{"id":8690,"date":"2024-09-04T05:49:49","date_gmt":"2024-09-04T05:49:49","guid":{"rendered":"\/cybersecurity-blog\/?p=8690"},"modified":"2024-09-04T06:31:06","modified_gmt":"2024-09-04T06:31:06","slug":"azorult-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/azorult-malware-analysis\/","title":{"rendered":"AZORult Malware: Technical Analysis"},"content":{"rendered":"\n<p><em>Editor\u2019s note: This article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on\u00a0<a href=\"https:\/\/x.com\/M4lcode\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.linkedin.com\/in\/m4lcode\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>.<\/em><\/p>\n\n\n\n<p>In this malware analysis report, we examine AZORult, a stealer that targets credentials and payment card information.<\/p>\n\n\n\n<p>Our walk-through covers the malware&#8217;s evolution, including its transition from Delphi to C++ and the introduction of .bit domain support. We then examine a sample of AZORult to uncover its behavior, evasion techniques, and operational tactics. The aim is to document AZORult\u2019s functionality in enough detail to inform detection and response.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview&nbsp;<\/h2>\n\n\n\n<p>AZORult is a credential and payment card information <a href=\"https:\/\/any.run\/malware-trends\/stealer\" target=\"_blank\" rel=\"noreferrer noopener\">stealer<\/a> that can also act as a <a href=\"https:\/\/any.run\/malware-trends\/loader\" target=\"_blank\" rel=\"noreferrer noopener\">downloader<\/a> for other malware families. Version 2 added support for .bit domains: this top-level domain is resolved through the Namecoin blockchain rather than the public DNS, which makes the command-and-control infrastructure harder to sinkhole or take down. <\/p>\n\n\n\n<p>AZORult has been observed operating alongside Chthonic and has been deployed by Ramnit. 
Originally developed in Delphi, the malware was rewritten in C++ in 2019, so signatures written for one lineage do not necessarily carry over to the other.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Basic Analysis&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s begin our analysis of a sample. Here are its key details:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-146\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"146\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Sample hash (SHA-256)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    
data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Creation time (PE timestamp)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2013-12-25 05:01:38 UTC                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-146'>\ntable#wpdtSimpleTable-146{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-146 td, table.wpdtSimpleTable146 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Note that the creation time shown is the compile timestamp from the PE header, and the author has altered it (timestomping): December 2013 predates the family&#8217;s first public appearance in 2016, so the value cannot be used to date the build. The signing time from the certificate, if one is present and valid, or the sandbox&#8217;s first-seen date is a better reference.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"976\" height=\"225\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1.png\" alt=\"\" class=\"wp-image-8691\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1.png 976w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1-300x69.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1-768x177.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1-370x85.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1-270x62.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1-740x171.png 740w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><figcaption 
class=\"wp-element-caption\">The sample was allegedly created on December 25, 2013<\/figcaption><\/figure><\/div>\n\n\n<p>First we run the sample in the <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=azorult_analysis&amp;utm_term=040924&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a> to observe its behavior in a real-time and fully interactive virtual environment. <\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d6939efb-0f46-41c2-ae3c-40bc190daa61\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=azorult_analysis&amp;utm_term=040924&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View the analysis session<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-1024x568.jpg\" alt=\"\" class=\"wp-image-8692\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-1024x568.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-300x166.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-768x426.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-1536x852.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-370x205.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-270x150.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-740x410.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2.jpg 1679w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The initial sample analyzed in the ANY.RUN sandbox<\/figcaption><\/figure><\/div>\n\n\n<p>The sample 
performs two notable actions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Executes a <a href=\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell command<\/a>&nbsp;<\/li>\n<li>Drops a file belonging to the AZORult malware family&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The PowerShell command launches a <a href=\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\" target=\"_blank\" rel=\"noreferrer noopener\">script<\/a> in a hidden window:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code style=\"white-space: pre-wrap;\">\"powershell.exe\" -windowstyle hidden \"$Nummmeret=Get-Content 'C:\\Users\\admin\\AppData\\Local\\Temp\\forgrovelse\\konstituerendes\\Printermanualens.Ear';$Trojanerens=$Nummmeret.SubString(42833,3);.$Trojanerens($Nummmeret) \" <\/code><\/pre>\n\n\n\n<p>This command performs the following:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reads the contents of the file C:\\Users\\admin\\AppData\\Local\\Temp\\forgrovelse\\konstituerendes\\Printermanualens.Ear into the variable $Nummmeret.&nbsp;<\/li>\n<li>Extracts three characters from $Nummmeret starting at index 42833 and stores them in $Trojanerens.&nbsp;<\/li>\n<li>Invokes whatever command those three characters name. The leading dot is PowerShell&#8217;s dot-source operator, so <code>.$Trojanerens($Nummmeret)<\/code> runs that command in the current scope with the entire file contents as its argument.<\/li>\n<\/ul>\n\n\n\n<p>In other words, the .Ear file is both the carrier and the script: everything except three bytes at a fixed offset is payload, and the name of the command that evaluates it never appears on the command line. That keeps the invocation cmdlet out of command-line telemetry such as process-creation events; PowerShell Script Block Logging (event 4104), if enabled, still records the code that eventually executes. An analyst can recover the command name without running anything by reading three characters at offset 42833 of the dropped file, and can neutralise the loader for inspection by replacing that token with a cmdlet that only prints its argument.<\/p>\n\n\n\n<p>It also drops a file named Declinometer235.exe, the main AZORult payload.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"796\" height=\"129\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6.png\" alt=\"\" class=\"wp-image-8693\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6.png 796w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6-300x49.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6-768x124.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6-370x60.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6-270x44.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-6-740x120.png 740w\" sizes=\"(max-width: 796px) 100vw, 796px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN displays the SHA-256 hash of the malicious payload file<\/figcaption><\/figure><\/div>\n\n\n<p>The malware tries to contact thirteen IP addresses and one malicious domain.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"804\" height=\"457\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5.png\" alt=\"\" class=\"wp-image-8694\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5.png 804w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5-768x437.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-5-740x421.png 740w\" sizes=\"(max-width: 804px) 100vw, 804px\" \/><figcaption class=\"wp-element-caption\">ANY.RUN provides IOCs for malware and phishing samples<\/figcaption><\/figure><\/div>\n\n\n<p>An analysis of the sample using UnpacMe suggested that it was likely not <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-packers-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">packed<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"383\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-1024x383.png\" alt=\"\" class=\"wp-image-8695\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-1024x383.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-300x112.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-768x287.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-370x138.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-270x101.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4-740x277.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-4.png 1405w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The sample has no packer<\/figcaption><\/figure><\/div>\n\n\n<p>Let&#8217;s see the imports.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"333\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-1024x333.png\" alt=\"\" class=\"wp-image-8696\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-1024x333.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-768x250.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-370x120.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-270x88.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3-740x241.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-3.png 1270w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The import table lists functions that query, modify, and delete registry keys<\/figcaption><\/figure><\/div>\n\n\n<p>Judging by the import table, the malware queries, deletes, and modifies registry keys and uses at least one anti-debugging technique, examined below. This static list is incomplete, however: as shown in the Advanced Analysis section, several APIs are resolved at runtime and never appear here.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"952\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3.png\" alt=\"\" class=\"wp-image-8697\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3.png 952w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-3-740x442.png 740w\" sizes=\"(max-width: 952px) 100vw, 952px\" \/><figcaption class=\"wp-element-caption\">The certificate is issued by Pretermit Brunbejdsedes<\/figcaption><\/figure><\/div>\n\n\n<p>The sample carries a digital <a href=\"https:\/\/any.run\/cybersecurity-blog\/advanced-process-details\/\" target=\"_blank\" rel=\"noreferrer noopener\">certificate<\/a>. A signature by itself is not evidence of legitimacy: what matters is whether the certificate chains to a trusted root, whether it is self-signed, and whether it has been revoked, and the name on this certificate, Pretermit Brunbejdsedes, corresponds to no known vendor.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Advanced Analysis<\/h2>\n\n\n\n<p>Let&#8217;s now open the sample in IDA to take a closer look at its code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"697\" height=\"370\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-4.png\" alt=\"\" class=\"wp-image-8698\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-4.png 697w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-4-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-4-370x196.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-4-270x143.png 270w\" sizes=\"(max-width: 697px) 100vw, 697px\" \/><figcaption class=\"wp-element-caption\">Code of the load_SHGetFolderPathW function<\/figcaption><\/figure><\/div>\n\n\n<p>The function named load_SHGetFolderPathW resolves <strong>SHGetFolderPathW<\/strong>, the shell API that returns the paths of known folders such as the user profile and AppData directories.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"387\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-1024x387.png\" alt=\"\" class=\"wp-image-8699\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-1024x387.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-300x113.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-768x290.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-370x140.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-270x102.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3-740x280.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-3.png 1087w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The malware loads SHGetFolderPathW<\/figcaption><\/figure><\/div>\n\n\n<p>It then retrieves the TEMP path with <strong>GetTempPathW<\/strong> and stores it in an environment variable.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image10-3.png\" alt=\"\" class=\"wp-image-8700\" width=\"300\" height=\"509\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image10-3-177x300.png 177w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image10-3-270x457.png 270w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><figcaption class=\"wp-element-caption\">GetTempPathW is used to retrieve the temporary directory path<\/figcaption><\/figure><\/div>\n\n\n<p>It uses the <strong>GetTickCount<\/strong> API to detect whether it is being debugged.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"458\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11.jpeg\" alt=\"\" class=\"wp-image-8702\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11.jpeg 975w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11-300x141.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11-768x361.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11-370x174.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11-270x127.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11-740x348.jpeg 740w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><figcaption class=\"wp-element-caption\">The malware is equipped with anti-debugging capabilities<\/figcaption><\/figure><\/div>\n\n\n<p>Debugging slows execution down. The sample reads GetTickCount before and after a stretch of code and compares the difference against a threshold; a breakpoint or single-stepping inside that stretch inflates the difference by orders of magnitude, which is the anomaly the check keys on. 
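<\/p>

<p>The check is simple enough to model in a few lines. The following Python is an added example, not code from the sample or from the author: it reproduces the logic of a GetTickCount-based timing check (32-bit millisecond counter, wraparound-safe subtraction, comparison against a threshold) with a portable stand-in for the API, and then shows the two things an analyst needs to know about it: any pause inside the timed region trips it, and feeding the check a frozen or controlled clock defeats it. The one-second threshold and the FakeClock helper are assumptions for illustration, not values taken from the binary.<\/p>

```python
"""Model of a GetTickCount-style timing check and how it is defeated.

Added example, not code from the AZORult sample or its author. GetTickCount
returns a 32-bit count of milliseconds since boot that wraps after ~49.7 days,
so the elapsed time must be computed modulo 2**32, which is what the malware's
32-bit subtraction does implicitly. time.monotonic() stands in for the API so
the model runs anywhere; the 1000 ms threshold is an assumption.
"""
import time
from typing import Callable

TICK_MASK = 0xFFFFFFFF  # GetTickCount returns a DWORD


def get_tick_count() -> int:
    """Portable stand-in for GetTickCount: milliseconds, truncated to 32 bits."""
    return int(time.monotonic() * 1000) & TICK_MASK


def tick_delta(start: int, end: int) -> int:
    """Elapsed ticks between two readings, correct across the 32-bit wrap."""
    return (end - start) & TICK_MASK


def debugger_suspected(
    work: Callable[[], None],
    clock: Callable[[], int] = get_tick_count,
    threshold_ms: int = 1000,
) -> bool:
    """Time `work` between two clock reads; True if it overran threshold_ms.

    This is the malware's check: a breakpoint or single-stepping inside `work`
    inflates the delta by orders of magnitude, so a long delta is read as
    "a debugger is attached".
    """
    start = clock()
    work()
    return tick_delta(start, clock()) > threshold_ms


class FakeClock:
    """Controllable tick source: starts at `start`, advances by `step` per read.

    step=0 is a frozen clock, the effect of a debugger plugin that hooks
    GetTickCount; a large step models the pause a breakpoint introduces.
    """

    def __init__(self, start: int, step: int = 0) -> None:
        self.tick = start
        self.step = step

    def __call__(self) -> int:
        value = self.tick
        self.tick = (self.tick + self.step) & TICK_MASK
        return value


if __name__ == "__main__":
    print("no debugger, real clock:", debugger_suspected(lambda: None))
    print("paused 5 s at a breakpoint:", debugger_suspected(lambda: None, FakeClock(0, 5000)))
    print("frozen clock (hooked API):", debugger_suspected(lambda: None, FakeClock(0, 0)))
    print("delta across the 49.7-day wrap:", tick_delta(0xFFFFFF00, 0x100))
```

<p>In a real debugging session the equivalent of FakeClock is an anti-anti-debug plugin such as ScyllaHide hooking GetTickCount, or simply patching the conditional jump after the comparison. The threshold the sample actually uses is the immediate operand of that comparison; read it from the disassembly before deciding how long a pause the check tolerates.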
<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"959\" height=\"305\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12.jpeg\" alt=\"\" class=\"wp-image-8703\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12.jpeg 959w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12-300x95.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12-768x244.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12-370x118.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12-270x86.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12-740x235.jpeg 740w\" sizes=\"(max-width: 959px) 100vw, 959px\" \/><figcaption class=\"wp-element-caption\">GetTickCount returns the number of milliseconds elapsed since system boot as a 32-bit value<\/figcaption><\/figure><\/div>\n\n\n<p>If the elapsed time exceeds the threshold, the sample concludes that a debugger is attached. Two details matter when stepping through this code: GetTickCount advances in system-timer increments of roughly 10 to 16 ms, so the threshold is necessarily coarse, and the counter wraps after about 49.7 days, which the 32-bit subtraction handles naturally. Stepping over the timed region in one go, or hooking GetTickCount to return a constant, keeps the check quiet.<\/p>\n\n\n\n<p>The malware also creates, writes to, and reads a new file.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"336\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13.jpeg\" alt=\"\" class=\"wp-image-8704\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13.jpeg 975w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13-300x103.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13-768x265.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13-370x128.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13-270x93.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image13-740x255.jpeg 740w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><figcaption class=\"wp-element-caption\">CreateFileW function creates or opens a file<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"494\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14.jpeg\" alt=\"\" class=\"wp-image-8705\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14.jpeg 975w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14-300x152.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14-768x389.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14-370x187.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14-270x137.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image14-740x375.jpeg 740w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><figcaption class=\"wp-element-caption\">WriteFile writes data to a specified file, while ReadFile reads data from a specified file<\/figcaption><\/figure><\/div>\n\n\n<p>The return values of these calls are stored in the local variable named Buffer.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image15.png\" alt=\"\" class=\"wp-image-8706\" width=\"513\" height=\"167\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image15.png 513w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image15-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image15-370x120.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image15-270x88.png 270w\" sizes=\"(max-width: 513px) 100vw, 513px\" \/><figcaption class=\"wp-element-caption\">The return values of the functions are stored in Buffer<\/figcaption><\/figure><\/div>\n\n\n<p>It queries the value under the key <strong>HKEY_CURRENT_USER\\Control Panel\\Desktop\\ResourceLocale<\/strong>. This value is a string holding the hexadecimal LANGID of the user&#8217;s UI language (for example 00000409 for English, United States), which gives the malware a cheap way to identify the host&#8217;s locale without calling a locale API.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"242\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-1024x242.png\" alt=\"\" class=\"wp-image-8707\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-1024x242.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-768x181.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-370x87.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16-740x175.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image16.png 1250w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The malware tries to identify the language ID of the UI<\/figcaption><\/figure><\/div>\n\n\n<p>This code enables <strong>SeShutdownPrivilege<\/strong> in the process&#8217;s own access token. Holding that privilege enabled is a prerequisite for ExitWindowsEx, so the purpose is most likely to force a reboot or logoff, either to disrupt the host or to make its changes take effect after a restart. Note that AdjustTokenPrivileges can only enable privileges the token already holds; SeShutdownPrivilege is granted to standard users by default, so this is not an elevation of privilege.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"754\" height=\"298\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image17.png\" alt=\"\" class=\"wp-image-8708\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image17.png 754w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image17-300x119.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image17-370x146.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image17-270x107.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image17-740x292.png 740w\" sizes=\"(max-width: 754px) 100vw, 754px\" \/><figcaption class=\"wp-element-caption\">The malware enables SeShutdownPrivilege, which is required to reboot the system<\/figcaption><\/figure><\/div>\n\n\n<p>The 
function interacts with the clipboard. For a stealer this serves two purposes: harvesting anything the user has copied, such as passwords and cryptocurrency wallet addresses, and, in clipper-style code, replacing a copied wallet address with the attacker&#8217;s own. Whether this sample only reads or also writes back is settled by checking for a SetClipboardData call on the write path.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"892\" height=\"393\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18.png\" alt=\"\" class=\"wp-image-8709\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18.png 892w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18-300x132.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18-768x338.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18-370x163.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18-270x119.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image18-740x326.png 740w\" sizes=\"(max-width: 892px) 100vw, 892px\" \/><figcaption class=\"wp-element-caption\">The malware manipulates the clipboard<\/figcaption><\/figure><\/div>\n\n\n<p>After looking at the strings section, we found the following:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"342\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image19.png\" alt=\"\" class=\"wp-image-8710\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image19.png 720w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image19-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image19-370x176.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image19-270x128.png 270w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><figcaption class=\"wp-element-caption\">AZORult uses several system functions<\/figcaption><\/figure><\/div>\n\n\n<p><strong>off_40940C<\/strong> contains the following strings in the .data section:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"GetDiskFreeSpaceExW\"\n\"MoveFileExW\"\n\"RegDeleteKeyExW\"\n\"OpenProcessToken\"\n\"LookupPrivilegeValueW\"\n\"AdjustTokenPrivileges\"\n\"GetUserDefaultUILanguage\"\n\"SHAutoComplete\"\n\"SHFOLDER\"\n\"SHGetFolderPathW\"<\/code><\/pre>\n\n\n\n<p>Let&#8217;s see the xrefs of <strong>off_40940C<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"675\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-1024x675.png\" alt=\"\" class=\"wp-image-8711\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-1024x675.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-300x198.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-768x506.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-370x244.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-270x178.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20-740x488.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image20.png 1224w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">GetProcAddress is used to resolve the APIs<\/figcaption><\/figure><\/div>\n\n\n<p>It uses <strong>LoadLibraryA<\/strong> and <strong>GetProcAddress<\/strong> to resolve these APIs at runtime. Because the names live in .data as plain strings rather than in the import directory, they are invisible to tools that only read the import table, which is why the import list in the Basic Analysis section looks so modest. SHFOLDER in the list is not an API but a library name (shfolder.dll) passed to LoadLibraryA; given its position right before SHGetFolderPathW, that is presumably where the function we saw loaded at the start of this section comes from. The same table also accounts for the privilege and language behaviour described above.<\/p>\n\n\n\n<p>The malware uses <strong>GetDiskFreeSpaceExW<\/strong> to check whether there is enough disk space available before attempting to install or execute. 
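<\/p>

<p>The string table above is exactly what an analyst looks for when an import list seems too short for what a sample does, so here is an added Python example (not code from the sample or from the author) that automates the check: it extracts printable ASCII runs from a section&#8217;s raw bytes, keeps those that are names of Windows APIs of interest, and reports the ones absent from the import table, i.e. the candidates for LoadLibraryA\/GetProcAddress resolution. The API list is seeded with the names from off_40940C plus a few injection-related names added as an assumption; the .data fragment and the import list are constructed for the demo rather than taken from the binary.<\/p>

```python
"""Spot API names that a binary resolves at runtime instead of importing.

Added example, not code from the AZORult sample or its author. The sample keeps
names such as "GetDiskFreeSpaceExW" as plain strings in .data and resolves them
with LoadLibraryA/GetProcAddress, so they never show up in the import table.
Given a section's raw bytes and the names that *are* imported, this reports the
API strings present in the data but missing from the imports.
"""
import re
from typing import Dict, List, Set

# Names from the off_40940C table on this page plus a few commonly resolved at
# runtime by injectors (the extra names are an assumption, not from the sample).
API_NAMES: Set[str] = {
    "GetDiskFreeSpaceExW", "MoveFileExW", "RegDeleteKeyExW", "OpenProcessToken",
    "LookupPrivilegeValueW", "AdjustTokenPrivileges", "GetUserDefaultUILanguage",
    "SHAutoComplete", "SHGetFolderPathW",
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtUnmapViewOfSection",
}
# Library names are LoadLibraryA arguments, not functions; SHFOLDER is shfolder.dll.
DLL_NAMES: Set[str] = {"SHFOLDER", "KERNEL32", "ADVAPI32", "SHELL32", "SHLWAPI"}


def ascii_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings -n <min_len>`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def runtime_resolved(data: bytes, imported: Set[str]) -> Dict[str, List[str]]:
    """API names found in `data` but absent from `imported`, plus DLL names seen."""
    found = set(ascii_strings(data))
    return {
        "apis": sorted(name for name in found if name in API_NAMES and name not in imported),
        "dlls": sorted(name for name in found if name.upper() in DLL_NAMES),
    }


def looks_like_dynamic_import(data: bytes, imported: Set[str]) -> bool:
    """The tell-tale combination: GetProcAddress is imported and API names sit in the data."""
    hits = runtime_resolved(data, imported)
    return "GetProcAddress" in imported and len(hits["apis"]) > 0


# Constructed .data fragment laid out the way the sample's table is: NUL-terminated
# names back to back, with some padding bytes around them.
SAMPLE_DATA = (
    b"\x00\x00\xcc" + b"\x00".join([
        b"GetDiskFreeSpaceExW", b"MoveFileExW", b"RegDeleteKeyExW", b"OpenProcessToken",
        b"LookupPrivilegeValueW", b"AdjustTokenPrivileges", b"GetUserDefaultUILanguage",
        b"SHAutoComplete", b"SHFOLDER", b"SHGetFolderPathW",
    ]) + b"\x00\xcc\xcc\xcc"
)

# Constructed import list: the loader pair plus registry APIs. OpenProcessToken is
# pretended to be statically imported to show that it is then not reported.
SAMPLE_IMPORTS: Set[str] = {
    "LoadLibraryA", "GetProcAddress", "RegQueryValueExW", "RegSetValueExW",
    "RegDeleteValueW", "OpenProcessToken",
}

if __name__ == "__main__":
    for kind, names in runtime_resolved(SAMPLE_DATA, SAMPLE_IMPORTS).items():
        print(kind, names)
    print("dynamic import pattern:", looks_like_dynamic_import(SAMPLE_DATA, SAMPLE_IMPORTS))
```

<p>In practice the bytes come from the section dump of the PE (for example via pefile) and the import list from its import directory; GetProcAddress in the imports together with API names in the data is the pattern worth alerting on, and the reported names are the ones to set breakpoints on when the import table gives you nothing to work with.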
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"805\" height=\"451\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1.png\" alt=\"\" class=\"wp-image-8716\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1.png 805w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1-768x430.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image21-1-740x415.png 740w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><\/figure>\n\n\n\n<p>If the disk is nearly full, the malware might avoid installation to prevent detection or impact.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">LookupPrivilegeValueW\/ AdjustTokenPrivileges&nbsp;<\/h3>\n\n\n\n<p>Malware uses <strong>LookupPrivilegeValueW<\/strong> to get the LUID for a privilege like SE_DEBUG_NAME or SE_SYSTEM_ENVIRONMENT_NAME, which allow it to perform actions like debugging other processes or modifying system settings.&nbsp;<\/p>\n\n\n\n<p>It uses <strong>AdjustTokenPrivileges<\/strong> to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modify Privileges: By adjusting token privileges, malware can avoid detection by security software or make modifications to the system that are not typically allowed under normal user privileges.&nbsp;<\/li>\n\n\n\n<li>Access Sensitive Operations: Malware might need elevated privileges to modify system settings, access protected files, or inject code into other processes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">GetUserDefaultUILanguage&nbsp;<\/h3>\n\n\n\n<p>This API provides the language used for the user interface 
of Windows.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"522\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1.png\" alt=\"\" class=\"wp-image-8715\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1.png 838w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1-300x187.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1-768x478.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1-370x230.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1-270x168.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image22-1-740x461.png 740w\" sizes=\"(max-width: 838px) 100vw, 838px\" \/><\/figure>\n\n\n\n<p>It is used to tailor the malware&#8217;s behavior or appearance based on the language of the system to avoid detection or appear more localized.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>The AZORult malware represents a highly adaptable and sophisticated threat, evolving significantly since its initial development. As observed, AZORult employs various techniques to evade detection and maximize its impact, such as anti-debugging measures, use of environment variables, and privilege escalation.&nbsp;<\/p>\n\n\n\n<p>The malware\u2019s ability to operate in hidden modes, drop additional malicious files, and interact with multiple IP addresses and domains underscores its potential for widespread damage. <\/p>\n\n\n\n<p>The use of specific Windows API calls for tasks like checking disk space, adjusting token privileges, and manipulating system settings reflects a well-designed strategy to ensure persistence and effectiveness. 
The presence of digital certificates and obfuscation techniques further complicates detection and analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=azorult_analysis&amp;utm_term=040924&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>With ANY.RUN you can:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds.<\/li>\n<li>Interact with samples in real time.<\/li>\n<li>Save time and money on sandbox setup and maintenance.<\/li>\n<li>Record and study all aspects of malware behavior.<\/li>\n<li>Collaborate with your team.<\/li>\n<li>Scale as you need.<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=azorult_analysis&amp;utm_term=040924&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">MD5 Hash<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-147\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"147\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        0824428fdccf3c63fc1ca19a1dd7ef74                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-147'>\ntable#wpdtSimpleTable-147{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-147 td, table.wpdtSimpleTable147 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">DNS requests<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-148\"\n           style=\"border-collapse:collapse;\n                   
border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"148\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        ehzwq[.]shop                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        fp-afd-nocache-ccp.azureedge[.]net                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        r10.o.lencr[.]org                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        a-ring-fallback[.]msedge[.]net                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        t-ring-fdv2[.]msedge[.]net                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        reap.skyestates[.]com[.]mt                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-148'>\ntable#wpdtSimpleTable-148{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-148 td, table.wpdtSimpleTable148 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">IP connections<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-149\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"4\"\n           data-wpID=\"149\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" 
>\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        108.167.181.251                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        20.166.126.56                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        52.168.117.175                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        20.223.35.26                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n     
               data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2.23.209.130                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2.23.209.158                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2.23.209.140                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        13.107.246.45                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n      
                                  131.253.33.254                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20.99.185.48                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2.23.209.140                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        13.107.246.45                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        131.253.33.254                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                            
                data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20.99.185.48                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-empty-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                                            <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-149'>\ntable#wpdtSimpleTable-149{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-149 td, table.wpdtSimpleTable149 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Registry keys<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-150\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"150\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    
<tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        HKEY_USERS\\S-1-5-21-575823232-3065301323-1442773979-1000\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22\\luftrr<br> <br>\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22\\luftrr <br> <br>\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22luftrr <br> \nSpidsfindigeres22\\luftrr <br> <br>\nfordjelsesbesvret\\Uninstall\\Spidsfindigeres22\\luftrr <br> <br>\nHKEY_CURRENT_USER\\fordjelsesbesvret <br> <br>\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall <br> <br>\nHKEY_CURRENT_USER\\fordjelsesbesvret\\Uninstall\\Spidsfindigeres22                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-150'>\ntable#wpdtSimpleTable-150{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-150 td, table.wpdtSimpleTable150 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Mutexes&nbsp;<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-151\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"4\"\n           data-wpID=\"151\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                    
        data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        Global\\6b9d2ecb-1948-49c6-b61f-9cc3ad1d78d1                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Global\\AmiProviderMutex_InventoryApplicationFile                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Global\\OneSettingQueryMutex+compat+encapsulation                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Local\\WERReportingForProcess1284                    
<\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-151'>\ntable#wpdtSimpleTable-151{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-151 td, table.wpdtSimpleTable151 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">MITRE ATT&amp;CK TTPs&nbsp;<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-152\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"54\"\n           data-wpID=\"152\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-tc-000000 wpdt-align-center wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        TACTIC                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-tc-000000 wpdt-align-center wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        TECHNIQUE                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-tc-000000 wpdt-align-center wpdt-bold\"\n                                            
data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        MITRE ATT&CK ID\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"6\"                     data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows Management Instrumentation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1047\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                      
                      data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Command and Scripting Interpreter\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PowerShell\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.001\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n    
                data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Scripting\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1064 (deprecated)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Native API\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1106\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Shared Modules\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1129\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"4\"                     data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Boot or Logon Autostart Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n    
                >\n                                        T1547\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Shortcut Modification\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1547.009\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hijack Execution Flow\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                           
             T1574\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DLL Side-Loading\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1574.002\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"5\"                     data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Privilege Escalation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
Process Injection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1055\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Boot or Logon Autostart Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C13\"\n                    data-col-index=\"2\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1547\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Shortcut Modification\u00a0         
           <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C14\"\n                    data-col-index=\"2\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1547.009\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hijack Execution Flow\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C15\"\n                    data-col-index=\"2\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1574\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B16\"\n                    data-col-index=\"1\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DLL Side-Loading\u00a0                    <\/td>\n                          
                      <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C16\"\n                    data-col-index=\"2\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1574.002\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"16\"                     data-cell-id=\"A17\"\n                    data-col-index=\"0\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B17\"\n                    data-col-index=\"1\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Obfuscated Files or Information\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C17\"\n                    data-col-index=\"2\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                         
                   <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B18\"\n                    data-col-index=\"1\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Software Packing\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C18\"\n                    data-col-index=\"2\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027.002\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B19\"\n                    data-col-index=\"1\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Embedded Payloads\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C19\"\n                    data-col-index=\"2\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1027.009\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell 
wpdt-align-left\"\n                                            data-cell-id=\"B20\"\n                    data-col-index=\"1\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Masquerading\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C20\"\n                    data-col-index=\"2\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1036\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B21\"\n                    data-col-index=\"1\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Process Injection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C21\"\n                    data-col-index=\"2\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1055\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                      
      data-cell-id=\"B22\"\n                    data-col-index=\"1\"\n                    data-row-index=\"21\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Scripting\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C22\"\n                    data-col-index=\"2\"\n                    data-row-index=\"21\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1064 (deprecated)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B23\"\n                    data-col-index=\"1\"\n                    data-row-index=\"22\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Indicator Removal\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C23\"\n                    data-col-index=\"2\"\n                    data-row-index=\"22\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1070\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B24\"\n                   
 data-col-index=\"1\"\n                    data-row-index=\"23\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Timestomp\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C24\"\n                    data-col-index=\"2\"\n                    data-row-index=\"23\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1070.006\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B25\"\n                    data-col-index=\"1\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Modify Registry\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C25\"\n                    data-col-index=\"2\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1112\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B26\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"25\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Deobfuscate\/Decode Files or Information\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C26\"\n                    data-col-index=\"2\"\n                    data-row-index=\"25\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1140\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B27\"\n                    data-col-index=\"1\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        File and Directory Permissions Modification\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C27\"\n                    data-col-index=\"2\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1222\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B28\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Virtualization\/Sandbox Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C28\"\n                    data-col-index=\"2\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1497\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B29\"\n                    data-col-index=\"1\"\n                    data-row-index=\"28\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hide Artifacts\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C29\"\n                    data-col-index=\"2\"\n                    data-row-index=\"28\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1564\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B30\"\n                    data-col-index=\"1\"\n                    data-row-index=\"29\"\n                  
  style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hidden Window\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C30\"\n                    data-col-index=\"2\"\n                    data-row-index=\"29\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1564.003\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B31\"\n                    data-col-index=\"1\"\n                    data-row-index=\"30\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Hijack Execution Flow\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C31\"\n                    data-col-index=\"2\"\n                    data-row-index=\"30\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1574\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B32\"\n                    data-col-index=\"1\"\n                    data-row-index=\"31\"\n                    style=\"                    padding:10px;\n   
                 \"\n                    >\n                                        DLL Side-Loading\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C32\"\n                    data-col-index=\"2\"\n                    data-row-index=\"31\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1574.002\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"4\"                     data-cell-id=\"A33\"\n                    data-col-index=\"0\"\n                    data-row-index=\"32\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credential Access\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B33\"\n                    data-col-index=\"1\"\n                    data-row-index=\"32\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        OS Credential Dumping\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C33\"\n                    data-col-index=\"2\"\n                    data-row-index=\"32\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1003\u00a0          
          <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B34\"\n                    data-col-index=\"1\"\n                    data-row-index=\"33\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Unsecured Credentials\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C34\"\n                    data-col-index=\"2\"\n                    data-row-index=\"33\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1552\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B35\"\n                    data-col-index=\"1\"\n                    data-row-index=\"34\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credentials In Files\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C35\"\n                    data-col-index=\"2\"\n                    data-row-index=\"34\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1552.001\u00a0                    <\/td>\n                       
                 <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B36\"\n                    data-col-index=\"1\"\n                    data-row-index=\"35\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credentials in Registry\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C36\"\n                    data-col-index=\"2\"\n                    data-row-index=\"35\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1552.002\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"9\"                     data-cell-id=\"A37\"\n                    data-col-index=\"0\"\n                    data-row-index=\"36\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B37\"\n                    data-col-index=\"1\"\n                    data-row-index=\"36\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Application Window Discovery\u00a0                    <\/td>\n                  
                              <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C37\"\n                    data-col-index=\"2\"\n                    data-row-index=\"36\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1010\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B38\"\n                    data-col-index=\"1\"\n                    data-row-index=\"37\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Query Registry\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C38\"\n                    data-col-index=\"2\"\n                    data-row-index=\"37\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1012\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B39\"\n                    data-col-index=\"1\"\n                    data-row-index=\"38\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Remote System Discovery\u00a0                    <\/td>\n                                                <td 
class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C39\"\n                    data-col-index=\"2\"\n                    data-row-index=\"38\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1018\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B40\"\n                    data-col-index=\"1\"\n                    data-row-index=\"39\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Process Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C40\"\n                    data-col-index=\"2\"\n                    data-row-index=\"39\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1057\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B41\"\n                    data-col-index=\"1\"\n                    data-row-index=\"40\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Information Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n    
                                        data-cell-id=\"C41\"\n                    data-col-index=\"2\"\n                    data-row-index=\"40\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1082\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B42\"\n                    data-col-index=\"1\"\n                    data-row-index=\"41\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        File and Directory Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C42\"\n                    data-col-index=\"2\"\n                    data-row-index=\"41\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1083\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B43\"\n                    data-col-index=\"1\"\n                    data-row-index=\"42\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Virtualization\/Sandbox Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                               
             data-cell-id=\"C43\"\n                    data-col-index=\"2\"\n                    data-row-index=\"42\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1497\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B44\"\n                    data-col-index=\"1\"\n                    data-row-index=\"43\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Software Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C44\"\n                    data-col-index=\"2\"\n                    data-row-index=\"43\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1518\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B45\"\n                    data-col-index=\"1\"\n                    data-row-index=\"44\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Security Software Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C45\"\n      
              data-col-index=\"2\"\n                    data-row-index=\"44\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1518.001\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"7\"                     data-cell-id=\"A46\"\n                    data-col-index=\"0\"\n                    data-row-index=\"45\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Collection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B46\"\n                    data-col-index=\"1\"\n                    data-row-index=\"45\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Data from Local System\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C46\"\n                    data-col-index=\"2\"\n                    data-row-index=\"45\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1005\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B47\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"46\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Email Collection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C47\"\n                    data-col-index=\"2\"\n                    data-row-index=\"46\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1114\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B48\"\n                    data-col-index=\"1\"\n                    data-row-index=\"47\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Clipboard Data\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C48\"\n                    data-col-index=\"2\"\n                    data-row-index=\"47\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1115\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B49\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"48\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Video Capture\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C49\"\n                    data-col-index=\"2\"\n                    data-row-index=\"48\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1125\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B50\"\n                    data-col-index=\"1\"\n                    data-row-index=\"49\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Application Layer Protocol\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C50\"\n                    data-col-index=\"2\"\n                    data-row-index=\"49\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1071\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B51\"\n                    data-col-index=\"1\"\n                    data-row-index=\"50\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        Non-Application Layer Protocol\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C51\"\n                    data-col-index=\"2\"\n                    data-row-index=\"50\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1095\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B52\"\n                    data-col-index=\"1\"\n                    data-row-index=\"51\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Encrypted Channel\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C52\"\n                    data-col-index=\"2\"\n                    data-row-index=\"51\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1573\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"A53\"\n                    data-col-index=\"0\"\n                    data-row-index=\"52\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        Impact\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B53\"\n                    data-col-index=\"1\"\n                    data-row-index=\"52\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Shutdown\/Reboot\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C53\"\n                    data-col-index=\"2\"\n                    data-row-index=\"52\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1529\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                            <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B54\"\n                    data-col-index=\"1\"\n                    data-row-index=\"53\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Shutdown\/Reboot\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C54\"\n                    data-col-index=\"2\"\n                    data-row-index=\"53\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1529\u00a0  
                  <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-152'>\ntable#wpdtSimpleTable-152{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-152 td, table.wpdtSimpleTable152 th { white-space: normal !important; }\n.wpdt-tc-000000 { color: #000000 !important;}\n<\/style>\n\n","protected":false}}