Analysis
- max time kernel: 28s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 18:45
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b94b9c10e823cf38e17e3c03e78c20285e7e31c851df66eb1974ab335ac64ffcN.dll
  - Resource: win7-20240708-en
General
- Target: b94b9c10e823cf38e17e3c03e78c20285e7e31c851df66eb1974ab335ac64ffcN.dll
- Size: 120KB
- MD5: 0b8f629eca974d071cfb9ffaab03db00
- SHA1: 6ddcdfc46129b655173d6e97911aff0af19e2881
- SHA256: b94b9c10e823cf38e17e3c03e78c20285e7e31c851df66eb1974ab335ac64ffc
- SHA512: d7ed994e595d4c58aa91503052edb5769841e893a57a9378f7c25b773a56aa99138f2251ef0a53596ff1c9fa2d3f022078bc84e77f31caa2e02657075d2fba9c
- SSDEEP: 3072:XzlXR0z1ksvwdqvHNBdNJAyed7Y8yy+uRzSEua+gwd:Dlh0zX40vTdNq5dqmqOw
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c909.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c909.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76aea7.exe
Executes dropped EXE (3 IoCs)
pid | Process
2536 | f76ad21.exe
2656 | f76aea7.exe
2248 | f76c909.exe

Loads dropped DLL (6 IoCs)
pid | Process
2432 | rundll32.exe
2432 | rundll32.exe
2432 | rundll32.exe
2432 | rundll32.exe
2432 | rundll32.exe
2432 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76aea7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76aea7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c909.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76aea7.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ad21.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c909.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | f76ad21.exe
File opened (read-only) | \??\O: | f76ad21.exe
File opened (read-only) | \??\I: | f76ad21.exe
File opened (read-only) | \??\M: | f76ad21.exe
File opened (read-only) | \??\Q: | f76ad21.exe
File opened (read-only) | \??\R: | f76ad21.exe
File opened (read-only) | \??\E: | f76ad21.exe
File opened (read-only) | \??\H: | f76ad21.exe
File opened (read-only) | \??\P: | f76ad21.exe
File opened (read-only) | \??\S: | f76ad21.exe
File opened (read-only) | \??\E: | f76c909.exe
File opened (read-only) | \??\G: | f76ad21.exe
File opened (read-only) | \??\L: | f76ad21.exe
File opened (read-only) | \??\K: | f76ad21.exe
File opened (read-only) | \??\N: | f76ad21.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\f76ad7e | f76ad21.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76ad21.exe
File created | C:\Windows\f76fd04 | f76aea7.exe
File created | C:\Windows\f770129 | f76c909.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76ad21.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c909.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2536 | f76ad21.exe
2536 | f76ad21.exe
2248 | f76c909.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Suspicious use of WriteProcessMemory (38 IoCs)
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76aea7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c909.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ad21.exe
Processes
Each entry reads: image path | command line | tree level | PID. Signatures triggered by a process are listed beneath it, followed by its child processes.

- C:\Windows\system32\taskhost.exe | "taskhost.exe" | level 1 | PID:1112
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | level 1 | PID:1164
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | level 1 | PID:1204
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b94b9c10e823cf38e17e3c03e78c20285e7e31c851df66eb1974ab335ac64ffcN.dll,#1 | level 2 | PID:3036
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\b94b9c10e823cf38e17e3c03e78c20285e7e31c851df66eb1974ab335ac64ffcN.dll,#1 | level 3 | PID:2432
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76ad21.exe | C:\Users\Admin\AppData\Local\Temp\f76ad21.exe | level 4 | PID:2536
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76aea7.exe | C:\Users\Admin\AppData\Local\Temp\f76aea7.exe | level 4 | PID:2656
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76c909.exe | C:\Users\Admin\AppData\Local\Temp\f76c909.exe | level 4 | PID:2248
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | level 1 | PID:496
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  - MD5: aac5d4da71d0a192daef17c6d114ef01
  - SHA1: b27d88353c7237551224cb800d0fbd98effb811f
  - SHA256: e811cf2fd53f24047cd77a618fe51df464f1c0c4cf50fed15122491ae1299c74
  - SHA512: 67ee66c0ff58c3ae992210d9f07e02a191457ee97094a1958ecce7241fe5fc234e2db790bbddd6478c40c318631addeca40bfd5daa6d54e28a7218742393c6da
- Filesize: 97KB
  - MD5: 361b4ba700ef3e709d1643c3d536bccd
  - SHA1: d66bffc9456eec6794e8754a552da609d5352ed6
  - SHA256: d54cd2f1b69e8f1deff33ee5e35587475eb60a0ffed1b0c600b1d29652c5d08e
  - SHA512: f71646dc5df9cf404f2ccb6e3b122373b7486b96ab70be54c6f97e4fa221a32453827661da6213da3551e5650cc40c762c7967524adeef44972902b84416480d