Analysis

  • max time kernel
    47s
  • max time network
    70s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240221-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    02-03-2024 22:01

General

  • Target

    Chernobyl.exe

  • Size

    343KB

  • MD5

    d576e0520faa40435d5bdc66304205f9

  • SHA1

    b99fce6ebd094e2cbc29e1ed4e47360781e86c47

  • SHA256

    2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

  • SHA512

    6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98

  • SSDEEP

    6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 18 IoCs
  • Modifies file permissions 1 TTPs 18 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:720
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:3036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:1280
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      PID:2580
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4172
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:3932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      PID:1420
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:3428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
      2⤵
      PID:5688
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\smss.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
      2⤵
      PID:5708
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\csrss.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
      2⤵
      PID:5752
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\wininit.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
      2⤵
      PID:5800
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6136
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
      2⤵
      PID:5828
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\lsass.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
      2⤵
      PID:5868
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\services.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
      2⤵
      PID:5900
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winlogon.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
      2⤵
      PID:5948
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winload.efi
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5404
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
      2⤵
      PID:6028
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winload.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
      2⤵
      PID:6092
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\ntoskrnl.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
      2⤵
      PID:5324
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\svchost.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5424
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
      2⤵
      PID:5360
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers\afunix.sys
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5468
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
      2⤵
      PID:2072
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers\gm.dls
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5480
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
      2⤵
      PID:4500
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers\gmreadme.txt
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5496
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4584
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4124
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffc6aa43cb8,0x7ffc6aa43cc8,0x7ffc6aa43cd8
      2⤵
      PID:4444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
      2⤵
      PID:4792
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4580
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
      2⤵
      PID:2296
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      2⤵
      PID:1772
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      2⤵
      PID:2256
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
      2⤵
      PID:2392
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
      2⤵
      PID:1832
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1804
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2496
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    PID:4624
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3588
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.0.1499258282\342343607" -parentBuildID 20221007134813 -prefsHandle 1764 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdaa99d8-b541-4981-b8b8-244d78a3a8d4} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 1856 2aa2e1f9e58 gpu
        3⤵
        PID:2488
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.1.934596635\1160752142" -parentBuildID 20221007134813 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e68214-0a69-4ac5-acc7-c4571bde9efa} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 2232 2aa22071958 socket
        3⤵
                                                                                      3⤵
                                                                                      • Checks processor information in registry
                                                                                      PID:2116
                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.2.1563585800\649669080" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3048 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8215651f-3067-40c8-aca8-0fbae7f017df} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3132 2aa336a3658 tab
                                                                                      3⤵
                                                                                        PID:4244
                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.3.336752411\1474535523" -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 2896 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffcd645d-d736-4cba-9ad8-9a2d379c7aa1} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3744 2aa2206ae58 tab
                                                                                        3⤵
                                                                                          PID:4220
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.4.642955501\1686523303" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89727082-bbb0-407e-8ffa-c96ed425a865} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 4136 2aa30cdca58 tab
                                                                                          3⤵
                                                                                            PID:1176
                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.5.1716515432\1852182303" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 4660 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cb8fec1-312f-46a2-9767-6cc6df219a1b} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5072 2aa2202de58 tab
                                                                                            3⤵
                                                                                              PID:2360
                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.6.2030889354\1832722704" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff4d2c9-cd05-4259-9319-7d82592ac7a2} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5208 2aa35899458 tab
                                                                                              3⤵
                                                                                                PID:4360
                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.7.499854864\808228470" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6daa9349-af7f-4aef-aa1a-cccc69fff319} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5400 2aa35899758 tab
                                                                                                3⤵
                                                                                                  PID:2580
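To correlate a tree like this with other telemetry one usually wants explicit parent PIDs, which the listing encodes only through nesting depth (the N⤵ markers). The Python below is added here as an example and is not part of the report or of the sandbox's tooling. It rebuilds the parent/child map from a constructed, abridged excerpt of the entries above (command lines shortened; the selection of entries is an assumption) and cross-checks two things the listing itself supports: a Firefox content process names its parent PID in the gecko-crash-server-pipe argument, which should agree with the nesting, and among the content processes only the socket and tab kinds are launched with -win32kLockedDown, the gpu process is not.

```python
import re

# Constructed, abridged excerpt of the process tree above: same images, PIDs
# and nesting markers, command lines shortened to the arguments used below.
TREE_EXCERPT = r"""
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:1804
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  PID:4624
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    PID:3588
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.0.1499258282\342343607" -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdaa99d8-b541-4981-b8b8-244d78a3a8d4} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 1856 2aa2e1f9e58 gpu
      3⤵
      PID:2488
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.1.934596635\1160752142" -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e68214-0a69-4ac5-acc7-c4571bde9efa} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 2232 2aa22071958 socket
      3⤵
      • Checks processor information in registry
      PID:2116
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.2.1563585800\649669080" -childID 1 -isForBrowser -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8215651f-3067-40c8-aca8-0fbae7f017df} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3132 2aa336a3658 tab
      3⤵
      PID:4244
"""

IMAGE_RE = re.compile(r"^\s*•\s*(?P<image>[A-Za-z]:\\.+?\.exe)\s*$")  # "• C:\...\x.exe"
TAG_RE = re.compile(r"^\s*•\s*(?P<tag>.+?)\s*$")                        # "• Checks processor ..."
DEPTH_RE = re.compile(r"^\s*(?P<depth>\d+)⤵\s*$")                        # "2⤵"
PID_RE = re.compile(r"^\s*PID:(?P<pid>\d+)\s*$")
CRASH_PIPE_RE = re.compile(r"gecko-crash-server-pipe\.(?P<ppid>\d+)")


def parse_process_tree(text):
    """Return {pid: {image, cmdline, depth, ppid, tags}}.

    Nesting comes from the N⤵ marker: an entry at depth N is the child of the
    most recently completed entry at depth N-1 (depth-1 entries have no parent).
    """
    tree, last_at_depth, cur = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = IMAGE_RE.match(line)
        if m:                                    # a new process entry starts
            cur = {"image": m.group("image"), "cmdline": None,
                   "depth": None, "ppid": None, "tags": []}
            continue
        if cur is None:
            continue
        if m := DEPTH_RE.match(line):
            cur["depth"] = int(m.group("depth"))
        elif m := PID_RE.match(line):            # the PID line closes the entry
            pid, depth = int(m.group("pid")), cur["depth"] or 1
            cur["ppid"] = last_at_depth.get(depth - 1)
            last_at_depth[depth] = pid
            tree[pid] = cur
            cur = None
        elif m := TAG_RE.match(line):            # behaviour signature attached to the entry
            cur["tags"].append(m.group("tag"))
        elif cur["cmdline"] is None:
            cur["cmdline"] = line.strip()
    return tree


def children_of(tree, pid):
    """PIDs whose parent (by nesting) is `pid`, sorted."""
    return sorted(p for p, info in tree.items() if info["ppid"] == pid)


def content_process_kind(cmdline):
    """Firefox -contentproc command lines end with the process kind (gpu, socket, tab)."""
    if cmdline and "-contentproc" in cmdline:
        return cmdline.split()[-1]
    return None


def firefox_parent_mismatches(tree):
    """PIDs whose gecko-crash-server-pipe.<ppid> argument disagrees with the nesting."""
    bad = []
    for pid, info in tree.items():
        m = CRASH_PIPE_RE.search(info["cmdline"] or "")
        if m and int(m.group("ppid")) != info["ppid"]:
            bad.append(pid)
    return bad


def kinds_without_win32k_lockdown(tree):
    """Content-process kinds launched without the -win32kLockedDown flag."""
    return {content_process_kind(info["cmdline"]) for info in tree.values()
            if content_process_kind(info["cmdline"])
            and "-win32kLockedDown" not in info["cmdline"]}


if __name__ == "__main__":
    tree = parse_process_tree(TREE_EXCERPT)
    for pid, info in tree.items():
        print(f"{pid:>5} ppid={info['ppid']} depth={info['depth']} {info['image']} "
              f"kind={content_process_kind(info['cmdline'])} tags={info['tags']}")
    print("parent mismatches:", firefox_parent_mismatches(tree))
    print("no win32k lockdown:", kinds_without_win32k_lockdown(tree))
```

The parent map relies on the report listing a child directly under its parent, which is how the N⤵ markers are laid out; the crash-pipe cross-check catches a mis-nested entry, and an empty mismatch list on the constructed excerpt confirms that the two agree for the PIDs shown.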

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 19a8bcb40a17253313345edd2a0da1e7
  SHA1: 86fac74b5bbc59e910248caebd1176a48a46d72e
  SHA256: b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
  SHA512: 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 96899614360333c9904499393c6e3d75
  SHA1: bbfa17cf8df01c266323965735f00f0e9e04cd34
  SHA256: 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
  SHA512: 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 22629b5b3136d4435c3c36d37814aaaa
  SHA1: 503b96c2615d7c680f9b8c7845ad16c2fdf9a3f5
  SHA256: 1e03ce9661291ad0870a790eb795ec4ef7fb324890be4e4b786401357d904356
  SHA512: 046a0e56552f00c2cc1c5ac722446e7bceab1a1f1b8e59af9e6fab781ffc3669b696ea1eda08c61d9fa3db7d1cbd54afe05e0a489cf2d510e8baba4567791924

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: c9f9ef42efbe37d6dda484149f82efaa
  SHA1: eb20a0a3a96cd90e79e86bcb75f5a62cc18fe50b
  SHA256: 8c663e9b0a9fbbb99455cc03bbea32238e3ed7867dec31ecf169bf89ebd52e6e
  SHA512: 64d07fe25fb17b58ac8274e05e1060d9881b88d1c4969c2e9ff193224064287fab4c969105311b782d6aa87bab5eb59720a3645b4387ad03ef7ec99a07ed5629

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 173cc00bc454f97dfe5836fc7a85fec7
  SHA1: 44e50ee37ff51a550c2be12f61018bd76e4b77d4
  SHA256: 8b2b2234fb085a38dd92cad6b9e1473b84947a0dfe33f3e47a9e0b886611eab7
  SHA512: d83603363a00e8d4f79486086a5ce5343e4e7735315f324f8bdb05a3063c31f6c8f44785076d4419e68cb79c7a6a1878cdf6c72944574835a131874ed68d769c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: 1d18f8dac16c3cc15bac22107c7d76be
  SHA1: 6cb6ea2291d29735a287b56c8caff3ee55f93002
  SHA256: e7cd66f0381bc830726cb5928759fdbfbda6a583afa0389d8c631285eadcaf8b
  SHA512: 4e00d1c837c86afaa45f71a93130ee24f12c6956aae79b8bebd23632c249fa0f65a9d06694ed54035d424f1f8cb92b982d270af5b7c86478be0d3ca36d24e872

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\c6f53fee-8099-4b80-8699-3e90582bf637
  Filesize: 12KB
  MD5: 22ba7188fb3b812aa01f0c4166a671cc
  SHA1: e1b2d40884f9ee048bf1ac4e8da4fdb44b7e1775
  SHA256: cc54ebfaf54f9cf4c6ac67c4ebfc87039e76b196b37b5d35624b7d3f0f19700b
  SHA512: 27ab13f8c0384d4f5d251e754803efa06fd0416af798ab1fad61d5ffd9e15848d8a62dfb2bab6c5fbde587cbc2ad103fb719317aab1fb8c09198edd407e4822d

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
  Filesize: 6KB
  MD5: 64835d24d580ba9acfc8597528b5042e
  SHA1: 1ffd11a17e6d8846be9706aac21a32697c4f1cf2
  SHA256: 2054fd9eae57ee7af6d87495843a49dbb31a34f472b9cdffef2f0bd6d98b200d
  SHA512: f7c2a718d93f4b6a15d438d72d96953fe45993c1e55686bc2e9aa95a9dafb76baf084da891e875f531b0100a8c35aae3d82673897aff1d09f30eae235b95c5ac

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4
  Filesize: 882B
  MD5: 78141ac98872fc6f2cdf6f006fcebf83
  SHA1: c1a5be472e6ecf529c1806c5eb729445efbe23b2
  SHA256: 65602e5f654814fc987a3980e132188beea8a985fd886f92b349dd93eafba7c3
  SHA512: 345f45ed3bea0e741d939bd9ec9e2f412ee6b9b62f9c29f2e437620686cd0be23d52608b42a95aac4f2ee33f3c62f8481f5dd6f0f10148a11f0e91aea60997a8

• C:\Users\Admin\Desktop\í◄■ř¬π╬ñÇåõ╧ń╚ñí¥ß▄Â8☺—♠◙♥¼õ4Æ▬ě╚9▐☻215♥╚◘☼ž™¢6²▬š♀☻○ńÿ♣↕ížœš£í☼ń╧♪♫■Âñ•▼åä╚▬ø•šń£Â♠¤∩♥åíß♀▲řφ√®▀☼¾Ÿ
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

• \??\pipe\LOCAL\crashpad_4124_OFXTAFGXSWYLCXWR
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/720-339-0x0000000004FF0000-0x0000000005000000-memory.dmp
  Filesize: 64KB

• memory/720-2-0x0000000005000000-0x0000000005092000-memory.dmp
  Filesize: 584KB

• memory/720-0-0x0000000000520000-0x000000000057C000-memory.dmp
  Filesize: 368KB

• memory/720-1-0x0000000074D20000-0x00000000754D1000-memory.dmp
  Filesize: 7.7MB

• memory/720-309-0x0000000005640000-0x000000000564A000-memory.dmp
  Filesize: 40KB

• memory/720-332-0x0000000074D20000-0x00000000754D1000-memory.dmp
  Filesize: 7.7MB

• memory/720-3-0x0000000005650000-0x0000000005BF6000-memory.dmp
  Filesize: 5.6MB

• memory/720-4-0x0000000004FF0000-0x0000000005000000-memory.dmp
  Filesize: 64KB
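Three checks are worth running over a list like this before acting on it. The four digests listed for the crashpad named pipe are the digests of zero-length input, so that entry carries no content and is not a file to hunt for; a path that appears twice with different hashes (both settings.dat and Preferences above) was rewritten during the run, and both versions are worth keeping; and a memory region's reported size should equal its end address minus its start address. The Python below, added here as an example and not part of the report or of the sandbox's tooling, does all three over a constructed excerpt of the entries above in which each field has been reduced to one key: value line (the choice of entries is an assumption for illustration).

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of the Downloads list above: same paths, sizes and
# digests, each field reduced to one "key: value" line; entries chosen for
# illustration (the full list is on the page).
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 19a8bcb40a17253313345edd2a0da1e7
  SHA256: b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 96899614360333c9904499393c6e3d75
  SHA256: 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4
  Filesize: 882B
  MD5: 78141ac98872fc6f2cdf6f006fcebf83
  SHA256: 65602e5f654814fc987a3980e132188beea8a985fd886f92b349dd93eafba7c3
• \??\pipe\LOCAL\crashpad_4124_OFXTAFGXSWYLCXWR
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
• memory/720-0-0x0000000000520000-0x000000000057C000-memory.dmp
  Filesize: 368KB
• memory/720-1-0x0000000074D20000-0x00000000754D1000-memory.dmp
  Filesize: 7.7MB
• memory/720-3-0x0000000005650000-0x0000000005BF6000-memory.dmp
  Filesize: 5.6MB
"""

ENTRY_RE = re.compile(r"^\s*•\s*(?P<path>.+?)\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>Filesize|MD5|SHA1|SHA256|SHA512):\s*(?P<val>\S+)\s*$")
MEMDUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                        r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>B|KB|MB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Digests of zero bytes; an artefact listed with exactly these has no content.
EMPTY_DIGESTS = {name: hashlib.new(name, b"").hexdigest()
                 for name in ("md5", "sha1", "sha256", "sha512")}


def parse_entries(text):
    """Return [{"path": ..., "fields": {"Filesize": ..., "MD5": ..., ...}}, ...]."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            entries.append({"path": m.group("path"), "fields": {}})
        elif (m := FIELD_RE.match(line)) and entries:
            entries[-1]["fields"][m.group("key")] = m.group("val")
    return entries


def is_empty_content(fields):
    """True when every digest present is the digest of the empty input."""
    digests = {k.lower(): v.lower() for k, v in fields.items() if k != "Filesize"}
    return bool(digests) and all(EMPTY_DIGESTS[k] == v for k, v in digests.items())


def size_matches(nbytes, reported):
    """Does the report's rounded size string ('7.7MB', '584KB', '152B') agree with nbytes?"""
    m = SIZE_RE.match(reported)
    if not m:
        return False
    num, unit = m.group("num"), m.group("unit")
    decimals = len(num.split(".")[1]) if "." in num else 0
    return abs(nbytes / UNITS[unit] - float(num)) <= 0.5 * 10 ** -decimals


def memory_region(path, fields):
    """Parse memory/PID-N-START-END-memory.dmp and check its size; None for ordinary files."""
    m = MEMDUMP_RE.match(path)
    if not m:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "start": start, "end": end, "bytes": end - start,
            "size_ok": size_matches(end - start, fields.get("Filesize", ""))}


def triage(text):
    """Empty-content artefacts, paths rewritten during the run, and checked memory regions."""
    empty, regions, versions = [], [], defaultdict(list)
    for e in parse_entries(text):
        path, fields = e["path"], e["fields"]
        if region := memory_region(path, fields):
            regions.append(region)
            continue
        versions[path].append(fields.get("SHA256"))
        if is_empty_content(fields):
            empty.append(path)
    rewritten = {p: v for p, v in versions.items() if len(set(v)) > 1}
    return {"empty": empty, "rewritten": rewritten, "regions": regions}


if __name__ == "__main__":
    result = triage(REPORT_EXCERPT)
    print("no content :", result["empty"])
    print("rewritten  :", list(result["rewritten"]))
    for r in result["regions"]:
        print(f"pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} "
              f"{r['bytes']} bytes size_ok={r['size_ok']}")
```

The size check tolerates the report's rounding (one decimal for MB, whole numbers for KB and B) rather than demanding an exact byte count, which is what lets 0x74D20000-0x754D1000 (8,065,024 bytes) pass as "7.7MB" while a mislabelled region would still be caught.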