Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
26s -
max time network
27s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/01/2025, 15:55
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Stealer/Azorult.exe
Resource
win10v2004-20241007-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Stealer/Azorult.exe
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Azorult.exe -
Rms family
-
UAC bypass 3 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe -
Windows security bypass 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths regedit.exe -
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" Azorult.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Azorult.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" Azorult.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" Azorult.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 41 2428 msedge.exe -
resource yara_rule behavioral1/files/0x0007000000023d63-264.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation wini.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 4 IoCs
pid Process 4656 Azorult.exe 2560 wini.exe 2208 winit.exe 732 rutserv.exe -
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 40 raw.githubusercontent.com 41 raw.githubusercontent.com -
Modifies WinLogon 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Azorult.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0008000000023d32-149.dat autoit_exe behavioral1/files/0x0007000000023d64-249.dat autoit_exe -
Hide Artifacts: Hidden Users 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" Azorult.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5788 sc.exe 6132 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Azorult.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rutserv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3932 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings wini.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 781069.crdownload:SmartScreen msedge.exe -
Runs .reg file with regedit 2 IoCs
pid Process 4524 regedit.exe 3792 regedit.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2428 msedge.exe 2428 msedge.exe 4912 msedge.exe 4912 msedge.exe 4936 identity_helper.exe 4936 identity_helper.exe 5020 msedge.exe 5020 msedge.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe 4656 Azorult.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe 4912 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4656 Azorult.exe 2560 wini.exe 2208 winit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4912 wrote to memory of 1100 4912 msedge.exe 84 PID 4912 wrote to memory of 1100 4912 msedge.exe 84 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2408 4912 msedge.exe 85 PID 4912 wrote to memory of 2428 4912 msedge.exe 86 PID 4912 wrote to memory of 2428 4912 msedge.exe 86 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 PID 4912 wrote to memory of 4208 4912 msedge.exe 87 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Azorult.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Azorult.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5532 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Stealer/Azorult.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd1c046f8,0x7fffd1c04708,0x7fffd1c047182⤵PID:1100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:22⤵PID:2408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:2428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵PID:4208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:4536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵PID:2736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:82⤵PID:2780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵PID:972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6080 /prefetch:82⤵PID:1860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020
-
-
C:\Users\Admin\Downloads\Azorult.exe"C:\Users\Admin\Downloads\Azorult.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4656 -
C:\ProgramData\Microsoft\Intel\wini.exeC:\ProgramData\Microsoft\Intel\wini.exe -pnaxui3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2560 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "5⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\regedit.exeregedit /s "reg1.reg"6⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:3792
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "reg2.reg"6⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
PID:4524
-
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3932
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:732
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /firewall6⤵PID:4124
-
-
C:\ProgramData\Windows\rutserv.exerutserv.exe /start6⤵PID:5180
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*6⤵
- Views/modifies file attributes
PID:5532
-
-
C:\Windows\SysWOW64\sc.exesc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/10006⤵
- Launches sc.exe
PID:5788
-
-
C:\Windows\SysWOW64\sc.exesc config RManService DisplayName= "Microsoft Framework"6⤵
- Launches sc.exe
PID:6132
-
-
-
-
C:\ProgramData\Windows\winit.exe"C:\ProgramData\Windows\winit.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2208
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵PID:4444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:12⤵PID:4916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,1749979538921631249,1043644557640755139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵PID:3052
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3684
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3160
-
C:\ProgramData\Windows\rutserv.exeC:\ProgramData\Windows\rutserv.exe1⤵PID:5232
-
C:\ProgramData\Windows\rfusclient.exeC:\ProgramData\Windows\rfusclient.exe2⤵PID:5336
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
1Hidden Users
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
320KB
MD58382847cdc73ba41938181c74cc46c1f
SHA1bf5d307f834194f538329e066f45ca4c3c5b8276
SHA2561eb0095c5db4e451c3939e9f0dc157d4bf02d632f1b6db7ab7014d1edd1d531e
SHA512ebaea3abb4c2340d3682eec24e8f83268dabc2019984b32d6a3b6805d2ab37abdfeb7aaa1263efa6fe07b3ddbbbc7ef2ca7c7e67d95de7d14ceb2bf3efd35225
-
Filesize
384KB
MD5eaf257333b3587b3472904b9e53fd503
SHA118f3e8afdf1c41eb7e9c73e4462eac0e5107d7da
SHA256b143135eee99793ca8322cfe0a916e017503a0cf3ff831b340dede2eac296a8e
SHA512acd4a8973633325c43f2983dd5674cc4da63b8d2acc32ae8696e1b7b5fcf1d720a6792a97150a56d500b9f3cf6507c8d6626b3890907e52d929723f22436f577
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
12KB
MD5806734f8bff06b21e470515e314cfa0d
SHA1d4ef2552f6e04620f7f3d05f156c64888c9c97ee
SHA2567ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544
SHA512007a79f0023a792057b81483f7428956ab99896dd1c8053cac299de5834ac25da2f6f77b63f6c7d46c51ed7a91b8eccb1c082043028326bfa0bfcb47f2b0d207
-
Filesize
1KB
MD56a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1235a78495192fc33f13af3710d0fe44e86a771c9
SHA2564ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d
-
Filesize
1.1MB
MD5bb22f4f6f1f385a25af5f06285529947
SHA14741ff48e9a777f5bb9907b65a22651e53aa7e39
SHA256cc41ce1ee407ae496bb4b5816942d9fcca0aa56e8e9ab30ac4f8b904d5703114
SHA512e30b5bada5ac00dee88be93faf6f1e1dbd5ddaf076625b49f8c423e72cbdb0a75388b7d294c4527f8749ed4f902834e6d3bc7e3e0bcc7def5c8d94aa71184f96
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
1.5MB
MD50d3be1d9bbdfb4833746bb935e7c7ab3
SHA12a651881b6cfd41364f568fdc38b68f924ce24dc
SHA256680e4ae3e639fa6e66a52eb05c4260371e903cdad1951865aa5586fc430f064d
SHA5120419707b40d4409c7f9163293238c58911f229818946ca53a89c3968f2c6d3fb18d8bfcbeda66d125fd3ff55eb648a2ef7c8a6b4729bcf4277d4d9da435e2fbe
-
Filesize
961KB
MD503a781bb33a21a742be31deb053221f3
SHA13951c17d7cadfc4450c40b05adeeb9df8d4fb578
SHA256e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210
SHA512010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45
-
Filesize
418B
MD5db76c882184e8d2bac56865c8e88f8fd
SHA1fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD568f48a3fc31a4a965e3a0ffaa9378031
SHA11ee4f46a8de50672d716955f96efcd8a32deb8e9
SHA25600bbb948bc6fa7daa3c3d4cbcea077625078f27a9b1dc6b01826d8a456ace438
SHA51264cd8ff05e470f0b07368bc58090bea152bfa26295081e44ee05639836c58e2d844f259c3f6417d0956f5756c3e250c11aedb25df8449abce9169e65e5798c0f
-
Filesize
5KB
MD59549024c5f5c3468d3952ce9dc152563
SHA1746210563261fd04f446651d27f2dcb51e035045
SHA25617441ef6263bc3bf7c008c76cb3671d18a582ee97ba63eff5502735be2dff922
SHA512b885231ec672a30438d05545cb1a49f9daf0a80f848a75f04c7b493a0e72212b6eb73147e6cfc9faa7c889fafbe8c5f5b0173d4a93059865d8b6eb1de5a01d8b
-
Filesize
6KB
MD51a55968372a9fa5ebefdabbcdcfef823
SHA1ae4150c98d9cf5b3fcbca380a703b00b7a03b084
SHA256f2f5dc1ab3b7246c9cf8f3bb75c1c32d0310e29fbafaf13c9016ed1be16a789a
SHA512d8a148c7b83882ef3f4876e6dee0ecaef221ee14e6a7abd1f6d65a2bd2ae62e269205c685ba5defc4dfe4b9aa7659487752aa0d773c4438472479b11f5414144
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5afbf281b8331efff133eac1a821edda8
SHA1a2dd4e101761788d8963f26c66d9553d100a48c0
SHA2569d9fae37df89ec6ac197444c07c70016c6a9315e733273b7a532bd72cfd6d34f
SHA51254392ceb2d6bf46df919328307a4fcdbb477c916a368698c5bf394ef1e779ffb2790fe6ae46c27649a79a5f5407b155b85c350229c67e0f32874cd8ea417ee36
-
Filesize
4.5MB
MD5f9a9b17c831721033458d59bf69f45b6
SHA1472313a8a15aca343cf669cfc61a9ae65279e06b
SHA2569276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce
SHA512653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8
-
Filesize
10.0MB
MD55df0cf8b8aa7e56884f71da3720fb2c6
SHA10610e911ade5d666a45b41f771903170af58a05a
SHA256dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360
SHA512724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a
-
Filesize
896KB
MD5e08abdce9f627c50b330f59ba1f0d053
SHA19a3dbfa7f92462e8b5b7f9d0c9639c0e5bd7bd4b
SHA256b8e89d22dc2f88b4bdd641c45a76354888744c1a4de45f2048fee83aa21c2f1b
SHA512bd372a1847e7d7101ca5dbff90db0b7300fdbffad68804daa49c405e27bd899b3c6310ea531cf71754917df3c308f9eae5892da8da26b8c3a8f117b36a606424
-
Filesize
256KB
MD5da33055205d9bd46d8165bd295538242
SHA1ab6a7d9080f5b0c157f6bbfc3316f6c8c2820c69
SHA25673b2bacfe67d7eecd01922ac0201e04c4858213406d104b30b3c679f49c90e56
SHA5123c7e2566f97bb5e6a98951bf3bdc95c140de624d8c085db483ee932c3e15a5960a1a37bd2e081823910514a17d62d61c44beb6f695ab3cffa332c8e69b2e4a4d