Analysis
max time kernel: 41s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 16-12-2024 12:03
Static task: static1
Behavioral task: behavioral1
Sample: 8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll
Resource: win7-20241010-en
General
Target: 8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll
Size: 120KB
MD5: 5126662a2aad02c1bdbab148c5c167b0
SHA1: bfa728f3c23576976f39d893d9f048c527ad1ac4
SHA256: 8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517
SHA512: 21901436ddf77b1518550526e5e54db0ebb28334340449ddf96d05cb18ae5aae7a23c28a5adb461f860248db9bc080d6d613c98f6b841667fb3850e9a8ef8622
SSDEEP: 3072:rZGVctUQQidOnJzpWcdilfyqAGouM/dIGfJg:UV5idQYZXAly
Malware Config
Extracted family: sality
C2 URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77cb6a.exe
Sality family

UAC bypass (signature name inferred from the process tree; heading missing from the extracted page) 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77ea6e.exe
Windows security bypass (signature name inferred from the process tree; heading missing from the extracted page) 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77cb6a.exe
Executes dropped EXE 3 IoCs
pid | Process
2480 | f77cb6a.exe
2796 | f77ce66.exe
1600 | f77ea6e.exe

Loads dropped DLL 6 IoCs
pid | Process
2124 | rundll32.exe (six identical entries)

Windows security modification (signature name inferred from the process tree; heading missing from the extracted page) 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77cb6a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77ce66.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77ea6e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77ea6e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77ea6e.exe

Checks whether UAC is enabled (signature name inferred from the process tree; heading missing from the extracted page) 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77ea6e.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | f77cb6a.exe
File opened (read-only) | \??\Q: | f77cb6a.exe
File opened (read-only) | \??\E: | f77cb6a.exe
File opened (read-only) | \??\L: | f77cb6a.exe
File opened (read-only) | \??\P: | f77cb6a.exe
File opened (read-only) | \??\H: | f77cb6a.exe
File opened (read-only) | \??\M: | f77cb6a.exe
File opened (read-only) | \??\O: | f77cb6a.exe
File opened (read-only) | \??\R: | f77cb6a.exe
File opened (read-only) | \??\S: | f77cb6a.exe
File opened (read-only) | \??\I: | f77cb6a.exe
File opened (read-only) | \??\K: | f77cb6a.exe
File opened (read-only) | \??\G: | f77cb6a.exe
File opened (read-only) | \??\J: | f77cb6a.exe
Yara rule matches: upx (signature heading missing from the extracted page) 27 IoCs
resource | yara_rule
behavioral1/memory/2480-16-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-22-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-41-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-23-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-17-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-20-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-18-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-21-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-19-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-24-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-64-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-63-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-65-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-66-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-67-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-69-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-70-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-71-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-73-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-87-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-89-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-102-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-103-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2480-151-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2796-161-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/1600-188-0x0000000000A10000-0x0000000001ACA000-memory.dmp | upx
behavioral1/memory/1600-207-0x0000000000A10000-0x0000000001ACA000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f77cb6a.exe
File created | C:\Windows\f781e79 | f77ce66.exe
File created | C:\Windows\f7827db | f77ea6e.exe
File created | C:\Windows\f77cc83 | f77cb6a.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77ea6e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77cb6a.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2480 | f77cb6a.exe
2480 | f77cb6a.exe
1600 | f77ea6e.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2480 | f77cb6a.exe (multiple identical entries)
Token: SeDebugPrivilege | 1600 | f77ea6e.exe (multiple identical entries)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 2124 | 2820 | rundll32.exe | 30 (×7)
PID 2124 wrote to memory of 2480 | 2124 | rundll32.exe | 31 (×4)
PID 2480 wrote to memory of 1252 | 2480 | f77cb6a.exe | 19
PID 2480 wrote to memory of 1340 | 2480 | f77cb6a.exe | 20
PID 2480 wrote to memory of 1388 | 2480 | f77cb6a.exe | 21
PID 2480 wrote to memory of 1508 | 2480 | f77cb6a.exe | 25
PID 2480 wrote to memory of 2820 | 2480 | f77cb6a.exe | 29
PID 2480 wrote to memory of 2124 | 2480 | f77cb6a.exe | 30 (×2)
PID 2124 wrote to memory of 2796 | 2124 | rundll32.exe | 32 (×4)
PID 2124 wrote to memory of 1600 | 2124 | rundll32.exe | 33 (×4)
PID 2480 wrote to memory of 1252 | 2480 | f77cb6a.exe | 19
PID 2480 wrote to memory of 1340 | 2480 | f77cb6a.exe | 20
PID 2480 wrote to memory of 1388 | 2480 | f77cb6a.exe | 21
PID 2480 wrote to memory of 1508 | 2480 | f77cb6a.exe | 25
PID 2480 wrote to memory of 2796 | 2480 | f77cb6a.exe | 32 (×2)
PID 2480 wrote to memory of 1600 | 2480 | f77cb6a.exe | 33 (×2)
PID 1600 wrote to memory of 1252 | 1600 | f77ea6e.exe | 19
PID 1600 wrote to memory of 1340 | 1600 | f77ea6e.exe | 20
PID 1600 wrote to memory of 1388 | 1600 | f77ea6e.exe | 21
PID 1600 wrote to memory of 1508 | 1600 | f77ea6e.exe | 25
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77cb6a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77ce66.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77ea6e.exe
Processes
(indentation shows the process tree depth reported by the sandbox; the number in parentheses is that depth)

C:\Windows\system32\taskhost.exe  "taskhost.exe"  (1)  PID:1252

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (1)  PID:1340

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (1)  PID:1388

C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll,#1  (2)  PID:2820
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e8b199203c9c7c9e649fbc2332d117cbc93c48c2731d731f2b81841c7861517N.dll,#1  (3)  PID:2124
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\f77cb6a.exe  C:\Users\Admin\AppData\Local\Temp\f77cb6a.exe  (4)  PID:2480
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Users\Admin\AppData\Local\Temp\f77ce66.exe  C:\Users\Admin\AppData\Local\Temp\f77ce66.exe  (4)  PID:2796
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System policy modification

        C:\Users\Admin\AppData\Local\Temp\f77ea6e.exe  C:\Users\Admin\AppData\Local\Temp\f77ea6e.exe  (4)  PID:1600
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (1)  PID:1508
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 257B
MD5: a6134ff8ba44b3576fb1ee80908218c3
SHA1: ffe45572e25209b695070eb6262a8025ecc7ac0c
SHA256: b026ba4233393122dd322499678a8ba6488fe61501aa1bed8ef2ef54ba2b1bbc
SHA512: 18644c0758156d022be7a13886a06b5558b0af4692e935ee738b025fa4e71e7f43069ef8705637832e6294c750d45acc842f331b3d5a531bc087a747f9a2bd72

Filesize: 97KB
MD5: e82c0bc4b02fe0566f2fdf964128d3cd
SHA1: 64795d872674d114804b25e6d6a8abb3ca76ae16
SHA256: 98c2e56af08d2f2283128e46942b3c9c956b29f18876bdcf54880f1a9b0c87e0
SHA512: b9718b89a13f8750609248bcda0b46d30e44d1977c3f7f31373f836f9f4bae46beb8046232089880c93033c69f4e4d7613c0b6e91a7b46412380e5812dc801fe