Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 22/11/2024, 18:14

Static task: static1

Behavioral task: behavioral1
Sample: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Resource: win10v2004-20241007-en

General
Target: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Size: 320KB
MD5: 7aaa28ceb63303ddec0abe580b4d1ff0
SHA1: 491b70864a07a5dada35a4119119174da47d878c
SHA256: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362ea
SHA512: 040dde561ad1541b3df357d3bfed1605673982008704a85aba5e2c22a5a6f445049267388af37d2f1df316b166f56bab281c8b3af44b019331c72f25ff567390
SSDEEP: 6144:qTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:EXgvmzFHi0mo5aH0qMzd5807FRPJQPDV
Malware Config
Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | imubjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | imubjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe

UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | imubjl.exe
Adds policy Run key to start application 2 TTPs 24 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imubjl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imubjl.exe

Executes dropped EXE 2 IoCs
pid | Process
1796 | imubjl.exe
1740 | imubjl.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | imubjl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | imubjl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | imubjl.exe

Loads dropped DLL 4 IoCs
pid | Process
2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | imubjl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | imubjl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | imubjl.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | imubjl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | imubjl.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | www.showmyipaddress.com
7 | whatismyip.everdot.org
8 | www.whatismyip.ca
13 | whatismyipaddress.com

Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ccgjnlsqzvaebulxgommqtxv.ajf | imubjl.exe
File opened for modification | C:\Windows\SysWOW64\lwlzoxpyszpemqspjclwlzoxpyszpemqspj.lwl | imubjl.exe
File created | C:\Windows\SysWOW64\lwlzoxpyszpemqspjclwlzoxpyszpemqspj.lwl | imubjl.exe
File opened for modification | C:\Windows\SysWOW64\ccgjnlsqzvaebulxgommqtxv.ajf | imubjl.exe

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\lwlzoxpyszpemqspjclwlzoxpyszpemqspj.lwl | imubjl.exe
File opened for modification | C:\Program Files (x86)\ccgjnlsqzvaebulxgommqtxv.ajf | imubjl.exe
File created | C:\Program Files (x86)\ccgjnlsqzvaebulxgommqtxv.ajf | imubjl.exe
File opened for modification | C:\Program Files (x86)\lwlzoxpyszpemqspjclwlzoxpyszpemqspj.lwl | imubjl.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ccgjnlsqzvaebulxgommqtxv.ajf | imubjl.exe
File created | C:\Windows\ccgjnlsqzvaebulxgommqtxv.ajf | imubjl.exe
File opened for modification | C:\Windows\lwlzoxpyszpemqspjclwlzoxpyszpemqspj.lwl | imubjl.exe
File created | C:\Windows\lwlzoxpyszpemqspjclwlzoxpyszpemqspj.lwl | imubjl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imubjl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imubjl.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1796 | imubjl.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2412 wrote to memory of 1796 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 30
PID 2412 wrote to memory of 1796 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 30
PID 2412 wrote to memory of 1796 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 30
PID 2412 wrote to memory of 1796 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 30
PID 2412 wrote to memory of 1740 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 31
PID 2412 wrote to memory of 1740 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 31
PID 2412 wrote to memory of 1740 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 31
PID 2412 wrote to memory of 1740 | 2412 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 31
System policy modification 1 TTPs 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412
-
C:\Users\Admin\AppData\Local\Temp\imubjl.exe (child of PID 2412)
Command line: "C:\Users\Admin\AppData\Local\Temp\imubjl.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\imubjl.exe (child of PID 2412)
Command line: "C:\Users\Admin\AppData\Local\Temp\imubjl.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:1740
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize 280B
MD5 cec01a8c340f91fbbafc4d84e2d34b75
SHA1 b32d510eba788040e2c6b77b8849b8debf6c743b
SHA256 2696d4326a7722b5a44a0a8d4d3c4c952d39acd19404543abbaa535782bdc81e
SHA512 797ec53eb8f407a56d7cb47d689f7e5e1cd8f15b68b012b1db0bed7c0e2f01522eb4915cf0e0450d7d7fbf95dc418af4fd59e587dba0608acddc3ff39bc440c2
-
Filesize 280B
MD5 0c26642760cc53cb91213b3c93c45a14
SHA1 7d7b0ec7cb2aac1559f8ec374bfbd36cdd73908b
SHA256 72554e107914597b2e3e22d2a8a02fad6b7713e843b087af7a7ae59087eec3be
SHA512 3de7ea87d4dd29568e9645d8c05a9dc4923a1214d5ca775949f5bdfa9617dbb3d5e8f623e832fc3e049bd4a5d0ccdd91e52b4a4b4ba86a3727a6cac737dd9549
-
Filesize 280B
MD5 78fc620897c253fd48c99c40cb845a8b
SHA1 2c4ef3498aa33dd7f6fd17b251901cfaf4fa58d5
SHA256 500917f91998ea39aff033ddb6957982028d3124ecfdb1d65cd9109384677aa9
SHA512 ea62a384e7bf120e478bdf1485ecfc325708dee5e6063526f31c87584fc796226dc5d44dfd43162a6352626cfd54e02f60b2a25ca7868d990ee5a97b18c0d636
-
Filesize 280B
MD5 569648df74863e74cc4c8b420fd0d423
SHA1 57fff191aaeec224e04e97458c0fe3e5720a771e
SHA256 69129f9837361386ec62fb773fd0d067a4d657f467d6efdbc378b0e79c2ffb63
SHA512 3eebc152529df8e5d5c97b3848ba51082c64b6072297f0919f2cbbc60d9d501f897606433b76c821b8f277f5dd27a1ac7ab352a6d8bdc7247db2875d5fee6480
-
Filesize 280B
MD5 1102b1453e590db3d3988ca400e47845
SHA1 8f9f8aa1658f6a407fa8bb619a7fd66b6c7c93ad
SHA256 eaaac1e4994e792eb3ac4fdae6064e52d95d210aa34a40fbaf936db38ccbc791
SHA512 6d0ccba63153a9ddeaee67c9c95e5b8138882b8eefc52f8667172c285bb50e719811dad4a67c646f3e6aa1cd571b0fff736daa6b6c399a6c9331b558bb0e8f25
-
Filesize 280B
MD5 3f99af9623b8a8c7cf8c266ac0954418
SHA1 8dc1dc5301f7a85ad73205e558d0fda6e7ab9518
SHA256 9d4289f45b530b58e05fd239e163968811d26198a2eac8f0ab9b825744e34264
SHA512 e6fa5c329c9dfa2edf4af6983222698498b93e62ba24c005ab95fc4a316756bf98115bf0daf7dfab930295c1d9a169deb39cd5ec797950a13ece1764fbd11c0a
-
Filesize 280B
MD5 ff4d9ac5d48b8d27a115e4567dc888c3
SHA1 6e0f3b81b1c1ff7fab8b96fb5c0cd1f75ff05341
SHA256 fd5b02631224dc49a725ee6c049c466474b6dc3f4f64b2e6747df0888c03f74d
SHA512 3de4daccefdf6edd64dab7f0dbaa01218467380fcd1181476642e1ec031754c6b07c00d56d3342070f07ee58e0fb55774c1bfa63ff8f5922be46b6a01796df35
-
Filesize 4KB
MD5 8ab8da37ca24168b4b6cfe8b0a35e7b2
SHA1 cec4a994a2ce153decb4cba1b08a0f32ee3f15da
SHA256 a3a44f21bc05f8bfdc7ec271abf4dc243fffb9fd50895d193c471bbe2a3c8e2b
SHA512 d17f0f7f361fe62a53c544e9681f336786461593f711ba28a6841c3270c7f66e97c5e3083e9eae313e855cb32a741b48ac62c7cd29d94072352188399095c82e
-
Filesize 732KB
MD5 a8150d4ffde6e0f7eba66f4cf7686527
SHA1 b90f98856a90fc119f0cf1557a83be62f7d30db4
SHA256 3179eb4d5f499fbde0647370b8936666be85b10184b2ebf1e0b033e61cc593c4
SHA512 522e6e958fb98e75782d4f68112abd9bb389f3bd805ec31fb608762a7d4b2c3360db13752cd3546fcc736912dca1b1f06ed0c11de2b46f248ff0aeba7dc65f61