{
	"id": "469c1806-565f-4292-9a26-e0d131dd07fd",
	"created_at": "2026-04-06T00:11:43.216656Z",
	"updated_at": "2026-04-10T03:20:24.597354Z",
	"deleted_at": null,
	"sha1_hash": "f8ebe56405610cbd1f68b81375be11c8bc985cef",
	"title": "https://www.malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37672,
	"plain_text": "https://www.malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt\r\nArchived: 2026-04-05 19:56:10 UTC\r\nDiscovery / credits: Malvuln - malvuln.com (c) 2022\r\nOriginal source: https://malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt\r\nContact: malvuln13@gmail.com\r\nMedia: twitter.com/malvuln\r\nThreat: Conti Ransom\r\nVulnerability: Code Execution\r\nDescription: Conti looks for and executes DLLs in its current directory. Therefore, we can potentially hijack\r\nFamily: Conti\r\nType: PE32\r\nMD5: 9eb9197cd58f4417a27621c4e1b25a71\r\nVuln ID: MVID-2022-0576\r\nDisclosure: 05/03/2022\r\nVideo PoC URL: https://www.youtube.com/watch?v=Sb2fKCOSoew\r\nVideo PoC URL: https://vimeo.com/751855543\r\nExploit/PoC:\r\n1) Compile the following C code as \"netapi32.dll\"\r\n2) Place the DLL in same directory as the ransomware\r\n3) Optional - Hide it: attrib +s +h \"netapi32.dll\"\r\n4) Run Conti\r\n#include \"windows.h\"\r\n#include \"stdio.h\"\r\n//By malvuln\r\n//Purpose: Code Execution\r\n//Target: Conti Ransomware\r\n//MD5: 9eb9197cd58f4417a27621c4e1b25a71\r\n/** DISCLAIMER:\r\nAuthor is NOT responsible for any damages whatsoever by using this software or improper malware\r\nhandling. 
By using this code you assume and accept all risk implied or otherwise.\r\n**/\r\n//gcc -c netapi32.c -m32\r\n//gcc -shared -o netapi32.dll netapi32.o -m32\r\nBOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){\r\n switch (reason) {\r\n case DLL_PROCESS_ATTACH:\r\n MessageBox(NULL, \"Code Exec\", \"by malvuln\", MB_OK);\r\n TCHAR buf[MAX_PATH];\r\n GetCurrentDirectory(MAX_PATH, TEXT(buf));\r\n int rc = strcmp(\"C:\\\\Windows\\\\System32\", TEXT(buf));\r\n if(rc != 0){\r\nHANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());\r\n if (NULL != handle) {\r\n TerminateProcess(handle, 0);\r\n CloseHandle(handle);\r\n }\r\n }\r\n break;\r\n }\r\n return TRUE;\r\n}\r\nDisclaimer: The information contained within this advisory is supplied \"as-is\" with no warranties or guarantee\r\nSource: https://www.malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.malvuln.com/advisory/9eb9197cd58f4417a27621c4e1b25a71.txt"
	],
	"report_names": [
		"9eb9197cd58f4417a27621c4e1b25a71.txt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434303,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8ebe56405610cbd1f68b81375be11c8bc985cef.pdf",
		"text": "https://archive.orkl.eu/f8ebe56405610cbd1f68b81375be11c8bc985cef.txt",
		"img": "https://archive.orkl.eu/f8ebe56405610cbd1f68b81375be11c8bc985cef.jpg"
	}
}