Analysis
max time kernel: 126s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 01:32
Static task: static1
Behavioral task: behavioral1
Sample: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe
Size: 96KB
MD5: 287ea47bd89d26f011f59839bed38649
SHA1: ba53d51ef5784b275e4ac2e03db0b8d65bb7f729
SHA256: dfc0e840e791635a7448eb0c84a215c0fe2f621193013b1c3c0d540725854fe8
SHA512: 12eb77f3330f927974692e16415afb05f00041006aa162c12fbf87aeb1f8ef8fcf622e488e14fe417d05cc221cef13ec7b58516a547baf28a643d32a6701a5aa
SSDEEP: 1536:EdyoIjdlHJKQwvS/yShwGGgw7WC5ACLPX1v:EdyoIj3xUGyShwGGxb5A0tv
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
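The six URLs above are the contact locations extracted from the sample's Sality configuration. The Python script below is an added example, not part of the sandbox report: it turns those URLs into host indicators and scans proxy and DNS log lines for them. The log line format and the log lines themselves are constructed for the example. Matching is on the exact IP, or on the domain and any of its subdomains, never by substring, so a lookalike such as notkukutrustnet777.info does not fire; as an assumption that goes slightly beyond the literal config, the bare apex of the one www.-prefixed indicator is also treated as an indicator.

```python
"""Scan proxy/DNS log lines for the C2 hosts extracted from this Sality sample.

Added example: not part of the sandbox report. The URLs are the report's
"Malware Config" values; the log line format and SAMPLE_LOG are constructed.
"""
import ipaddress
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Extracted Sality config URLs, copied from the report.
SALITY_C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]


def indicator_hosts(urls: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split URL indicators into literal IPs and domain names.

    A www.-prefixed indicator also contributes its apex domain (an assumption
    beyond the literal config, so traffic to the apex is caught as well).
    """
    ips: Set[str] = set()
    domains: Set[str] = set()
    for url in urls:
        host = urlsplit(url).hostname or ""
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domain = host.lower().rstrip(".")
            domains.add(domain)
            if domain.startswith("www."):
                domains.add(domain[4:])
    return ips, domains


def host_matches(host: str, ips: Set[str], domains: Set[str]) -> Optional[str]:
    """Return the indicator a host matches, or None.

    IPs must match exactly; domains match the host itself or any parent domain
    (so sub.kukutrustnet777.info matches) but never as a substring (so
    notkukutrustnet777.info and kukutrustnet777.info.example.org do not).
    """
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def destination_host(line: str) -> Optional[str]:
    """Pull the destination host out of one constructed log line.

    Constructed formats: "<ts> <client> DNS <qname>" for resolver logs and
    "<ts> <client> <method> <url> <status>" for proxy logs.
    """
    parts = line.split()
    if len(parts) >= 4 and parts[2] == "DNS":
        return parts[3]
    if len(parts) >= 4 and parts[3].startswith(("http://", "https://")):
        return urlsplit(parts[3]).hostname
    return None


def scan(lines: List[str], urls: List[str] = SALITY_C2_URLS) -> List[Tuple[str, str]]:
    """Return (matched indicator, log line) for every line that hits an indicator."""
    ips, domains = indicator_hosts(urls)
    hits: List[Tuple[str, str]] = []
    for line in lines:
        host = destination_host(line)
        if host is None:
            continue
        matched = host_matches(host, ips, domains)
        if matched is not None:
            hits.append((matched, line))
    return hits


# Constructed log lines: four true hits, then two lookalikes that only a
# substring match would flag, and one benign line.
SAMPLE_LOG = [
    "2024-09-10T01:32:10Z 10.0.0.15 DNS kukutrustnet777.info",
    "2024-09-10T01:32:11Z 10.0.0.15 GET http://kukutrustnet777.info/home.gif 200",
    "2024-09-10T01:32:12Z 10.0.0.15 GET http://89.119.67.154/testo5/ 404",
    "2024-09-10T01:32:13Z 10.0.0.15 DNS cdn.www.klkjwre9fqwieluoi.info",
    "2024-09-10T01:32:14Z 10.0.0.15 GET http://notkukutrustnet777.info/ 200",
    "2024-09-10T01:32:15Z 10.0.0.15 DNS kukutrustnet777.info.example.org",
    "2024-09-10T01:32:16Z 10.0.0.16 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    for indicator, line in scan(SAMPLE_LOG):
        print(f"{indicator:35} <- {line}")
```

The IP indicator is the one most likely to be reused across Sality variants; the .info domains in this config are old and may have been sinkholed or re-registered, so a DNS hit is a lead to confirm with the host-side registry and autorun.inf checks rather than proof of an active infection on its own.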
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
UAC bypass 1 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass 6 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Windows security modification 7 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Checks whether UAC is enabled 1 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
The Security Center values land under Wow6432Node because the sample is a 32-bit process on the x64 image; Policies\System is a shared (non-redirected) key, which is why EnableLUA appears without the Wow6432Node prefix.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- File opened (read-only) on 21 drive roots, in the order recorded: \??\K:, \??\U:, \??\V:, \??\X:, \??\Y:, \??\J:, \??\L:, \??\N:, \??\P:, \??\R:, \??\E:, \??\G:, \??\H:, \??\Z:, \??\W:, \??\I:, \??\M:, \??\O:, \??\Q:, \??\S:, \??\T:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- File opened for modification F:\autorun.inf
- File opened for modification C:\autorun.inf
yara_rule upx matched 28 IoCs
All 28 matches are memory dumps of PID 1580 covering the same region, 0x0000000001E40000-0x0000000002ECE000 (behavioral1/memory/1580-N-0x0000000001E40000-0x0000000002ECE000-memory.dmp), for dump index N = 1, 3, 4, 5, 6, 7, 8, 9, 10, 25, 26, 27, 28, 29, 31, 32, 33, 35, 38, 54, 56, 58, 59, 60, 62, 63, 66, 67.
Drops file in Program Files directory 5 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
These are existing executables opened for write, not new files. Sality is a PE file infector, so these binaries should be treated as potentially infected and restored from known-good media rather than trusted on the strength of the original vendor's hashes.
Drops file in Windows directory 1 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 13 IoCs
- PID 1580, 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (13 occurrences)
Suspicious use of AdjustPrivilegeToken 21 IoCs
- Token: SeDebugPrivilege, PID 1580, 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (21 occurrences)
Suspicious use of WriteProcessMemory 52 IoCs
PID 1580 (287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe) wrote to the memory of four other processes, 13 times each, cycling through the targets in the order below (the trailing number is the report's procid_target for each target):
- PID 1580 wrote to memory of 1088 (taskhost.exe), procid_target 18: 13 writes
- PID 1580 wrote to memory of 1152 (Dwm.exe), procid_target 19: 13 writes
- PID 1580 wrote to memory of 1184 (Explorer.EXE), procid_target 20: 13 writes
- PID 1580 wrote to memory of 1676 (DllHost.exe), procid_target 22: 13 writes
System policy modification 1 TTPs 1 IoCs
Process: 287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe (PID 1580)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
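The registry writes in the signatures above (Windows Firewall policy off, EnableLUA = 0, Security Center overrides) together with the autorun.inf drops are the quickest host-side confirmation of this sample. The Python script below is an added example, not part of the sandbox report: it reads the same values from a live Windows host, querying both the native and the WOW64 registry view since the sample is a 32-bit process on an x64 image, and checks drive roots for autorun.inf; on any other platform it runs against a constructed set of observed values. The paths use CurrentControlSet in place of the report's ControlSet001, which is the control set CurrentControlSet normally links to; OBSERVED_SAMPLE and the helper names are assumptions of the example.

```python
"""Host check for the registry and autorun.inf indicators in this report.

Added example, not part of the sandbox report. The registry paths and the
values the sample writes are taken from the Signatures section; the
OBSERVED_SAMPLE dict is constructed so the check runs offline on any platform.
"""
import os
import string
import sys
from typing import Dict, List, Tuple

FW = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SC = r"SOFTWARE\Microsoft\Security Center"

# (HKLM subkey, value name, value the sample wrote). The report logs the
# firewall keys under ControlSet001 (what CurrentControlSet links to on a live
# host) and the Security Center values under Wow6432Node, i.e. the WOW64 view;
# Policies\System is a shared key and is not redirected.
SALITY_REG_IOCS: List[Tuple[str, str, int]] = [
    (FW, "EnableFirewall", 0),
    (FW, "DisableNotifications", 1),
    (FW, "DoNotAllowExceptions", 0),
    (POL, "EnableLUA", 0),
    (SC, "AntiVirusOverride", 1),
    (SC, "AntiVirusDisableNotify", 1),
    (SC, "FirewallOverride", 1),
    (SC, "FirewallDisableNotify", 1),
    (SC, "UpdatesDisableNotify", 1),
    (SC, "UacDisableNotify", 1),
]

# (subkey, value name), lower-cased -> every value seen for it across registry views
Observed = Dict[Tuple[str, str], List[int]]


def evaluate(observed: Observed) -> List[str]:
    """Return one line per IoC whose observed value equals what the sample sets."""
    hits: List[str] = []
    for subkey, name, bad in SALITY_REG_IOCS:
        if bad in observed.get((subkey.lower(), name.lower()), []):
            hits.append(f"HKLM\\{subkey}\\{name} = {bad}")
    return hits


def read_live_registry() -> Observed:
    """Windows only: read each IoC from both the 64-bit and the WOW64 view."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    out: Observed = {}
    for subkey, name, _ in SALITY_REG_IOCS:
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                    winreg.KEY_READ | view) as key:
                    value, kind = winreg.QueryValueEx(key, name)
            except OSError:
                continue  # key or value absent in this view
            if kind == winreg.REG_DWORD:
                out.setdefault((subkey.lower(), name.lower()), []).append(int(value))
    return out


def autorun_inf_present(roots: List[str]) -> List[str]:
    """Return the roots that carry an autorun.inf (the sample wrote C:\\ and F:\\)."""
    return [r for r in roots if os.path.isfile(os.path.join(r, "autorun.inf"))]


def windows_drive_roots() -> List[str]:
    """Every mounted drive letter, mirroring the sample's own drive enumeration."""
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


# Constructed stand-in for a live read on an infected host: firewall off, UAC
# off, AntiVirusOverride clean in the 64-bit view but set in the WOW64 view,
# DoNotAllowExceptions left at 1 (not the value the sample writes).
OBSERVED_SAMPLE: Observed = {
    (FW.lower(), "enablefirewall"): [0],
    (FW.lower(), "disablenotifications"): [1],
    (FW.lower(), "donotallowexceptions"): [1],
    (POL.lower(), "enablelua"): [0],
    (SC.lower(), "antivirusoverride"): [0, 1],
}

if __name__ == "__main__":
    if sys.platform == "win32":
        observed, roots = read_live_registry(), windows_drive_roots()
    else:
        observed, roots = OBSERVED_SAMPLE, ["/tmp"]
    for line in evaluate(observed):
        print("registry IoC:", line)
    for root in autorun_inf_present(roots):
        print("autorun.inf at:", root)
```

Each value on its own is a weak signal (an administrator can legitimately set EnableFirewall = 0 or EnableLUA = 0 by policy); the combination of all three firewall values, EnableLUA = 0 and the Security Center overrides in the WOW64 view is what matches this sample's behaviour, and an autorun.inf at a fixed-disk root is a strong indicator on its own.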
Processes
taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe are listed at level 1 as the targets of the sample's memory writes (see Suspicious use of WriteProcessMemory), not as its children; the sample itself runs at level 2 under Explorer.EXE.
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe", PID 1088
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", PID 1152
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 1184
  - C:\Users\Admin\AppData\Local\Temp\287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\287ea47bd89d26f011f59839bed38649_JaffaCakes118.exe", PID 1580, signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 1676
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 96KB
  MD5: f34a1f43fa3efd2a0494ecbe193b880d
  SHA1: 0dfdacc8aa4e1594d99bd15130e61bc17ffac27d
  SHA256: ff852c523e8d7a7258741352e3b796a31a082c4627715404f02c068af57dad1e
  SHA512: 85e371dba3deec64ecb4cb79e6231be2797d1a18b130513d39022589b9f4690d6b875f68df22ec265cdcd17d197464f417f592d5cea768232f939f5e2371e315