Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 31-12-2024 20:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll
- Resource: win7-20240729-en
General
- Target: 23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll
- Size: 120KB
- MD5: e751947f1cc4c44cfbe30351f1e88ab6
- SHA1: acbb382a6bfe409cf11905193433e80934dce53f
- SHA256: 23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc
- SHA512: a34f33c6cd223145fb723d18115ada4980a2842cc85b4f2c996de280ac2db741a384a226a425f56b21f2ccc1800cf4c4d97485bfdd879935885f9fe9ccf8ac9d
- SSDEEP: 3072:I0ih6tvRfkxpQAyb1l/41e2epBeLTtg0hBuAxj5n:ILyvl4pQAybr417epBqlhBT5n
Malware Config
- Extracted: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c1aa.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e64a.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c330.exe
Executes dropped EXE 3 IoCs
pid | Process
2564 | f76c1aa.exe
2756 | f76c330.exe
2664 | f76e64a.exe
Loads dropped DLL 6 IoCs
pid | Process
3016 | rundll32.exe
3016 | rundll32.exe
3016 | rundll32.exe
3016 | rundll32.exe
3016 | rundll32.exe
3016 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c1aa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c330.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c1aa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e64a.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e64a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c330.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76c1aa.exe
File opened (read-only) | \??\K: | f76c1aa.exe
File opened (read-only) | \??\L: | f76c1aa.exe
File opened (read-only) | \??\I: | f76e64a.exe
File opened (read-only) | \??\J: | f76c1aa.exe
File opened (read-only) | \??\N: | f76c1aa.exe
File opened (read-only) | \??\O: | f76c1aa.exe
File opened (read-only) | \??\H: | f76e64a.exe
File opened (read-only) | \??\G: | f76c1aa.exe
File opened (read-only) | \??\H: | f76c1aa.exe
File opened (read-only) | \??\I: | f76c1aa.exe
File opened (read-only) | \??\G: | f76e64a.exe
File opened (read-only) | \??\M: | f76c1aa.exe
File opened (read-only) | \??\P: | f76c1aa.exe
File opened (read-only) | \??\E: | f76e64a.exe
resource | yara_rule
behavioral1/memory/2564-11-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-13-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-15-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-16-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-18-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-20-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-21-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-19-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-17-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-14-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-63-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-64-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-65-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-66-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-68-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-67-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-72-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-86-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-109-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2564-151-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
behavioral1/memory/2756-162-0x0000000000970000-0x0000000001A2A000-memory.dmp | upx
behavioral1/memory/2664-186-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/2664-218-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\f771258 | f76e64a.exe
File created | C:\Windows\f76c1f8 | f76c1aa.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76c1aa.exe
File created | C:\Windows\f77119d | f76c330.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c1aa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e64a.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2564 | f76c1aa.exe
2564 | f76c1aa.exe
2664 | f76e64a.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2564 | f76c1aa.exe
Token: SeDebugPrivilege | 2664 | f76e64a.exe
(46 rows in total, every one of them SeDebugPrivilege, split between the two processes above; identical repeats are collapsed here.)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 2500 wrote to memory of 3016 | 2500 | rundll32.exe | 30
PID 3016 wrote to memory of 2564 | 3016 | rundll32.exe | 31
PID 3016 wrote to memory of 2564 | 3016 | rundll32.exe | 31
PID 3016 wrote to memory of 2564 | 3016 | rundll32.exe | 31
PID 3016 wrote to memory of 2564 | 3016 | rundll32.exe | 31
PID 2564 wrote to memory of 1112 | 2564 | f76c1aa.exe | 19
PID 2564 wrote to memory of 1204 | 2564 | f76c1aa.exe | 20
PID 2564 wrote to memory of 1288 | 2564 | f76c1aa.exe | 21
PID 2564 wrote to memory of 1616 | 2564 | f76c1aa.exe | 25
PID 2564 wrote to memory of 2500 | 2564 | f76c1aa.exe | 29
PID 2564 wrote to memory of 3016 | 2564 | f76c1aa.exe | 30
PID 2564 wrote to memory of 3016 | 2564 | f76c1aa.exe | 30
PID 3016 wrote to memory of 2756 | 3016 | rundll32.exe | 32
PID 3016 wrote to memory of 2756 | 3016 | rundll32.exe | 32
PID 3016 wrote to memory of 2756 | 3016 | rundll32.exe | 32
PID 3016 wrote to memory of 2756 | 3016 | rundll32.exe | 32
PID 3016 wrote to memory of 2664 | 3016 | rundll32.exe | 34
PID 3016 wrote to memory of 2664 | 3016 | rundll32.exe | 34
PID 3016 wrote to memory of 2664 | 3016 | rundll32.exe | 34
PID 3016 wrote to memory of 2664 | 3016 | rundll32.exe | 34
PID 2564 wrote to memory of 1112 | 2564 | f76c1aa.exe | 19
PID 2564 wrote to memory of 1204 | 2564 | f76c1aa.exe | 20
PID 2564 wrote to memory of 1288 | 2564 | f76c1aa.exe | 21
PID 2564 wrote to memory of 1616 | 2564 | f76c1aa.exe | 25
PID 2564 wrote to memory of 2756 | 2564 | f76c1aa.exe | 32
PID 2564 wrote to memory of 2756 | 2564 | f76c1aa.exe | 32
PID 2564 wrote to memory of 2664 | 2564 | f76c1aa.exe | 34
PID 2564 wrote to memory of 2664 | 2564 | f76c1aa.exe | 34
PID 2664 wrote to memory of 1112 | 2664 | f76e64a.exe | 19
PID 2664 wrote to memory of 1204 | 2664 | f76e64a.exe | 20
PID 2664 wrote to memory of 1288 | 2664 | f76e64a.exe | 21
PID 2664 wrote to memory of 1616 | 2664 | f76e64a.exe | 25
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c1aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c330.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e64a.exe
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), level 1, PID: 1112
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), level 1, PID: 1204
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), level 1, PID: 1288
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll,#1), level 2, PID: 2500
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23745e0d83ba4329b7e29bcf691150cd223625acdba3a8464f29cdc1d86e4dcc.dll,#1), level 3, PID: 3016
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76c1aa.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76c1aa.exe), level 4, PID: 2564
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76c330.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76c330.exe), level 4, PID: 2756
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76e64a.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76e64a.exe), level 4, PID: 2664
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), level 1, PID: 1616
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 6ccdbf58f3bc807a7970bc1b684499bc
  SHA1: fd3f1b23feb40f62dc8942cc662d23ed6e6efff5
  SHA256: b804a01916ce2c68e82b79dc62d98662b5bd025f39b29e60d971fc65d7d125cf
  SHA512: 293350761cac9b592405e729ec425eb4ce0e54ba9250d284004d468854d61c061b82b11b69167971f585e074ff1d217ee5214f8d9c2bd229b5229d9fdf72759f
- Filesize: 97KB
  MD5: 07d19f85e0b8b2f4aa4e58c1164163e0
  SHA1: 170d1a88a6a86520313471679ee4f5a2f7c2fc32
  SHA256: 939436aca10023493e211c2de845af339abfc27ec7ca096e62d33d9b1f69c96a
  SHA512: 1ace9fb9a716115a4572b9bb6ba57716e3e220b4e09e429951a5690eccba70d81a0dff6c24c0f3e67d36704d43b55e20e687f0de5665d835d3fe9a31a9d4645d