Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15-12-2024 21:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db93ce71516473cb4313fd518894849bd3ab36b02efc256f8069306a8b1f06c1N.dll
Resource
win7-20240729-en
windows7-x64
17 signatures
120 seconds
General
-
Target
db93ce71516473cb4313fd518894849bd3ab36b02efc256f8069306a8b1f06c1N.dll
-
Size
120KB
-
MD5
4bd92a582168cff219e84f898f227c80
-
SHA1
d0ed74cf500e8410d6ba0bb183baf08d6636fb6b
-
SHA256
db93ce71516473cb4313fd518894849bd3ab36b02efc256f8069306a8b1f06c1
-
SHA512
efffa5d86ed2f58c97297f74b999fa5a9ed51788b6ba3e6421b03bb61e182078406585a5f7a5e42efb2675d500ba5d2b5bee3c8f23318fe2da3b5a327fd5d965
-
SSDEEP
3072:hwReFh3p38sVa3dH3KJavU2h+KJPNTsUo1T:2ReFh3ppVaN/vU2FZna
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76f23b.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d00b.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d00b.exe -
Executes dropped EXE 3 IoCs
pid Process 2352 f76d00b.exe 2788 f76d1ef.exe 2396 f76f23b.exe -
Loads dropped DLL 6 IoCs
pid Process 1440 rundll32.exe 1440 rundll32.exe 1440 rundll32.exe 1440 rundll32.exe 1440 rundll32.exe 1440 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76f23b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d00b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76f23b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d00b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76d1ef.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f23b.exe -
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: f76d00b.exe File opened (read-only) \??\N: f76d00b.exe File opened (read-only) \??\Q: f76d00b.exe File opened (read-only) \??\S: f76d00b.exe File opened (read-only) \??\T: f76d00b.exe File opened (read-only) \??\E: f76f23b.exe File opened (read-only) \??\G: f76f23b.exe File opened (read-only) \??\H: f76d00b.exe File opened (read-only) \??\K: f76d00b.exe File opened (read-only) \??\L: f76d00b.exe File opened (read-only) \??\O: f76d00b.exe File opened (read-only) \??\H: f76f23b.exe File opened (read-only) \??\E: f76d00b.exe File opened (read-only) \??\I: f76d00b.exe File opened (read-only) \??\M: f76d00b.exe File opened (read-only) \??\R: f76d00b.exe File opened (read-only) \??\G: f76d00b.exe File opened (read-only) \??\J: f76d00b.exe -
resource yara_rule behavioral1/memory/2352-11-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-16-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-19-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-20-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-15-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-21-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-17-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-14-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-13-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-18-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-59-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-60-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-61-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-63-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-62-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-65-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-66-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-67-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-68-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-71-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-85-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2352-156-0x0000000000520000-0x00000000015DA000-memory.dmp upx behavioral1/memory/2396-170-0x0000000000950000-0x0000000001A0A000-memory.dmp upx behavioral1/memory/2396-217-0x0000000000950000-0x0000000001A0A000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f76d00b.exe File created C:\Windows\f77205c f76d1ef.exe File created C:\Windows\f7723b6 f76f23b.exe File created C:\Windows\f76d098 f76d00b.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76f23b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76d00b.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2352 f76d00b.exe 2352 f76d00b.exe 2396 f76f23b.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2352 f76d00b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe Token: SeDebugPrivilege 2396 f76f23b.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 2136 wrote to memory of 1440 2136 rundll32.exe 30 PID 1440 wrote to memory of 2352 1440 rundll32.exe 31 PID 1440 wrote to memory of 2352 1440 rundll32.exe 31 PID 1440 wrote to memory of 2352 1440 rundll32.exe 31 PID 1440 wrote to memory of 2352 1440 rundll32.exe 31 PID 2352 wrote to memory of 1140 2352 f76d00b.exe 19 PID 2352 wrote to memory of 1224 2352 f76d00b.exe 20 PID 2352 wrote to memory of 1260 2352 f76d00b.exe 21 PID 2352 wrote to memory of 1532 2352 f76d00b.exe 25 PID 2352 wrote to memory of 2136 2352 f76d00b.exe 29 PID 2352 wrote to memory of 1440 2352 f76d00b.exe 30 PID 2352 wrote to memory of 1440 2352 f76d00b.exe 30 PID 1440 wrote to memory of 2788 1440 rundll32.exe 32 PID 1440 wrote to memory of 2788 1440 rundll32.exe 32 PID 1440 wrote to memory of 2788 1440 rundll32.exe 32 PID 1440 wrote to memory of 2788 1440 rundll32.exe 32 PID 1440 wrote to memory of 2396 1440 rundll32.exe 34 PID 1440 wrote to memory of 2396 1440 rundll32.exe 34 PID 1440 wrote to memory of 2396 1440 rundll32.exe 34 PID 1440 wrote to memory of 2396 1440 rundll32.exe 34 PID 2352 wrote to memory of 1140 2352 f76d00b.exe 19 PID 2352 wrote to memory of 1224 2352 f76d00b.exe 20 PID 2352 wrote to memory of 1260 2352 f76d00b.exe 21 PID 2352 wrote to memory of 1532 2352 f76d00b.exe 25 PID 2352 wrote to memory of 2788 2352 f76d00b.exe 32 PID 2352 wrote to memory of 2788 2352 f76d00b.exe 32 PID 2352 wrote to memory of 2396 2352 f76d00b.exe 34 PID 2352 wrote to memory of 2396 2352 f76d00b.exe 34 PID 2396 wrote to memory of 1140 2396 f76f23b.exe 19 PID 2396 wrote to memory of 1224 2396 f76f23b.exe 20 PID 2396 wrote to memory of 1260 2396 f76f23b.exe 21 PID 2396 wrote to memory of 1532 2396 f76f23b.exe 25 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d00b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d1ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f23b.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1140
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1224
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1260
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\db93ce71516473cb4313fd518894849bd3ab36b02efc256f8069306a8b1f06c1N.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\db93ce71516473cb4313fd518894849bd3ab36b02efc256f8069306a8b1f06c1N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\f76d00b.exeC:\Users\Admin\AppData\Local\Temp\f76d00b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2352
-
-
C:\Users\Admin\AppData\Local\Temp\f76d1ef.exeC:\Users\Admin\AppData\Local\Temp\f76d1ef.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2788
-
-
C:\Users\Admin\AppData\Local\Temp\f76f23b.exeC:\Users\Admin\AppData\Local\Temp\f76f23b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2396
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1532
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5b33b58336f306122644f3dff7220ff96
SHA1ccb61c2abd033d86a7c6267aaf677d30634e15c3
SHA25683d45ade80af4b46c310c7b22cb1af9bbab2f7f61c0f3594a10120a47797d6fd
SHA512f8da1a01c3f4b7b1605da1c26aa0d4cc2736e91a4ab76aec04bcc20fbeefa9e544726c09dee99f016fb7b8733af3e67ec03d2786d99057cc2fd4f7cfe23f4b4e
-
Filesize
97KB
MD58d838f7cbf607e2e258bddb5d52b7c4a
SHA1b7194465c2f571ff5b20488e0096de15c1e81c71
SHA25670cbf1702dcd7626e1dcc26d79f1811752f9776f440dafb7ed9bebc1464df3f8
SHA512030ea0f9990b564eab155b9c2988abe67924dfc56b8231478852927599841f5821e7d76376e6b2e59a7070479fbdc1f78b67c3061a3f31eb64610ba52482605a