04f067b4f7187c62e940ff9f73c5
SHA10d8efe877828b9afa3765129df424cf1bb8fad3f
SHA25628639984fe655686819cc10d58bc3d60114fe977a93e5ead4daba85e89eb7e4e
SHA5124491a4e2acba5f14512ac99b9cec82e66ad5e33d1de3f7ad94089b72d1fdb6be79f9d0223902e1fbd9f3b66c4e038b9d421511291ff13abf9a6db9fb64178984
-
Filesize
825KB
MD5c504a500b16885d90b97406df5eefdd1
SHA14fa4943d71d677c28390aac8318ab2664f4855b4
SHA2560af8ec41336faa61c3b7e9463955d440bb48afe3c1e3fe36ddcd097805ef617e
SHA512d2ed7e30a4bca4edfbec68ebe83a4c362a5dd0d7819588bda614ca700c88293d87dd2db1dcf448ce5f916849fac792ea8d7a8a1652b161db315f928dd60bde86
-
Filesize
152B
MD550d5ad3165c72b813f8744e3413a96b3
SHA13900e46f2075a7088bdee2a4fd17977d05ff90d8
SHA2569369c8950ef09d4b84df59453ce2e202b12ae67abf825a865f656002bfe3e072
SHA51211ca4d96a159ea471922658c3bb956777c0a44e056ad89078524d22f8d6cb4bae010db7ccd6f23f7a67e24530c39ac646838c9b2ad665478eb6fdf00a47880ff
-
Filesize
152B
MD5e55832d7cd7e868a2c087c4c73678018
SHA1ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
-
Filesize
152B
MD5c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA14d16a7e82190f8490a00008bd53d85fb92e379b0
SHA2561e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
-
Filesize
1KB
MD563999ae535c91a83c40e8b3edbd22a0b
SHA1a19f6e2ec5acccf531b0240e58666f86542e9b27
SHA256d187331615eaf27622b89438e62c2884c50d0d7de55c4754f980ac2184acac3c
SHA512626a3f5f7b1a14c59f1f0456aeb0ba45c0f978c769ecd94408c931389eccf6847ed5de5ade2f87a3981ade77cd4e1878338aca66a2b4dbe726bd616fda81345d
-
Filesize
573B
MD572d8b549c047805a5315df059bb1539a
SHA13df3770c14379441be3be79eac28f5a1344cdada
SHA256beb758c4229b5c555242bde07bb5e88edd0d43be725dd68c8a4f33e6eddf10f6
SHA5120bee533bd41e2226f9e971c9e4b75dee9d8d8ea545bc8a119d3a3c31bbea9f4c30b0ae3dcb58cfeca103ec4880171d2d63c676ac7a4a71b990e4a5ad376fe4fb
-
Filesize
6KB
MD5ed4129c401ddcedb65e85d899b619a11
SHA1a3249e03d91a1585d0ff1acb0ed0cfc9a6cfbbd5
SHA256d2e92251cb4c0d9e3da88838c5bf304357f35b16989b176a89f0300a34b81758
SHA5128487bf6119f1cd57e2f3c1f696a7ffbb550fb109cca4b09e51a0a39fd37f58a2d6aa78a18dd222d41fd3971d151873a239b33040b786ba62ad840a252a1785c2
-
Filesize
5KB
MD51d3e32b2d7c82e56e13a780bf5aa5de2
SHA1c9101d2d3cfff914f456191a724b350d079578aa
SHA25642567e13cb01b0bc7e89b5cb6d8d75cb8071e4ec612fc41c411f8d437a67788b
SHA512f03cadd041773366815875e943e7040040ab41ca3f5e96bc6c8476b9cd54e834866888e3ef3ddf0a6596f881ef4b97258162c96991c3a70b13f6defffceea24f
-
Filesize
6KB
MD59776c6e26249498ec63b98af7e04b9bb
SHA1927f74cb2e90c69aa66084585a103d32c76ff479
SHA25600c5c8dc87da363498fbb9a5f37f2c61e8fe1ebb721fe52a9a7adc7d60e1fb1b
SHA5127ed41f9213d7cb2a4b51fcd251f92126f0634c34953e6bb9b885ce4d58ad51b49b0cf40c7a9b97b7237d89f88984483e51c011d88616e5fd9a497fe5126ba495
-
Filesize
6KB
MD527f07fdd4eb4bf96e913591bf2c5488e
SHA1f79e68f20f91593ac2c14d03ab553eee579ac266
SHA2565d393b8cad7751d37a13040667aad9d67f2a71508a118d2c271de5ad1e2fec40
SHA5127555519c97910d79a3bcd1e71f0295f1b709d92b18c5fc9d486cf8a436350d0d300fe76fe4023047358dc74170b88dc5fa355b1ea6c5848cfe0e800198b42e8b
-
Filesize
1KB
MD5109f1a07aa294ef4222260ecd04d47f5
SHA1bc11c170c3751397e311a6b288c4c53bba1f37a5
SHA2563ea4fdb7be16107fc1886e1535778da1f582022406d6ec16cccb67504c491ca2
SHA512c3010ccf53a5ed17a35206cd7dbe7c3d77b1f3c7407ce1005ba4e6faed7d378d4c50883136707b522fbb59d3bb404fb147f7867639e3bb7dc085e3f704d482f2
-
Filesize
1KB
MD54cd17f7c86c41805afe822a7a9baebb1
SHA1fbc6e1e46b8f7170a3b78332aed72302599bddcb
SHA256e75ad906a8fd4ee373a96b2073dceebcc5e3277bd21d19818431ebadcab8d1d6
SHA5128293a33148f0908eabdaa2e5d7be68ff329ffc1f0af6e2f5478b4069a19e7e2c3e121ecc669d9577d41cd955dddb9757400fdd082542701ecf23549fdfc5ad9e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD59216d5d0486772516c764677c9e2dda6
SHA14f29d262f8d011424f469709b1b9023ad4088dba
SHA2562a71b2906ff9b9b8eddf98de28bbf5f3bbbd63fd3af7e163793f1508bf6ab344
SHA512b93379c1ae31d81cb82873d3389b1993abb6beba1f76aa3dd7c9935a4a16d159ae52c1863887056a060d4c08e1316307efbf0e44c98ce385a4da1674e0064f8b
-
Filesize
264KB
MD52cab2d95eac558320737af47438db77f
SHA19494ed4a69db95ca03a5a0adc1f0b93f533581e3
SHA256a21ea72577ecad15c089e7586eb6815c3ed4e967f2c2f52a7f36cd8b3fd05890
SHA51271f2cb1af7ff30374d5d8409f0c759f10d956cc4369866243d72ef91ca240ab279fdb741992866b840b30d6bce1a63d24a0a1b0621f3b9ffe7184a28030d2931
-
Filesize
11KB
MD5de44ec893d3d130ce63fefde27bd1737
SHA17014c3ad1e6190905554fbacc7c7538fe6a1f59e
SHA256d85acc0a17715bcb8dca7c8c39a4eee5aaeffd6506be016347ad6e7c8de2c930
SHA5124ad91d7a0ed44737249d9d0aa232b86146c48f23daf43fd937bb6ceb7f721d095322bf43e6de111ec2a0ae5bab829847e30d3749d9b806bf21ee5422dd11a1b3
-
Filesize
55KB
MD5996867ee0cfd71ede0cda93e57789c75
SHA115abbe1362ca9ae1889ea56d3ea07f793ee76665
SHA256c3d83fa6b168c9c53b7f9f4324be6f8053e47047e63199c05665a6bad5a587ed
SHA512e4c3505e9f3c3f4469c858f08e612982e0a24b05b0c3e5aee5c63cd028b48f232c4e7470be50f3443f80b09aa74f2f9e59fc78fd8aba52777a1811033fb6cf00
-
Filesize
318B
MD5e4231534c2813fda3a98d6d6b5b8b3b5
SHA1c22ac56a296756120228cfe77fcc17b9000934c9
SHA256143c93447046030853857088e31ee6c121d63fdfd03f10d36dfdcf6f0634ba43
SHA51259aa526796c7e1de9bf2074fecae7b7520f34fd0f523bbb4c1f111b1b289f0a5bb7b94dc73fd8fec6187076c10d87a56273a09c79c718e388fcbaf5f0dd676cd
-
Filesize
8KB
MD5c0f4dbba918d1c7507f21463c422f29e
SHA1daf5a4e8b449dddd98cfa54c75098c150576a8f6
SHA2564fb1eb0cab27dba73bb042ddfbe470e7c75da6a126d934c3a5650959a7afc849
SHA512fd50f5a631f394fb3d8220c1af4dcc79f66814c56727e3d845fe02ff8dc320927d430177b826f29cff49b55446a52e11be208de76a3f78d02e6b217906c7464a
-
Filesize
52B
MD50508bce1cc472b6b9e899a51e6d16a67
SHA1bfeecf6312f868157503c5a9acf31ccc656e9229
SHA2567786563108861b5f45b09745fca9d139f1a8d2db29d63f4a2db67e90096baed5
SHA5126c5bceada4ce2f612d6b887a6ecb082ba6ac3b2e0f42fab77a7c23e297f2d1fe9fbed1b5da6d974229dcce8091be720ce8345b9ee737149ab41dae196d626634
-
Filesize
233KB
MD5155e389a330dd7d7e1b274b8e46cdda7
SHA16445697a6db02e1a0e76efe69a3c87959ce2a0d8
SHA2566390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05
SHA512df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
40KB
MD553f25f98742c5114eec23c6487af624c
SHA1671af46401450d6ed9c0904402391640a1bddcc2
SHA2567b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705
SHA512f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048
-
Filesize
23KB
MD558b1840b979ae31f23aa8eb3594d5c17
SHA16b28b8e047cee70c7fa42715c552ea13a5671bbb
SHA256b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47
SHA51213548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a
-
Filesize
80KB
MD514da34c98fb358457c69bf69e8397e91
SHA158403035d71e38a4557ceeea63dd77facdc3918a
SHA256fcb50cdd2be67660cafc81b7a2f1842e77bec0dd74c11e1c916599c9582642df
SHA512c254fd912358566b8028cbf5454b175149e49bbf55840db5b54662b7ea50ed4ef429a2546b77e55dc111978af0a41d9393c8ab5f0284227d36edee827f399007
-
Filesize
28KB
MD58e9d7feb3b955e6def8365fd83007080
SHA1df7522e270506b1a2c874700a9beeb9d3d233e23
SHA25694d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022
SHA5124157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536
-
Filesize
22KB
MD5f1ac5c806ed1e188c54e0861cbf1f358
SHA1b2a2895a0eae5e2ef8d10ed0f079d0fcfea9585a
SHA25687b7d23ab8720f1087d50a902244cbbdc25245b29da9bfa54698a4545b82afc4
SHA512ddb61b46a71db7401984e1917f0ef1498883cff76f0a98ff8d65acb08b6d7181511ca57a1e23c7482fc9d26afcf48b662896375b80eff4b2e0d08b7b55d9b98f
-
Filesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
Filesize
72B
MD5343c6f5dcbc9f70509a2659b6dcca34e
SHA1573ce994df7f433ba8d897a03b8beebc1a1e80b7
SHA256375c1af6f2d1fec8595df303bced33d9f80da01fea7d4968e24ef64dfccf78bd
SHA5124b92a1a45c2f1d00eaa58feda3a0de94d91727824c5ec5472f0eb4ba0ee8edfcae8f05b01bacba5263e870f79e5737137f75434e009260d53853b7f86f94ba4e
-
Filesize
834B
MD54caff3a1fff3c9a4184dc586cf232265
SHA195603f1d5febc408dd421b96f8cc7d65b617d073
SHA256dbc040d5f5261175089971582de1761569f6e1bd1f5dfc14cb4d7810cf192d6b
SHA512dab3dbf898e8acb3e55c4411363f807be9ff67c20ef44c8d1505de689f8ba66e4beb7c57ee2fb0e04db1fb89b810beda6e854cd6063c84821f7ca827266ee95b
-
Filesize
3KB
MD583dcab5f77dbe3c6309957368da10d79
SHA144f588cbe597aae47aea2a4c14389d363269f418
SHA25682ee86007227f285a1a1827d076c0abfeceb6fcc29960a9972114744fb37e0cd
SHA51216fc76355027d45e416856bbc2d510acec15a7043f071d97f0c4cbf5752c01360962c31d28a3baff94adc81b4dbce71c15d33ccfa9f987a1df5c7b2e3ef1e034
-
Filesize
439B
MD5ae294ea720e7714ba05305b1eb2c371c
SHA1f491b0abd1e180438a63890fdfbfc22f24e7be39
SHA256ccc6e118a00a915962f2944dbc24dd9dd190e1a05923569f8b7c270d0195c9dd
SHA512dca8c2564c8ee7e08755043a267492ca9a09e0c276bea4b2849905156c449edd31913b9b1ebd5005bda504d96afd873a59aafbef25d2b2e99cf295d7cc2f879d
-
Filesize
621B
MD5499b7f9ec3a5ac8b6616aa7f3532627d
SHA122c313d197228da4b3ce2b174015e98a83823403
SHA2564cc5e2dddcf8fce138ccb4750f8e6fe74ccca4f2ca9b87f269c8a0e02245796b
SHA51279680d9e4088c4fac620e9a30a5be1b5bb0f540f7c1478062f6120cc7898864c3fe7ed136cb1f7519516c77a7ad94cb4f576dc7605444be68e7aceab9e893ed6
-
Filesize
169B
MD58d9590edca00d7f5729e9c1ae6528e1c
SHA1d4fbfb5cef65919d054e0d7fd1f702c023d45044
SHA256ee9ee81f407185677784199d1e14d44e2494f248958f0d00bdd9e9ba2fe7e40d
SHA512ff2390072551d15eb9abdb85484be88d5eaf7bf4dae9651dc4eabd9956086f45c9c55bf1a18f152c3b8c2c1c829c3bfe40aa041f4c87ee4b9319640a7d23adf4
-
Filesize
347B
MD591145866f989a3eb754087c82f2aa038
SHA1aaf58f8e40bd64f328a84259500d2d1ede5d51b7
SHA256b30db7920794dfc63eb5a2fecd5f40e14788606f858c8964c3c6de9c3b6bbca6
SHA5123b90580f6a69d39cf27a943d5c92205ef177aaf2e24ce30e11192a62e24112b7bf8764b2ac861965464422a9692e65e836e3048c208c3cad77331a9e5df165e2
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
64KB
-
Filesize
400KB
-
Filesize
400KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
328KB
-
Filesize
5.6MB
-
Filesize
32KB
-
Filesize
1.2MB
-
Filesize
584KB
-
Filesize
6.0MB
