Malware Analysis Report

2024-11-16 12:44

Sample ID 240302-13ba6ahh41
Target Chernobyl.exe
SHA256 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
Tags
discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Possible privilege escalation attempt

Modifies file permissions

Checks whether UAC is enabled

Modifies WinLogon

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of SetWindowsHookEx

System policy modification

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 22:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 22:10

Reported

2024-03-02 22:40

Platform

win11-20240221-en

Max time kernel

45s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Disables Task Manager via registry modification

evasion

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\kill.ico | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
File opened for modification | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 652 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 3120 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 3944 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 652 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 4524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3120 wrote to memory of 2568 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4128 wrote to memory of 4660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 4848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4668 wrote to memory of 1980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 756 wrote to memory of 4332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4532 wrote to memory of 3604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 396 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1452 wrote to memory of 4940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\rundll32.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.0.804939911\2058502957" -parentBuildID 20221007134813 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8093f46-6531-49ad-86f2-0d29754f9515} 772 "\\.\pipe\gecko-crash-server-pipe.772" 1868 1bb5e5ece58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.1.389972522\610862226" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4e5375-e6bf-47a5-ac0d-fb85d66c8738} 772 "\\.\pipe\gecko-crash-server-pipe.772" 2248 1bb5e3fdb58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.2.564337861\375763627" -childID 1 -isForBrowser -prefsHandle 1516 -prefMapHandle 1596 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a0e4ba-3d64-40d5-af1e-51e6ef17b45e} 772 "\\.\pipe\gecko-crash-server-pipe.772" 3044 1bb5e564858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.3.1510392747\1306846195" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7992c1b0-6164-4952-86e1-40dd362b5bfd} 772 "\\.\pipe\gecko-crash-server-pipe.772" 3448 1bb63e59958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.4.2050973242\177984452" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5680a3e-ad1b-4245-a022-686df4788ef3} 772 "\\.\pipe\gecko-crash-server-pipe.772" 4480 1bb653cfa58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.5.272637884\1124764959" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5076 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adcf3a11-09ae-46d6-82ae-8052fae42d75} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5108 1bb65d31f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.6.1575036043\1578531317" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7125f588-1a40-430a-82e0-a5285bea3990} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5220 1bb65d32b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.7.210850769\675639257" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c6bcbee-5eae-453b-bbc9-83b06a60f83d} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5500 1bb65d32e58 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\afunix.sys

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\svchost.exe /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

Network


Files

memory/652-1-0x00000000745D0000-0x0000000074D81000-memory.dmp

memory/652-0-0x00000000004B0000-0x000000000050C000-memory.dmp

memory/652-2-0x0000000004F70000-0x0000000005002000-memory.dmp

memory/652-3-0x00000000055C0000-0x0000000005B66000-memory.dmp

memory/652-4-0x0000000005310000-0x0000000005320000-memory.dmp

C:\Users\Admin\Desktop\Âěí▌™╬ř♪↑™®☺╠◘╚↕♪åπå¾♠♫╚¶▌►▌«◄×■▲ńŸ◘®²ï◘æ8▲Ç7íσ≈5▄夜6å2ï▀ñ▬ó╚ě╔▼é▀õ¾♣╚◄╥ß≈♫φ╔₧₧♀☺╔₧š☻▄Ç▌¶▐ε♠•µ╥○σ±é

memory/652-309-0x0000000006260000-0x000000000626A000-memory.dmp

memory/652-310-0x00000000745D0000-0x0000000074D81000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\1f9a717a-cb03-4524-ac0b-42df16e91d11

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\092f32ea-8f48-4e64-9b90-08c7128dd40f

memory/652-376-0x0000000005310000-0x0000000005320000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionCheckpoints.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionstore.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\prefs-1.js
