Analysis

max time kernel: 30s
max time network: 16s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 07:41

Static task: static1
Behavioral task: behavioral1
Sample: 5a0cbc67855a9fea1709a8c2136f0e85e1c9fc74deb51c24fcef0c96e89cd3c6N.dll
Resource: win7-20241023-en

General

Target: 5a0cbc67855a9fea1709a8c2136f0e85e1c9fc74deb51c24fcef0c96e89cd3c6N.dll
Size: 120KB
MD5: 198f1aa59e129450b8567787d18759d0
SHA1: 8aafa0cd330ac947b3196720f65efbe545bf73da
SHA256: 5a0cbc67855a9fea1709a8c2136f0e85e1c9fc74deb51c24fcef0c96e89cd3c6
SHA512: 70523dbc77facefe8538b4f20df2585281d57174727df8db42ad2ccf7bcf79915ba1e6d0c2f89481d3b8d178fab3847af24fc1d398c95708c64abca31cb99ce1
SSDEEP: 3072:jCzkUlB+Cn7M2EguPvd4khizd73BM+ccfg4s/r3:sV3n7BYdlhilF3o
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  9 IoCs

Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Each of f76ba79.exe, f76bc3d.exe and f76d662.exe sets (int):
  EnableFirewall = "0"
  DoNotAllowExceptions = "0"
  DisableNotifications = "1"
Sality family
UAC bypass  3 IoCs

description      ioc                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76ba79.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76bc3d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76d662.exe
Windows security bypass  18 IoCs

Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
Each of f76ba79.exe, f76bc3d.exe and f76d662.exe sets (int):
  AntiVirusOverride = "1"
  AntiVirusDisableNotify = "1"
  FirewallOverride = "1"
  FirewallDisableNotify = "1"
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
Executes dropped EXE  3 IoCs

pid   Process
1696  f76ba79.exe
2932  f76bc3d.exe
2812  f76d662.exe
Loads dropped DLL  6 IoCs

pid   Process
1720  rundll32.exe  (6 entries)
Windows security modification  21 IoCs

Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
Each of f76ba79.exe, f76bc3d.exe and f76d662.exe sets (int):
  AntiVirusOverride = "1"
  AntiVirusDisableNotify = "1"
  FirewallOverride = "1"
  FirewallDisableNotify = "1"
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
Each of the three also creates the key \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled  3 IoCs

description      ioc                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76ba79.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76bc3d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76d662.exe
Enumerates connected drives  3 TTPs  15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

description              ioc                                                                                          Process
File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S:  f76ba79.exe  (14 entries)
File opened (read-only)  \??\E:                                                                                       f76d662.exe  (1 entry)
UPX packed file  25 IoCs

resource                                                                     yara_rule
behavioral1/memory/1696-14-0x0000000000590000-0x000000000164A000-memory.dmp   upx
(the same region of PID 1696 also matched in dumps 16, 17, 18, 19, 20, 21, 22, 23, 24, 61, 62, 63, 64, 65, 67, 68, 82, 84, 86, 88 and 155)
behavioral1/memory/2932-174-0x0000000000900000-0x00000000019BA000-memory.dmp  upx
behavioral1/memory/2812-199-0x00000000009C0000-0x0000000001A7A000-memory.dmp  upx
behavioral1/memory/2812-223-0x00000000009C0000-0x0000000001A7A000-memory.dmp  upx
Drops file in Windows directory  4 IoCs

description                   ioc                     Process
File created                  C:\Windows\f76baf6      f76ba79.exe
File opened for modification  C:\Windows\SYSTEM.INI   f76ba79.exe
File created                  C:\Windows\f770a9b      f76bc3d.exe
File created                  C:\Windows\f771130      f76d662.exe
System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76ba79.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76d662.exe
Suspicious behavior: EnumeratesProcesses  3 IoCs

pid   Process
1696  f76ba79.exe  (2 entries)
2812  f76d662.exe
Suspicious use of AdjustPrivilegeToken  46 IoCs

description               pid   Process
Token: SeDebugPrivilege   1696  f76ba79.exe  (repeated)
Token: SeDebugPrivilege   2812  f76d662.exe  (repeated)
Suspicious use of WriteProcessMemory  38 IoCs

description                        pid   Process       procid_target   (identical rows collapsed, count in brackets)
PID 2408 wrote to memory of 1720   2408  rundll32.exe  30              [x7]
PID 1720 wrote to memory of 1696   1720  rundll32.exe  31              [x4]
PID 1696 wrote to memory of 1112   1696  f76ba79.exe   19              [x2]
PID 1696 wrote to memory of 1168   1696  f76ba79.exe   20              [x2]
PID 1696 wrote to memory of 1196   1696  f76ba79.exe   21              [x2]
PID 1696 wrote to memory of 2032   1696  f76ba79.exe   23              [x2]
PID 1696 wrote to memory of 2408   1696  f76ba79.exe   29
PID 1696 wrote to memory of 1720   1696  f76ba79.exe   30              [x2]
PID 1720 wrote to memory of 2932   1720  rundll32.exe  32              [x4]
PID 1720 wrote to memory of 2812   1720  rundll32.exe  34              [x4]
PID 1696 wrote to memory of 2932   1696  f76ba79.exe   32              [x2]
PID 1696 wrote to memory of 2812   1696  f76ba79.exe   34              [x2]
PID 2812 wrote to memory of 1112   2812  f76d662.exe   19
PID 2812 wrote to memory of 1168   2812  f76d662.exe   20
PID 2812 wrote to memory of 1196   2812  f76d662.exe   21
PID 2812 wrote to memory of 2032   2812  f76d662.exe   23
System policy modification  1 TTPs  3 IoCs

description      ioc                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76ba79.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76bc3d.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76d662.exe
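The registry rows above are the end state a responder can check on a suspected host. The Python below is an added example, not part of this sandbox report: it parses rows in the report's own `Set value (int) <key>\<name> = "<n>" <process>` format, maps the sandbox's kernel-style paths (\REGISTRY\MACHINE, ControlSet001, Wow6432Node) to the keys you would open on a live system, and audits a registry snapshot against them. The two snapshot dicts are constructed for the demonstration, and the "clean" values are the Windows defaults, stated here as an assumption. One caveat the code makes explicit: DoNotAllowExceptions is 0 on a clean host as well, so that write is only visible as an event, never from the end state.

```python
"""Audit a registry snapshot for the tamper settings this Sality sample writes.

Added example, not part of the sandbox report. REPORT_IOCS is transcribed from the
report's signature rows (one process is enough: all three dropped EXEs write the
same values). The host snapshots further down are constructed for the demo.
"""
import re
from dataclasses import dataclass

REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76ba79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76ba79.exe
"""

# Report row format: 'Set value (int) <key>\<name> = "<int>" <process>'.
IOC_RE = re.compile(
    r'^Set value \(int\) (?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>\d+)" (?P<proc>\S+)$')

# Clean end state per value name (Windows defaults; an assumption of this example).
# The Security Center values are absent on a clean host, which counts as 0 here.
CLEAN_VALUE = {
    "EnableFirewall": 1, "DoNotAllowExceptions": 0, "DisableNotifications": 0,
    "EnableLUA": 1,
    "AntiVirusOverride": 0, "AntiVirusDisableNotify": 0,
    "FirewallOverride": 0, "FirewallDisableNotify": 0,
    "UpdatesDisableNotify": 0, "UacDisableNotify": 0,
}


@dataclass(frozen=True)
class RegistryIoc:
    key: str       # normalised key, as you would open it on a live host
    name: str      # value name
    value: int     # what the malware writes
    process: str   # sandbox process that wrote it


def normalise_key(sandbox_key: str) -> str:
    """Map the sandbox's kernel-style path to the key to query on a live host.

    REGISTRY\\MACHINE is HKLM. ControlSet001 is only the set the sandbox image booted
    from, so use CurrentControlSet. Wow6432Node appears because the dropped EXEs are
    32-bit and HKLM\\SOFTWARE is redirected for them on x64; strip it so the audit
    addresses the native view (check the Wow6432Node view on a real host as well).
    """
    key = sandbox_key.replace(r"\REGISTRY\MACHINE", "HKLM")
    key = re.sub(r"ControlSet\d{3}", "CurrentControlSet", key)
    return key.replace(r"\Wow6432Node", "")


def parse_iocs(text: str) -> list[RegistryIoc]:
    iocs = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        iocs.append(RegistryIoc(normalise_key(m["key"]), m["name"],
                                int(m["value"]), m["proc"]))
    return iocs


def audit(snapshot: dict[tuple[str, str], int], iocs: list[RegistryIoc]):
    """Compare a host snapshot {(key, value_name): int} against the IoCs.

    Returns (findings, unobservable). A finding is an IoC whose current value on the
    host equals what Sality writes and differs from the clean default. An IoC is
    unobservable when the value Sality writes is itself the default (here
    DoNotAllowExceptions = 0): only the write event can show it, not the end state.
    Registry paths are case-insensitive, so lookups are lower-cased; an absent value
    is treated as the clean default.
    """
    current = {(k.lower(), n.lower()): v for (k, n), v in snapshot.items()}
    findings, unobservable = [], []
    for ioc in iocs:
        clean = CLEAN_VALUE[ioc.name]
        if ioc.value == clean:
            unobservable.append(ioc)
            continue
        if current.get((ioc.key.lower(), ioc.name.lower()), clean) == ioc.value:
            findings.append(ioc)
    return findings, unobservable


FW = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
UAC = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"

# Constructed snapshots (not taken from the report): a clean host, and one whose
# end state matches what the report shows after the dropped EXEs ran.
CLEAN_HOST = {(FW, "EnableFirewall"): 1, (FW, "DoNotAllowExceptions"): 0, (UAC, "EnableLUA"): 1}
INFECTED_HOST = {
    (FW, "EnableFirewall"): 0, (FW, "DoNotAllowExceptions"): 0, (FW, "DisableNotifications"): 1,
    (UAC, "EnableLUA"): 0,
    (SC, "AntiVirusOverride"): 1, (SC, "FirewallOverride"): 1,
}

if __name__ == "__main__":
    iocs = parse_iocs(REPORT_IOCS)
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        found, blind = audit(host, iocs)
        print(f"{label}: {len(found)} tampered value(s)")
        for f in found:
            print(f"  {f.key}\\{f.name} = {f.value}")
    print("not visible from end state:", [b.name for b in blind])
```

On a live host the same checks are a `Get-ItemProperty` against the HKLM: paths the script prints; because the dropped executables are 32-bit, read both the native Security Center key and its Wow6432Node view before concluding the host is clean.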
Processes

(depth 1) C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1112

(depth 1) C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1168

(depth 1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1196

    (depth 2) C:\Windows\system32\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a0cbc67855a9fea1709a8c2136f0e85e1c9fc74deb51c24fcef0c96e89cd3c6N.dll,#1
        - Suspicious use of WriteProcessMemory
        PID: 2408

        (depth 3) C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a0cbc67855a9fea1709a8c2136f0e85e1c9fc74deb51c24fcef0c96e89cd3c6N.dll,#1
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1720

            (depth 4) C:\Users\Admin\AppData\Local\Temp\f76ba79.exe
                command line: C:\Users\Admin\AppData\Local\Temp\f76ba79.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 1696

            (depth 4) C:\Users\Admin\AppData\Local\Temp\f76bc3d.exe
                command line: C:\Users\Admin\AppData\Local\Temp\f76bc3d.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System policy modification
                PID: 2932

            (depth 4) C:\Users\Admin\AppData\Local\Temp\f76d662.exe
                command line: C:\Users\Admin\AppData\Local\Temp\f76d662.exe
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
                PID: 2812

(depth 1) C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 2032
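The 38 WriteProcessMemory rows in the signatures mix two very different things: a parent writing into a child it has just created, which CreateProcess does on its own (process parameters and environment go in that way, and the x64 rundll32.exe relaunching its SysWOW64 counterpart for a 32-bit DLL is one such case), and the dropped executables writing into processes they did not create (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe, the two rundll32 instances and their own siblings). The Python below is an added example, not part of the report: it takes the process tree above, with parent relationships read from the nesting shown there, and the distinct `wrote to memory` rows, and classifies each write by its tree relationship so that only writes outside the parent-to-child edge are counted as injection.

```python
"""Separate process-creation writes from injection in the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. PROCESSES is the report's process tree
(parent pid taken from the nesting depth shown there); WRITES holds the distinct
'wrote to memory' rows in the report's own format, duplicates dropped.
"""
import re

# pid -> (image, parent pid). Depth-1 entries have no parent recorded in the report.
PROCESSES = {
    1112: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1196: ("Explorer.EXE", None),
    2408: ("rundll32.exe", 1196),   # system32 (x64) rundll32, nested under Explorer
    1720: ("rundll32.exe", 2408),   # SysWOW64 rundll32, relaunched for the 32-bit DLL
    1696: ("f76ba79.exe", 1720),
    2932: ("f76bc3d.exe", 1720),
    2812: ("f76d662.exe", 1720),
    2032: ("DllHost.exe", None),
}

WRITES = """
PID 2408 wrote to memory of 1720 2408 rundll32.exe 30
PID 1720 wrote to memory of 1696 1720 rundll32.exe 31
PID 1696 wrote to memory of 1112 1696 f76ba79.exe 19
PID 1696 wrote to memory of 1168 1696 f76ba79.exe 20
PID 1696 wrote to memory of 1196 1696 f76ba79.exe 21
PID 1696 wrote to memory of 2032 1696 f76ba79.exe 23
PID 1696 wrote to memory of 2408 1696 f76ba79.exe 29
PID 1696 wrote to memory of 1720 1696 f76ba79.exe 30
PID 1720 wrote to memory of 2932 1720 rundll32.exe 32
PID 1720 wrote to memory of 2812 1720 rundll32.exe 34
PID 1696 wrote to memory of 2932 1696 f76ba79.exe 32
PID 1696 wrote to memory of 2812 1696 f76ba79.exe 34
PID 2812 wrote to memory of 1112 2812 f76d662.exe 19
PID 2812 wrote to memory of 1168 2812 f76d662.exe 20
PID 2812 wrote to memory of 1196 2812 f76d662.exe 21
PID 2812 wrote to memory of 2032 2812 f76d662.exe 23
"""

# Row format: 'PID <writer> wrote to memory of <target> <writer> <image> <procid_target>'.
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) \d+ (?P<image>\S+) \d+$")


def parse_writes(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m["writer"]), int(m["target"])))
    return rows


def ancestors(pid):
    """Parent, grandparent, ... of pid, as far as the tree records them."""
    chain = []
    parent = PROCESSES[pid][1]
    while parent is not None:
        chain.append(parent)
        parent = PROCESSES[parent][1]
    return chain


def classify(writer, target):
    """Tree relationship of a write, seen from the writer.

    child     : writer is the direct parent; CreateProcess writes into a new child
                itself, so this alone is not evidence of injection.
    ancestor  : target sits above the writer (f76ba79.exe writing back into both
                rundll32 instances and into Explorer).
    sibling   : same parent (the dropped EXEs under rundll32 1720).
    unrelated : no tree relation at all (taskhost, Dwm, DllHost).
    Everything except 'child' is treated as injection.
    """
    if PROCESSES[target][1] == writer:
        return "child"
    if target in ancestors(writer):
        return "ancestor"
    if PROCESSES[writer][1] is not None and PROCESSES[writer][1] == PROCESSES[target][1]:
        return "sibling"
    return "unrelated"


def injections(rows):
    """(writer image, target image, kind) for every write that is not parent-to-child."""
    out = []
    for writer, target in rows:
        kind = classify(writer, target)
        if kind != "child":
            out.append((PROCESSES[writer][0], PROCESSES[target][0], kind))
    return out


def injecting_images(rows):
    return sorted({w for w, _, _ in injections(rows)})


def injected_images(rows):
    return sorted({t for _, t, _ in injections(rows)})


if __name__ == "__main__":
    for writer, target, kind in injections(parse_writes(WRITES)):
        print(f"{writer} -> {target}: {kind}")
```

The two writers left after filtering are exactly the dropped executables with the `Suspicious use of AdjustPrivilegeToken` (SeDebugPrivilege) signature, which is what opening taskhost.exe, Dwm.exe or DllHost.exe for writing requires; the same filter applied to an EDR's process-access telemetry removes the CreateProcess noise before hunting for this pattern.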
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: 59c709530d790a419415b03d079b7c64
SHA1: 6394ebaf867ae10cb17653eb0fecf33570470b93
SHA256: 9d736d8b7e058be314e8b6f9a017f0afe7ff4f0c71ac9a2409bc9ab96798e3a0
SHA512: f7d0c629150da39178618d943d66f97cfe93c0093e33c23ef5483b52ad3a13d048cb0f4615be3ffe0361ce4fa3aadcb9c937234c38569b23aad7e2a1d96b7f19

Filesize: 97KB
MD5: 24ae0272c98e9546fca268ec844f255b
SHA1: 8eaa2616848b9142399ac1dd0b34df6e9abcfc0a
SHA256: c5468b6f23f45cf41643f2ca1a65c29a110e6ec79cf2774a692a6e6d1cac9b6f
SHA512: f73b6e1b7bbdacbd16bdc57d7bcdf84c8bd3ee13c8fb6d63d4443f476f712d79a1e0ab7b5f3430e9940586422065c6ddca1a2f38df5564a96f1dfe437f19f2e9