Analysis
max time kernel: 97s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 18:55
Static task: static1
Behavioral task: behavioral1
Sample: 7ZSfxMod.exe
Resource: win7-20240903-en
General
Target: 7ZSfxMod.exe
Size: 3.6MB
MD5: 60360a0972149ee8ca84c288bdf39d6c
SHA1: 843c4ffbca3b189088180661939c6a13dd01d20c
SHA256: b2afdcbf92f1b41139d177ef0f232631b25f5b05731b7348de0ad7ef89ed51a1
SHA512: aab61fc28a166c1cb653c5482e3f6db70ee88216a28805a78d8072777e1c44a0461c9edda541cfdd6815ace3976e1f74aa4afbcc1a5b1e9241c3fedec46374b5
SSDEEP: 98304:ctAHsVyBjcigPR21cmyoqJ+/ftPgKUJpF+fpHLOsg55ISgEHFY:ctAHHjwRFmAJSgPFAiJ5etV
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (7ZSfxMod.exe)
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (7ZSfxMod.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (7ZSfxMod.exe)
Detects Floxif payload 1 IoCs
- yara_rule floxif: behavioral2/files/0x0009000000023342-2.dat
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
- yara_rule acprotect: behavioral2/files/0x0009000000023342-2.dat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (7ZSfxMod.exe)
Loads dropped DLL 1 IoCs
- PID 1616 (7ZSfxMod.exe)
System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs
Abuse Rundll32 to proxy execution of malicious code.
- PID 2284 (rundll32.exe)
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (7ZSfxMod.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (7ZSfxMod.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (7ZSfxMod.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (7ZSfxMod.exe)
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (7ZSfxMod.exe)
- File opened (read-only): \??\G: (7ZSfxMod.exe)
- File opened (read-only): \??\H: (7ZSfxMod.exe)
- File opened (read-only): \??\I: (7ZSfxMod.exe)
- File opened (read-only): \??\J: (7ZSfxMod.exe)
- File opened (read-only): \??\K: (7ZSfxMod.exe)
- File opened (read-only): \??\e: (7ZSfxMod.exe)
Drops file in Program Files directory 28 IoCs
- File opened for modification: C:\Program Files (x86)\uTorrent\utorrent.inf (cmd.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\updates (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\settings.dat (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\Tools\nircmdc.exe (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\Tools (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\dlimagecache (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\ie (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\utorrent.lng (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\utorrent.exe (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\share (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\updates (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\Tools\1.cmd (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\Tools\new_put.cmd (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\utorrent.inf (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\utorrent.lng (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\apps (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\share (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\Tools\1.cmd (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\Tools\new_put.cmd (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\utorrent.inf (7ZSfxMod.exe)
- File created: C:\Program Files\Common Files\System\symsrv.dll (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\settings.dat (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\utorrent.exe (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\ie (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\Tools\nircmdc.exe (7ZSfxMod.exe)
- File created: \??\c:\program files\common files\system\symsrv.dll.000 (7ZSfxMod.exe)
- File created: C:\Program Files (x86)\uTorrent\apps (7ZSfxMod.exe)
- File opened for modification: C:\Program Files (x86)\uTorrent\dlimagecache (7ZSfxMod.exe)
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\SYSTEM.INI (7ZSfxMod.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7ZSfxMod.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 1616 (7ZSfxMod.exe), 6 identical entries
Suspicious use of AdjustPrivilegeToken 23 IoCs
- Token: SeDebugPrivilege, PID 1616 (7ZSfxMod.exe), 23 identical entries
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 1616 (7ZSfxMod.exe)
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 1616 (7ZSfxMod.exe), 2 identical entries
Suspicious use of WriteProcessMemory 50 IoCs
(source PID and process, target PID, procid_target; identical entries collapsed with their count)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 788, procid_target 8 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 796, procid_target 9 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 332, procid_target 13 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 2944, procid_target 49 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 2964, procid_target 50 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 2380, procid_target 52 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3408, procid_target 56 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3568, procid_target 57 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3748, procid_target 58 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3864, procid_target 59 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3928, procid_target 60 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 4016, procid_target 61 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3532, procid_target 62 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 316, procid_target 74 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 3640, procid_target 76 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 1776, procid_target 82 (x2)
- PID 1776 (cmd.exe) wrote to memory of 2264, procid_target 84 (x2)
- PID 1776 (cmd.exe) wrote to memory of 2168, procid_target 85 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 4352, procid_target 86 (x2)
- PID 4352 (cmd.exe) wrote to memory of 1536, procid_target 88 (x2)
- PID 4352 (cmd.exe) wrote to memory of 3592, procid_target 89 (x2)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 1872, procid_target 90 (x3)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 2284, procid_target 92 (x3)
- PID 1616 (7ZSfxMod.exe) wrote to memory of 744, procid_target 93 (x2)
System policy modification 1 TTPs 1 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (7ZSfxMod.exe)
Processes
(indentation shows parent/child nesting; each entry gives the image path, the command line and the PID)
- PID 788: C:\Windows\system32\fontdrvhost.exe, cmdline "fontdrvhost.exe"
- PID 796: C:\Windows\system32\fontdrvhost.exe, cmdline "fontdrvhost.exe"
- PID 332: C:\Windows\system32\dwm.exe, cmdline "dwm.exe"
- PID 2944: C:\Windows\system32\sihost.exe, cmdline sihost.exe
- PID 2964: C:\Windows\system32\svchost.exe, cmdline C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2380: C:\Windows\system32\taskhostw.exe, cmdline taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3408: C:\Windows\Explorer.EXE, cmdline C:\Windows\Explorer.EXE
  - PID 1616: C:\Users\Admin\AppData\Local\Temp\7ZSfxMod.exe, cmdline "C:\Users\Admin\AppData\Local\Temp\7ZSfxMod.exe"
    Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Checks computer location settings
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - PID 1776: C:\Windows\System32\cmd.exe, cmdline "C:\Windows\System32\cmd.exe" /c Ver | Find "6." >Nul && Echo PROG_SDIR2 ="..\..\..\..\..\..\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch">>utorrent.inf
      Signatures: Suspicious use of WriteProcessMemory
      - PID 2264: C:\Windows\system32\cmd.exe, cmdline C:\Windows\system32\cmd.exe /S /D /c" Ver "
      - PID 2168: C:\Windows\system32\find.exe, cmdline Find "6."
    - PID 4352: C:\Windows\System32\cmd.exe, cmdline "C:\Windows\System32\cmd.exe" /c Ver | Find "6." >Nul || Echo PROG_SDIR2= "..\..\Application Data\Microsoft\Internet Explorer\Quick Launch">>utorrent.inf
      Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
      - PID 1536: C:\Windows\system32\cmd.exe, cmdline C:\Windows\system32\cmd.exe /S /D /c" Ver "
      - PID 3592: C:\Windows\system32\find.exe, cmdline Find "6."
    - PID 1872: C:\Windows\SysWOW64\cmd.exe, cmdline "C:\Windows\System32\cmd.exe" /c Move utorrent.inf C:\Windows\INF
      Signatures: System Location Discovery: System Language Discovery
    - PID 2284: C:\Windows\SysWOW64\rundll32.exe, cmdline "C:\Windows\System32\rundll32.exe" advpack,LaunchINFSection utorrent.inf,DefaultInstall_x64,0
      Signatures: System Binary Proxy Execution: Rundll32; System Location Discovery: System Language Discovery
    - PID 744: C:\Windows\System32\cmd.exe, cmdline "C:\Windows\System32\cmd.exe" /c rd /s /q "C:\Program Files (x86)\uTorrent\Tools"
- PID 3568: C:\Windows\system32\svchost.exe, cmdline C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3748: C:\Windows\system32\DllHost.exe, cmdline C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3864: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, cmdline "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3928: C:\Windows\System32\RuntimeBroker.exe, cmdline C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4016: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, cmdline "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3532: C:\Windows\System32\RuntimeBroker.exe, cmdline C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 316: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, cmdline "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 3640: C:\Windows\System32\RuntimeBroker.exe, cmdline C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
(the number after each technique is the count of matched signatures)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
- System Binary Proxy Execution (1): Rundll32 (1)
Downloads