Analysis
max time kernel: 45s
max time network: 34s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-03-2024 22:10
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win11-20240221-en
General
Target: Chernobyl.exe
Size: 343KB
MD5: d576e0520faa40435d5bdc66304205f9
SHA1: b99fce6ebd094e2cbc29e1ed4e47360781e86c47
SHA256: 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
SHA512: 6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
SSDEEP: 6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe"  [Chernobyl.exe]
Note: the value landed under WOW6432Node because the sample is a 32-bit process and the Winlogon key is subject to registry redirection. On this x64 image the 64-bit winlogon.exe reads the native key, so this Shell entry is not expected to launch cluttscape.exe at logon as written. When hunting for it on a host, check both registry views.

UAC bypass
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Chernobyl.exe]
Note: EnableLUA = 0 does not bypass UAC; it turns UAC off for the whole machine, and only after the next reboot. Writing it needs administrative rights the sample already held (the HKLM policy write succeeded, and %username% expands to Admin in the icacls commands below). The Policies key is shared between the 32-bit and 64-bit registry views, which is why this write appears in the native path while the Winlogon writes do not.

Disables RegEdit via registry modification (1 IoC)
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [Chernobyl.exe]

Disables Task Manager via registry modification
Possible privilege escalation attempt (18 IoCs)
Processes (pid / process):
  takeown.exe: 1212, 4940, 2660, 4788, 3648, 3852, 3036, 4844, 3964, 3424, 2144, 1524, 4100, 2644
  icacls.exe: 4868, 3336, 3220, 2420
Note: takeown /f followed by icacls /grant <user>:F removes the TrustedInstaller ownership that normally stops even administrators from changing protected files under the Windows directory. The privileges needed were already available (each takeown.exe enabled SeTakeOwnershipPrivilege, see "Suspicious use of AdjustPrivilegeToken"), so this prepares the files for modification rather than elevating privilege; the report records no write to any of the targeted files within the 45-second run.

Modifies file permissions (1 TTP, 18 IoCs)
Processes (pid / process):
  takeown.exe: 3036, 3852, 1212, 2644, 4844, 2144, 3964, 2660, 3424, 4940, 1524, 4100, 4788, 3648
  icacls.exe: 2420, 3336, 4868, 3220

Checks whether UAC is enabled
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  [Chernobyl.exe]
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Chernobyl.exe]
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"  [Chernobyl.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"  [Chernobyl.exe]
AutoRestartShell = 0 stops Winlogon from relaunching the shell if it exits; DisableCAD = 1 removes the Ctrl+Alt+Del secure attention sequence at logon. Both writes sit under WOW6432Node because the sample is a 32-bit process, so they are not expected to be honoured by the 64-bit winlogon.exe on this image.

Drops file in System32 directory (1 IoC)
Processes (description / ioc / process):
  File opened for modification  C:\Windows\SysWOW64\kill.ico  [Chernobyl.exe]
The path is SysWOW64 rather than System32: WOW64 file-system redirection applies to the 32-bit sample.

Drops file in Windows directory (2 IoCs)
Processes (description / ioc / process):
  File created                  C:\Windows\cluttscape.exe  [Chernobyl.exe]
  File opened for modification  C:\Windows\cluttscape.exe  [Chernobyl.exe]
This is the binary named in the Winlogon Shell value above.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [firefox.exe]
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [firefox.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  [firefox.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  [firefox.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  [firefox.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  [firefox.exe]
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  [firefox.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  [firefox.exe]
All eight hits come from firefox.exe, the image's browser, not from Chernobyl.exe; they are not evidence of sandbox evasion by the sample.

Modifies registry class (2 IoCs)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico"  [Chernobyl.exe]
  Key created      \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings  [firefox.exe]
The DefaultIcon write replaces the icon shown for files of unknown type with the dropped kill.ico; the firefox.exe entry is routine browser activity.
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes (privilege / pid / process):
  SeDebugPrivilege          772 firefox.exe (twice); 652 Chernobyl.exe (twice)
  SeTakeOwnershipPrivilege  takeown.exe 3424, 4940, 3036, 3852, 4844, 3964, 1524, 4100, 2660, 4788, 2644, 1212, 3648, 2144
  SeShutdownPrivilege       652 Chernobyl.exe
SeTakeOwnershipPrivilege is what lets takeown.exe seize files owned by TrustedInstaller. Chernobyl.exe also enabled SeShutdownPrivilege, the privilege required to initiate a shutdown or reboot.

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes (pid / process): 772 firefox.exe (four times)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid / process): 772 firefox.exe (three times)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process): 772 firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid / source process / target pid / target process), three writes per child unless noted:
  652 Chernobyl.exe wrote to cmd.exe 3468, 4128, 3120, 1040, 2492, 4668, 4532, 2676, 756, 396, 4892, 1452
  cmd.exe wrote to rundll32.exe: 3468 -> 3944, 1040 -> 4524, 3120 -> 2568, 4128 -> 4660, 2492 -> 4848, 4668 -> 1980, 756 -> 4332, 4532 -> 3604, 396 -> 2008, 1452 -> 4940 (one write)
The listing stops at 64 entries, which is why only one write is shown for 1452 -> 4940 and none for the 2676 and 4892 chains. Every write is from a parent into a child it has just created, the pattern produced by ordinary process start-up, not injection into an unrelated process.

System policy modification (1 TTP, 3 IoCs)
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"  [Chernobyl.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"  [Chernobyl.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [Chernobyl.exe]
shutdownwithoutlogon = 0 removes the shutdown option from the logon screen; EnableLUA = 0 is the same write reported under "UAC bypass".

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
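The registry writes in the signatures above are the part of this report most worth turning into a detection. The Python below is an added example, not sandbox output and not code from the sample or the analysis platform: it evaluates Sysmon-style "registry value set" events against the specific keys and values seen here. It assumes Sysmon's field names (TargetObject, Details) and Sysmon's DWORD rendering; the sample events are constructed from this report's IoCs. It also canonicalises the sandbox's \REGISTRY\MACHINE spelling and strips WOW6432Node, reporting separately whether a write was redirected, because a Winlogon value written to the 32-bit view is not read by the 64-bit winlogon.exe. T1548.002 and T1547.004 are the two techniques named in this report's ATT&CK section; the T1112 (Modify Registry) tags are my own mapping.

```python
"""Flag the registry policy changes recorded above when they appear in
Sysmon-style "registry value set" events.  Added example with constructed
events; not sandbox output."""
import re
from dataclasses import dataclass

# Hive spellings from sandbox output (\REGISTRY\MACHINE) and Sysmon (HKLM).
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU",
         "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}
WOW_RE = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)
SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+", re.IGNORECASE)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-fA-F]+)\)$")

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
USER_POLICY_KEY = r"HKU\<sid>\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (key, value name) -> (label, ATT&CK technique, predicate on the written value).
# T1548.002 / T1547.004 come from the report's ATT&CK mapping; T1112 is assumed.
RULES = {
    (WINLOGON_KEY, "Shell"): ("Winlogon Shell changed", "T1547.004",
                              lambda v: v.lower() != "explorer.exe"),
    (WINLOGON_KEY, "AutoRestartShell"): ("Shell auto-restart disabled", "T1547.004",
                                         lambda v: v == "0"),
    (WINLOGON_KEY, "DisableCAD"): ("Ctrl+Alt+Del at logon disabled", "T1112",
                                   lambda v: v == "1"),
    (SYSTEM_POLICY_KEY, "EnableLUA"): ("UAC disabled", "T1548.002", lambda v: v == "0"),
    (SYSTEM_POLICY_KEY, "shutdownwithoutlogon"): ("Shutdown from logon screen disabled",
                                                  "T1112", lambda v: v == "0"),
    (USER_POLICY_KEY, "DisableRegistryTools"): ("Registry Editor disabled", "T1112",
                                                lambda v: v == "1"),
    (USER_POLICY_KEY, "DisableTaskMgr"): ("Task Manager disabled", "T1112",
                                          lambda v: v == "1"),
}
RULES = {(k.lower(), n.lower()): r for (k, n), r in RULES.items()}


def normalize(key):
    """Canonical key path (short hive, SID -> <sid>, WOW6432Node removed) plus a
    flag saying whether the write went to the 32-bit view, which the 64-bit
    winlogon.exe does not read."""
    for long, short in HIVES.items():
        if key.upper().startswith(long):
            key = short + key[len(long):]
            break
    redirected = WOW_RE.search(key) is not None
    return SID_RE.sub(r"HKU\\<sid>", WOW_RE.sub("", key)), redirected


def parse_value(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; sandboxes quote strings."""
    m = DWORD_RE.match(details.strip())
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


@dataclass
class Finding:
    label: str
    technique: str
    key: str
    name: str
    value: str
    redirected: bool


def evaluate(events):
    """events: dicts with TargetObject (full value path) and Details (new data)."""
    findings = []
    for ev in events:
        key, _, name = ev["TargetObject"].rpartition("\\")
        canon, redirected = normalize(key)
        rule = RULES.get((canon.lower(), name.lower()))
        value = parse_value(ev["Details"])
        if rule and rule[2](value):
            findings.append(Finding(rule[0], rule[1], canon, name, value, redirected))
    return findings


# Constructed events mirroring this report's IoCs, plus one benign write.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe, cluttscape.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell",
     "Details": "DWORD (0x00000000)"},
    {"TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD",
     "Details": "DWORD (0x00000001)"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"TargetObject": r"HKU\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon",
     "Details": '"0"'},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        view = "redirected to 32-bit view" if f.redirected else "native view"
        print(f"{f.technique} {f.label}: {f.key}\\{f.name} = {f.value} ({view})")
```

Run against real Sysmon Event ID 13 records the output separates the three Winlogon writes (flagged as redirected, so ineffective for persistence on x64) from the policy writes that did land in the native view and take effect.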
Processes
Indentation shows parent/child relationships. Every child of Chernobyl.exe runs from C:\Windows\SysWOW64 although its recorded command line names C:\Windows\System32: the sample is a 32-bit process, so WOW64 file-system redirection applies to everything it launches.

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe  [PID 652]
  command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Checks whether UAC is enabled; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

  C:\Windows\SysWOW64\cmd.exe  (12 instances)
    command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    signatures: Suspicious use of WriteProcessMemory (all instances except PIDs 2676 and 4892)
    C:\Windows\SysWOW64\rundll32.exe  (one per cmd.exe)
      command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    cmd.exe PID -> rundll32.exe PID: 3468 -> 3944, 4128 -> 4660, 3120 -> 2568, 1040 -> 4524, 2492 -> 4848, 4668 -> 1980, 4532 -> 3604, 2676 -> 4748, 756 -> 4332, 396 -> 2008, 4892 -> 4344, 1452 -> 4940
    UpdatePerUserSystemParameters makes the shell re-read per-user settings; it is the usual way to apply a registry change such as the DefaultIcon swap without a logoff.

  C:\Windows\SysWOW64\cmd.exe  (14 instances, one per target file)
    command line: "C:\Windows\System32\cmd.exe" /k takeown /f <file> && icacls <file> /grant "%username%:F" && exit
    C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f <file>
      signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe  (recorded for four of the fourteen files only)
      command line: icacls <file> /grant "Admin:F"   (%username% expanded to Admin)
      signatures: Possible privilege escalation attempt; Modifies file permissions

    <file>                                      cmd.exe   takeown.exe   icacls.exe
    C:\Windows\System32\smss.exe                1316      3424          not recorded
    C:\Windows\System32\csrss.exe               1304      4940          not recorded
    C:\Windows\System32\wininit.exe             4536      3036          not recorded
    C:\Windows\System32\LogonUI.exe             4956      4844          not recorded
    C:\Windows\System32\lsass.exe               4848      3852          not recorded
    C:\Windows\System32\services.exe            2112      3964          not recorded
    C:\Windows\System32\winlogon.exe            3172      4100          not recorded
    C:\Windows\System32\winload.efi             764       1524          not recorded
    C:\Windows\System32\winload.exe             1072      4788          not recorded
    C:\Windows\System32\ntoskrnl.exe            3244      1212          not recorded
    C:\Windows\System32\svchost.exe             1724      2660          3220
    C:\Windows\System32\drivers\afunix.sys      4920      2644          4868
    C:\Windows\System32\drivers\gm.dls          1000      2144          3336
    C:\Windows\System32\drivers\gmreadme.txt    1328      3648          2420

    Because the commands are chained with &&, icacls runs only after takeown exits successfully; the grant step appears only for svchost.exe, afunix.sys, gm.dls and gmreadme.txt. Note that takeown.exe here is the 32-bit copy, so the C:\Windows\System32 paths it receives are subject to WOW64 redirection and resolve under C:\Windows\SysWOW64; that is consistent with takeown succeeding only where a SysWOW64 counterpart exists, and means the 64-bit boot and kernel files named above were very likely never touched. The report does not record the resolved paths, so confirm on the host.
    PIDs 4848 and 4940 each occur twice in this tree (first as rundll32.exe, later as cmd.exe and takeown.exe respectively): PIDs were recycled during the run, so correlate processes by start time or process GUID, not by PID alone.
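The takeown/icacls chains above are easier to triage from endpoint telemetry than from a sandbox tree. The Python below is an added example, not part of this report, that reconstructs the chain from Sysmon-style process-creation events grouped by ParentProcessGuid. The field names follow Sysmon Event ID 1, the GUID strings are placeholders, and the events are constructed from the PIDs and command lines in this tree. It flags any takeown of a file under the Windows system directories and any icacls grant of Full control (:F) on such a file, and records whether the grant was preceded by a takeown from the same parent. It groups by GUID rather than PID because this very report shows PID 4940 used first by rundll32.exe and then by takeown.exe.

```python
"""Detect the takeown -> icacls "grant Full control" chain from this report in
Sysmon-style process-creation events (Event ID 1).  Added example; the sample
events are constructed from the process tree above, not sandbox output."""
import re

# takeown /f <file>        icacls <file> /grant[:r] <principal>:<perms>
TAKEOWN_RE = re.compile(r'takeown(?:\.exe)?\s.*?/f\s+("[^"]+"|\S+)', re.IGNORECASE)
ICACLS_RE = re.compile(r'icacls(?:\.exe)?\s+("[^"]+"|\S+)\s.*?/grant(?::r)?\s+("[^"]+"|\S+)',
                       re.IGNORECASE)
# Files here are owned by TrustedInstaller on a stock install.
PROTECTED_RE = re.compile(r'^[a-z]:\\windows\\(?:system32|syswow64)\\', re.IGNORECASE)


def _unquote(s):
    return s.strip('"')


def _new_finding(path, parent):
    return {"file": path, "parent": parent, "takeown": False, "full_control_to": None}


def detect(events):
    """One finding per protected file touched by takeown/icacls, grouped by the
    parent that launched them.  Grouping uses ParentProcessGuid rather than
    ParentProcessId: PIDs are recycled (in this report 4940 is first a
    rundll32.exe and later a takeown.exe), so a PID alone misattributes."""
    per_parent = {}
    for ev in events:
        per_parent.setdefault(ev["ParentProcessGuid"], []).append(ev)

    findings = []
    for parent, children in per_parent.items():
        seen = {}  # lower-cased file path -> finding for this parent
        for ev in children:
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            cmdline = ev["CommandLine"]
            if image == "takeown.exe":
                m = TAKEOWN_RE.search(cmdline)
                if m and PROTECTED_RE.match(_unquote(m.group(1))):
                    path = _unquote(m.group(1))
                    seen.setdefault(path.lower(), _new_finding(path, parent))["takeown"] = True
            elif image == "icacls.exe":
                m = ICACLS_RE.search(cmdline)
                if not m:
                    continue
                path, grant = _unquote(m.group(1)), _unquote(m.group(2))
                # Only a Full-control grant on a protected path is interesting here.
                if grant.upper().endswith(":F") and PROTECTED_RE.match(path):
                    f = seen.setdefault(path.lower(), _new_finding(path, parent))
                    f["full_control_to"] = grant.rsplit(":", 1)[0]
        findings.extend(seen.values())
    return findings


# Constructed events modelled on the process tree above; GUIDs are placeholders.
SAMPLE_EVENTS = [
    # cmd.exe 1724 -> takeown.exe 2660 -> icacls.exe 3220 (both steps ran)
    {"ProcessGuid": "{g-2660}", "ParentProcessGuid": "{g-1724}", "ProcessId": 2660,
     "Image": r"C:\Windows\SysWOW64\takeown.exe",
     "CommandLine": r"takeown /f C:\Windows\System32\svchost.exe"},
    {"ProcessGuid": "{g-3220}", "ParentProcessGuid": "{g-1724}", "ProcessId": 3220,
     "Image": r"C:\Windows\SysWOW64\icacls.exe",
     "CommandLine": r'icacls C:\Windows\System32\svchost.exe /grant "Admin:F"'},
    # cmd.exe 1316 -> takeown.exe 3424 only (no icacls recorded)
    {"ProcessGuid": "{g-3424}", "ParentProcessGuid": "{g-1316}", "ProcessId": 3424,
     "Image": r"C:\Windows\SysWOW64\takeown.exe",
     "CommandLine": r"takeown /f C:\Windows\System32\smss.exe"},
    # PID 4940 recycled: rundll32.exe under cmd.exe 1452, then takeown.exe under cmd.exe 1304
    {"ProcessGuid": "{g-4940a}", "ParentProcessGuid": "{g-1452}", "ProcessId": 4940,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"},
    {"ProcessGuid": "{g-4940b}", "ParentProcessGuid": "{g-1304}", "ProcessId": 4940,
     "Image": r"C:\Windows\SysWOW64\takeown.exe",
     "CommandLine": r"takeown /f C:\Windows\System32\csrss.exe"},
    # Benign: a user granting themselves rights on their own file.
    {"ProcessGuid": "{g-9001}", "ParentProcessGuid": "{g-9000}", "ProcessId": 9001,
     "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Users\Admin\Documents\notes.txt" /grant Admin:F'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['file']}: takeown={f['takeown']} "
              f"full_control_to={f['full_control_to']} parent={f['parent']}")
```

On real telemetry, feed it the Event ID 1 records for the time window of interest; because findings are keyed per parent, they line up one-to-one with the cmd.exe instances in the table above, and a takeown with no matching grant tells you the chain stopped at the first command.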
C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1600]   (separate root process: the image's browser, not a child of the sample)
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  C:\Program Files\Mozilla Firefox\firefox.exe  [PID 772]
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1988, gpu]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.0.804939911\2058502957" -parentBuildID 20221007134813 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8093f46-6531-49ad-86f2-0d29754f9515} 772 "\\.\pipe\gecko-crash-server-pipe.772" 1868 1bb5e5ece58 gpu
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3360, socket]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.1.389972522\610862226" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4e5375-e6bf-47a5-ac0d-fb85d66c8738} 772 "\\.\pipe\gecko-crash-server-pipe.772" 2248 1bb5e3fdb58 socket
      signatures: Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4928, tab]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.2.564337861\375763627" -childID 1 -isForBrowser -prefsHandle 1516 -prefMapHandle 1596 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a0e4ba-3d64-40d5-af1e-51e6ef17b45e} 772 "\\.\pipe\gecko-crash-server-pipe.772" 3044 1bb5e564858 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3180, tab]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.3.1510392747\1306846195" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7992c1b0-6164-4952-86e1-40dd362b5bfd} 772 "\\.\pipe\gecko-crash-server-pipe.772" 3448 1bb63e59958 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3116, tab]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.4.2050973242\177984452" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5680a3e-ad1b-4245-a022-686df4788ef3} 772 "\\.\pipe\gecko-crash-server-pipe.772" 4480 1bb653cfa58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4776, tab]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.5.272637884\1124764959" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5076 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adcf3a11-09ae-46d6-82ae-8052fae42d75} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5108 1bb65d31f58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1660, tab]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.6.1575036043\1578531317" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7125f588-1a40-430a-82e0-a5285bea3990} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5220 1bb65d32b58 tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 2288, tab]
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.7.210850769\675639257" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c6bcbee-5eae-453b-bbc9-83b06a60f83d} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5500 1bb65d32e58 tab
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1), T1548.002
  Boot or Logon Autostart Execution (2): Winlogon Helper DLL (2), T1547.004
Downloads
The Firefox profile entries are written by the image's browser, not by the sample.

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 1a219a35746a8af91ee769d9a718ebd3
  SHA1: cb1b4e8278b4e4323ca6569474c5783421f9b8ce
  SHA256: 25bae03d926c05280c40db7dda9733a5404b6c83ea1a742a6f36cc04bc051aa4
  SHA512: 651a454d65918cf7e5d8c55e5f3538b685fda91de1e715a35768b8efda59fc935982bdf68a306eea253191df3c1505c4cfa7bdac45fbdf78acb38edcd8765adf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\092f32ea-8f48-4e64-9b90-08c7128dd40f
  Filesize: 11KB
  MD5: 842543c3cc9657902b9d4c57f8133b8b
  SHA1: e3f34359d6b3ba524fdac1567314446066d579c8
  SHA256: 727b501dcf5c74b0ee9a74b3da64b07b8f09dd71da2e071470a303677f6f832f
  SHA512: 5dbe80ea5f84a9c2bdea88715da6381f000e68c3ee7f2dc3ad7adb13be69ec82fc543273568fcbdaf043f4cdc22feab8bd42c289793aa2c08f137fea06974788

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\1f9a717a-cb03-4524-ac0b-42df16e91d11
  Filesize: 746B
  MD5: 31c9c9506b8c3e8eba0eba29878e0cb6
  SHA1: bf66d23ad98836c2423072d0c86352656fa8e5f2
  SHA256: 99a9542852053713f239ba652546e89f9f57fe9745ffa3013fd10ed6dff26dcb
  SHA512: 03d042c0565c1d421f857b7c01ca85850f32ee4cd97b145f486fbbbe7de5746c712247dc20d486e277e7c0ce71e9bf684aafc0d928e12eea7660d9907eb7d0ae

(path missing from the report)
  Filesize: 6KB
  MD5: 97584a8da73c197d83c2539e4f05e65e
  SHA1: 68660d8a69cd5732c3682be7db6516a31a5cfed6
  SHA256: a9dc4d7dc475adf8a0ad9670ac66a81fb0b03ce2a2f7de61e2378b3b86e1dcb6
  SHA512: c3b76f62d8dd09edadb9576ce72380e90ede5724a2d9e9736c4d9f7697158c90dd81e06e48c89683472587f3cdd4d4c2e0447ee0ca0095bd7b3bbbd0fafdf733

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionCheckpoints.json
  Filesize: 181B
  MD5: 2d87ba02e79c11351c1d478b06ca9b29
  SHA1: 4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1
  SHA256: 16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524
  SHA512: be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionstore.jsonlz4
  Filesize: 883B
  MD5: cd9a559a673cdd68add6e37dfac24165
  SHA1: e6e03441c58083237e426390d4f08d5fc9a8a334
  SHA256: 8549e0a16871100f22bc75712d59f6f01cb750fbfb33de98d6ceed953ab2a10a
  SHA512: e423b2a064c6a419ef9e60c1d3a8ab042f01f8cc21d44ba3165d25c3520c0ca96ad7721f793236b10d8ad7bc4b07426bb64da746a92d669aacbce7168284ffad

C:\Users\Admin\Desktop\Âěí▌™╬ř♪↑™®☺╠◘╚↕♪åπå¾♠♫╚¶▌►▌«◄×■▲ńŸ◘®²ï◘æ8▲Ç7íσ≈5▄夜6å2ï▀ñ▬ó╚ě╔▼é▀õ¾♣╚◄╥ß≈♫φ╔₧₧♀☺╔₧š☻▄Ç▌¶▐ε♠•µ╥○σ±é   (file name reproduced as recorded; origin not attributed in the report)
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b