Analysis
- max time kernel: 47s
- max time network: 70s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02-03-2024 22:01
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Chernobyl.exe
  - Resource: win11-20240221-en
General
- Target: Chernobyl.exe
- Size: 343KB
- MD5: d576e0520faa40435d5bdc66304205f9
- SHA1: b99fce6ebd094e2cbc29e1ed4e47360781e86c47
- SHA256: 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
- SHA512: 6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
- SSDEEP: 6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | Chernobyl.exe
- UAC bypass
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
- Disables RegEdit via registry modification (1 IoC)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Chernobyl.exe
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (18 IoCs)
  Processes (pid process):
  takeown.exe: 5372, 6136, 5480, 4220, 5496, 1576, 4108, 6036, 6056, 5320, 5404, 5424, 6008, 5468
  icacls.exe: 4584, 5516, 5508, 5520
- Modifies file permissions (1 TTP, 18 IoCs)
  Processes (pid process):
  takeown.exe: 6056, 4220, 5424, 5496, 6008, 6036, 6136, 5372, 1576, 4108, 5468, 5480, 5320, 5404
  icacls.exe: 5516, 4584, 5520, 5508
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | Chernobyl.exe
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\kill.ico | Chernobyl.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\cluttscape.exe | Chernobyl.exe
  File opened for modification | C:\Windows\cluttscape.exe | Chernobyl.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" | Chernobyl.exe
  Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings | firefox.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid process):
  4580 msedge.exe (2 entries), 4124 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes (pid process):
  4124 msedge.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 720 | Chernobyl.exe (2 entries)
  Token: SeDebugPrivilege | 3588 | firefox.exe (2 entries)
  Token: SeTakeOwnershipPrivilege | 6008, 6036, 6056, 6136, 1576, 5404, 5320, 5372, 4220, 4108, 5424, 5468, 5480, 5496 | takeown.exe (one entry per PID)
  Token: SeShutdownPrivilege | 720 | Chernobyl.exe
- Suspicious use of FindShellTrayWindow (30 IoCs)
  Processes (pid process):
  4124 msedge.exe (26 entries), 3588 firefox.exe (4 entries)
- Suspicious use of SendNotifyMessage (15 IoCs)
  Processes (pid process):
  4124 msedge.exe (12 entries), 3588 firefox.exe (3 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid process):
  3588 firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process); each pair below was recorded three times unless noted:
  PID 720 (Chernobyl.exe) wrote to memory of cmd.exe PIDs 2804, 1128, 4324, 1492, 3032, 3308, 4920, 652, 2580, 1472, 8 and 1420 (3 entries each, 36 in total)
  cmd.exe wrote to memory of rundll32.exe (cmd.exe PID -> rundll32.exe PID): 2804 -> 1724, 1128 -> 1092, 1492 -> 3036, 3032 -> 1280, 4324 -> 2344, 3308 -> 2916, 4920 -> 2684, 652 -> 2636, 1472 -> 4172 (3 entries each, 27 in total); 8 -> 3932 (1 entry)
- System policy modification (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | Chernobyl.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe (PID 720, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  Signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Checks whether UAC is enabled; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - Twelve C:\Windows\SysWOW64\cmd.exe children (level 2), all started with the command line
    "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    Each spawns one C:\Windows\SysWOW64\rundll32.exe child (level 3) with the command line
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    cmd.exe PID -> rundll32.exe PID (the cmd.exe instance carries the signature "Suspicious use of WriteProcessMemory" unless noted):
    - 2804 -> 1724
    - 1128 -> 1092
    - 4324 -> 2344
    - 1492 -> 3036
    - 3032 -> 1280
    - 3308 -> 2916
    - 4920 -> 2684
    - 652 -> 2636
    - 2580 -> 4508 (no signatures recorded on cmd.exe)
    - 1472 -> 4172
    - 8 -> 3932
    - 1420 -> 3428 (no signatures recorded on cmd.exe)
  - Fourteen C:\Windows\SysWOW64\cmd.exe children (level 2), one per target file (written TARGET below), started with the command line
    "C:\Windows\System32\cmd.exe" /k takeown /f TARGET && icacls TARGET /grant "%username%:F" && exit
    No signatures are recorded on these cmd.exe instances. Each spawns a C:\Windows\SysWOW64\takeown.exe child (level 3; command line: takeown /f TARGET; signatures: Possible privilege escalation attempt, Modifies file permissions, Suspicious use of AdjustPrivilegeToken). For the last four targets a C:\Windows\SysWOW64\icacls.exe child is also recorded (level 3; command line: icacls TARGET /grant "Admin:F"; signatures: Possible privilege escalation attempt, Modifies file permissions). "-" means no icacls.exe child was recorded.
    TARGET | cmd.exe PID | takeown.exe PID | icacls.exe PID
    C:\Windows\System32\smss.exe | 5688 | 6008 | -
    C:\Windows\System32\csrss.exe | 5708 | 6036 | -
    C:\Windows\System32\wininit.exe | 5752 | 6056 | -
    C:\Windows\System32\LogonUI.exe | 5800 | 6136 | -
    C:\Windows\System32\lsass.exe | 5828 | 5320 | -
    C:\Windows\System32\services.exe | 5868 | 1576 | -
    C:\Windows\System32\winlogon.exe | 5900 | 5372 | -
    C:\Windows\System32\winload.efi | 5948 | 5404 | -
    C:\Windows\System32\winload.exe | 6028 | 4108 | -
    C:\Windows\System32\ntoskrnl.exe | 6092 | 4220 | -
    C:\Windows\System32\svchost.exe | 5324 | 5424 | 5508
    C:\Windows\System32\drivers\afunix.sys | 5360 | 5468 | 5516
    C:\Windows\System32\drivers\gm.dls | 2072 | 5480 | 5520
    C:\Windows\System32\drivers\gmreadme.txt | 4500 | 5496 | 4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124, level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - msedge.exe (PID 4444, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffc6aa43cb8,0x7ffc6aa43cc8,0x7ffc6aa43cd8
  - msedge.exe (PID 4792, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  - msedge.exe (PID 4580, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 2296, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  - msedge.exe (PID 1772, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - msedge.exe (PID 2256, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - msedge.exe (PID 2392, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  - msedge.exe (PID 1832, level 2), same image path
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1804, level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2496, level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4624, level 1)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - firefox.exe (PID 3588, level 2), same image path
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
    - firefox.exe (PID 2488, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.0.1499258282\342343607" -parentBuildID 20221007134813 -prefsHandle 1764 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdaa99d8-b541-4981-b8b8-244d78a3a8d4} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 1856 2aa2e1f9e58 gpu
    - firefox.exe (PID 2116, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.1.934596635\1160752142" -parentBuildID 20221007134813 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e68214-0a69-4ac5-acc7-c4571bde9efa} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 2232 2aa22071958 socket
      Signatures: Checks processor information in registry
    - firefox.exe (PID 4244, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.2.1563585800\649669080" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3048 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8215651f-3067-40c8-aca8-0fbae7f017df} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3132 2aa336a3658 tab
    - firefox.exe (PID 4220, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.3.336752411\1474535523" -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 2896 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffcd645d-d736-4cba-9ad8-9a2d379c7aa1} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3744 2aa2206ae58 tab
    - firefox.exe (PID 1176, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.4.642955501\1686523303" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89727082-bbb0-407e-8ffa-c96ed425a865} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 4136 2aa30cdca58 tab
    - firefox.exe (PID 2360, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.5.1716515432\1852182303" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 4660 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cb8fec1-312f-46a2-9767-6cc6df219a1b} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5072 2aa2202de58 tab
    - firefox.exe (PID 4360, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.6.2030889354\1832722704" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff4d2c9-cd05-4259-9319-7d82592ac7a2} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5208 2aa35899458 tab
    - firefox.exe (PID 2580, level 3), same image path
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.7.499854864\808228470" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6daa9349-af7f-4aef-aa1a-cccc69fff319} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5400 2aa35899758 tab
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (2): Winlogon Helper DLL (2)
Downloads
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin (2KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\c6f53fee-8099-4b80-8699-3e90582bf637 (12KB)
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4 (882B)
- C:\Users\Admin\Desktop\[filename garbled in extraction] (666B)
- Seven further files listed only by size and hash (152B, 152B, 5KB, 5KB, 11KB, 264KB, 6KB) and one entry whose hashes are those of empty input.