Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 07:11
Static task: static1
Behavioral task: behavioral1
Sample: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll
Resource: win7-20241023-en

General
Target: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll
Size: 120KB
MD5: 32654fe2ae581a72e9aa91401c2aab82
SHA1: 253c854372ad84dc78e925659cb94a57adc8b1ed
SHA256: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16
SHA512: dd9f8e2a4344607b6197fba025b1237c6e8f85b5e85656d810ff988a7dacec4003b7b98b44a4b28981668c56c06af79d075071a1ec4797a999cdb841bdd7eb62
SSDEEP: 3072:Ho+CyN4Xnld4YwjcNi+g4dzAm8Ws4Py7+14:7Cyanld4HGPJdznjDPy04
Malware Config
Extracted (sality)
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b693.exe
Sality family
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d24d.exe
Windows security bypass 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b693.exe
Executes dropped EXE 3 IoCs
pid | Process
1800 | f76b693.exe
1912 | f76b809.exe
2732 | f76d24d.exe

Loads dropped DLL 6 IoCs
pid | Process | count
2324 | rundll32.exe | 6
Windows security modification 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b693.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b693.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b809.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d24d.exe

Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d24d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b693.exe
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | f76b693.exe
File opened (read-only) | \??\O: | f76b693.exe
File opened (read-only) | \??\Q: | f76b693.exe
File opened (read-only) | \??\R: | f76b693.exe
File opened (read-only) | \??\T: | f76b693.exe
File opened (read-only) | \??\G: | f76b693.exe
File opened (read-only) | \??\K: | f76b693.exe
File opened (read-only) | \??\M: | f76b693.exe
File opened (read-only) | \??\E: | f76d24d.exe
File opened (read-only) | \??\E: | f76b693.exe
File opened (read-only) | \??\J: | f76b693.exe
File opened (read-only) | \??\H: | f76b693.exe
File opened (read-only) | \??\L: | f76b693.exe
File opened (read-only) | \??\S: | f76b693.exe
File opened (read-only) | \??\I: | f76b693.exe
File opened (read-only) | \??\P: | f76b693.exe

Yara rule match: upx 25 IoCs
resource | yara_rule
behavioral1/memory/1800-15-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-16-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-14-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-10-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-17-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-19-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-18-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-13-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-12-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-21-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-58-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-59-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-60-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-62-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-61-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-64-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-65-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-83-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-85-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-86-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-106-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-107-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-109-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1800-156-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1912-186-0x0000000000950000-0x0000000001A0A000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\f76b6e1 | f76b693.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76b693.exe
File created | C:\Windows\f770676 | f76b809.exe
File created | C:\Windows\f77083b | f76d24d.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b693.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b809.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76d24d.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process | count
1800 | f76b693.exe | 2
1912 | f76b809.exe | 1
2732 | f76d24d.exe | 1

Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process | count
Token: SeDebugPrivilege | 1800 | f76b693.exe | 24
Token: SeDebugPrivilege | 1912 | f76b809.exe | 6
Token: SeDebugPrivilege | 2732 | f76d24d.exe | 16
Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target | count
PID 2172 wrote to memory of 2324 | 2172 | rundll32.exe | 30 | 7
PID 2324 wrote to memory of 1800 | 2324 | rundll32.exe | 31 | 4
PID 1800 wrote to memory of 1124 | 1800 | f76b693.exe | 19 | 2
PID 1800 wrote to memory of 1176 | 1800 | f76b693.exe | 20 | 2
PID 1800 wrote to memory of 1224 | 1800 | f76b693.exe | 21 | 2
PID 1800 wrote to memory of 1264 | 1800 | f76b693.exe | 23 | 2
PID 1800 wrote to memory of 2172 | 1800 | f76b693.exe | 29 | 1
PID 1800 wrote to memory of 2324 | 1800 | f76b693.exe | 30 | 2
PID 2324 wrote to memory of 1912 | 2324 | rundll32.exe | 32 | 4
PID 2324 wrote to memory of 2732 | 2324 | rundll32.exe | 34 | 4
PID 1800 wrote to memory of 1912 | 1800 | f76b693.exe | 32 | 2
PID 1800 wrote to memory of 2732 | 1800 | f76b693.exe | 34 | 2
PID 2732 wrote to memory of 1124 | 2732 | f76d24d.exe | 19 | 1
PID 2732 wrote to memory of 1176 | 2732 | f76d24d.exe | 20 | 1
PID 2732 wrote to memory of 1224 | 2732 | f76d24d.exe | 21 | 1
PID 2732 wrote to memory of 1264 | 2732 | f76d24d.exe | 23 | 1
PID 2732 wrote to memory of 1912 | 2732 | f76d24d.exe | 32 | 1

System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b693.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b809.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d24d.exe
Processes
(depth in the process tree is given in brackets)

[1] C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
    PID: 1124

[1] C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"
    PID: 1176

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1224

[2] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll,#1
    Signatures:
    - Suspicious use of WriteProcessMemory
    PID: 2172

  [3] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll,#1
      Signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2324

    [4] C:\Users\Admin\AppData\Local\Temp\f76b693.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76b693.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 1800

    [4] C:\Users\Admin\AppData\Local\Temp\f76b809.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76b809.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
        PID: 1912

    [4] C:\Users\Admin\AppData\Local\Temp\f76d24d.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76d24d.exe
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2732

[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1264
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

File 1
Filesize: 257B
MD5: 7cab21b63fd6655ca0e23f456928846d
SHA1: 8592cd8e891830effb04ed4950d8c7509e3a394b
SHA256: 690879c813971bd7c17ec18399c84e16e277f2f9d62d3f274b9308988443d41b
SHA512: d2f0b95035fdfc409e6c3a7650088035316d5e6e27a07d4d824cdca9e4e82b4261d61fdde9006de128c9dfbe232dea0cc0fb122866da9dc5e2d77d9191ecd2af

File 2
Filesize: 97KB
MD5: 9f6dc47fa19382690d19ed8a359696f1
SHA1: 0a673df77cb1219e5372db041ddcf9fafe31328a
SHA256: bc2793599caa0e6703b7370c3508de4543ef98e7581be1ed55acd4731ab59148
SHA512: 83c673802c192a7866faef2e077fa1b85bde25429a0efc9df48471bf0431617b0c24a03f11574c012dc83e5ab145ea86dad736439324724dc7a9a3a002b8c450