Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2024 06:31
Static task: static1
Behavioral task: behavioral1
Sample: 64ca71e9ed639558d338fde2e46698bc05dbb86e3d5f4ead45f2b23d511a8e09.dll
Resource: win7-20240903-en

General

Target: 64ca71e9ed639558d338fde2e46698bc05dbb86e3d5f4ead45f2b23d511a8e09.dll
Size: 120KB
MD5: 12e6a070151c696da0dc92564e42c846
SHA1: a6d5666c9230801d0127215026a79aff83044784
SHA256: 64ca71e9ed639558d338fde2e46698bc05dbb86e3d5f4ead45f2b23d511a8e09
SHA512: e70d1a4fdd6632f4ce18620c760343f01326d4c4e56cec5fb54950cecddccd6b9407cb7ab6d4a808018a68feaf6b2fc7d4b32093ddd3218c1673a1c3513073f9
SSDEEP: 3072:JVhpdGEE6P6MF4ABPn3M62B5gUeP5j50+lj:JVhTFEJAB/cfyUeF+Sj
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e292.exe
Sality family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e292.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e292.exe
Executes dropped EXE 3 IoCs
pid | Process
2308 | f76c6d8.exe
2468 | f76c83f.exe
2696 | f76e292.exe
Loads dropped DLL 6 IoCs
pid | Process
2120 | rundll32.exe (6 identical entries)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c6d8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c83f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e292.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e292.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e292.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e292.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76e292.exe
File opened (read-only) | \??\N: | f76c6d8.exe
File opened (read-only) | \??\Q: | f76c6d8.exe
File opened (read-only) | \??\S: | f76c6d8.exe
File opened (read-only) | \??\E: | f76c6d8.exe
File opened (read-only) | \??\O: | f76c6d8.exe
File opened (read-only) | \??\P: | f76c6d8.exe
File opened (read-only) | \??\R: | f76c6d8.exe
File opened (read-only) | \??\T: | f76c6d8.exe
File opened (read-only) | \??\G: | f76e292.exe
File opened (read-only) | \??\H: | f76c6d8.exe
File opened (read-only) | \??\J: | f76c6d8.exe
File opened (read-only) | \??\K: | f76c6d8.exe
File opened (read-only) | \??\M: | f76c6d8.exe
File opened (read-only) | \??\G: | f76c6d8.exe
File opened (read-only) | \??\I: | f76c6d8.exe
File opened (read-only) | \??\L: | f76c6d8.exe
resource | yara_rule
behavioral1/memory/2308-16-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-19-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-20-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-15-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-22-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-21-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-18-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-17-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-23-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-14-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-63-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-64-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-65-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-66-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-67-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-69-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-70-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-87-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-90-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-92-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2308-159-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2468-170-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/2696-194-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
behavioral1/memory/2696-222-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\f76c707 | f76c6d8.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76c6d8.exe
File created | C:\Windows\f7716cb | f76c83f.exe
File created | C:\Windows\f771767 | f76e292.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c6d8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e292.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2308 | f76c6d8.exe
2308 | f76c6d8.exe
2696 | f76e292.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2308 | f76c6d8.exe (23 identical entries)
Token: SeDebugPrivilege | 2696 | f76e292.exe (22 identical entries)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2112 wrote to memory of 2120 | 2112 | rundll32.exe | 30 (7 identical entries)
PID 2120 wrote to memory of 2308 | 2120 | rundll32.exe | 31 (4 identical entries)
PID 2308 wrote to memory of 1112 | 2308 | f76c6d8.exe | 19
PID 2308 wrote to memory of 1176 | 2308 | f76c6d8.exe | 20
PID 2308 wrote to memory of 1208 | 2308 | f76c6d8.exe | 21
PID 2308 wrote to memory of 1108 | 2308 | f76c6d8.exe | 23
PID 2308 wrote to memory of 2112 | 2308 | f76c6d8.exe | 29
PID 2308 wrote to memory of 2120 | 2308 | f76c6d8.exe | 30 (2 identical entries)
PID 2120 wrote to memory of 2468 | 2120 | rundll32.exe | 32 (4 identical entries)
PID 2120 wrote to memory of 2696 | 2120 | rundll32.exe | 34 (4 identical entries)
PID 2308 wrote to memory of 1112 | 2308 | f76c6d8.exe | 19
PID 2308 wrote to memory of 1176 | 2308 | f76c6d8.exe | 20
PID 2308 wrote to memory of 1208 | 2308 | f76c6d8.exe | 21
PID 2308 wrote to memory of 1108 | 2308 | f76c6d8.exe | 23
PID 2308 wrote to memory of 2468 | 2308 | f76c6d8.exe | 32 (2 identical entries)
PID 2308 wrote to memory of 2696 | 2308 | f76c6d8.exe | 34 (2 identical entries)
PID 2696 wrote to memory of 1112 | 2696 | f76e292.exe | 19
PID 2696 wrote to memory of 1176 | 2696 | f76e292.exe | 20
PID 2696 wrote to memory of 1208 | 2696 | f76e292.exe | 21
PID 2696 wrote to memory of 1108 | 2696 | f76e292.exe | 23
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c6d8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c83f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e292.exe
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1112

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1176

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1208

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\64ca71e9ed639558d338fde2e46698bc05dbb86e3d5f4ead45f2b23d511a8e09.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2112

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\64ca71e9ed639558d338fde2e46698bc05dbb86e3d5f4ead45f2b23d511a8e09.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2120

        C:\Users\Admin\AppData\Local\Temp\f76c6d8.exe
          command line: C:\Users\Admin\AppData\Local\Temp\f76c6d8.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2308

        C:\Users\Admin\AppData\Local\Temp\f76c83f.exe
          command line: C:\Users\Admin\AppData\Local\Temp\f76c83f.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification
          PID: 2468

        C:\Users\Admin\AppData\Local\Temp\f76e292.exe
          command line: C:\Users\Admin\AppData\Local\Temp\f76e292.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2696

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1108
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 257B
MD5: 61b1af78d69e58836ade3e76664e6b84
SHA1: ba35bee9da34f0c591d71fca95f931a88b8d70e0
SHA256: ad7e262cd13eb58e0a1782bf6498082c92359a34e79ef7d09d23976174a63fb2
SHA512: e464492283f32d16a70ceccd7a3a529f26e5fadcb0ec1d8bf381e071fd355ddb06c88f960562fcb4d40e67b78007dea7a844d9aadd786ab86092a6844d4eb365

Filesize: 97KB
MD5: 15fe04a66f4feeef21515a58d8269826
SHA1: 33d0fad8eb03ac4e92185d8d7d6ea9b482d68450
SHA256: 9ce25622c862c7a87e8b71bbf2d7c976270d459ce37721adba3c446b72d2bd72
SHA512: 04198f14296f5278ea0082bc8f7efdaa30edce6e9267e42e70965136127c5d4b3d2e6a741966c01a3e154c30b114abe54c3e502341505087b11a1b8ec738b8af