Analysis Overview
SHA256
2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
Threat Level: Known bad
The file Chernobyl.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Possible privilege escalation attempt
Modifies file permissions
Checks whether UAC is enabled
Modifies WinLogon
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 22:01
Reported
2024-03-02 22:31
Platform
win11-20240221-en
Max time kernel
47s
Max time network
70s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\kill.ico | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| File opened for modification | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffc6aa43cb8,0x7ffc6aa43cc8,0x7ffc6aa43cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.0.1499258282\342343607" -parentBuildID 20221007134813 -prefsHandle 1764 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdaa99d8-b541-4981-b8b8-244d78a3a8d4} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 1856 2aa2e1f9e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.1.934596635\1160752142" -parentBuildID 20221007134813 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e68214-0a69-4ac5-acc7-c4571bde9efa} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 2232 2aa22071958 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.2.1563585800\649669080" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3048 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8215651f-3067-40c8-aca8-0fbae7f017df} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3132 2aa336a3658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.3.336752411\1474535523" -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 2896 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffcd645d-d736-4cba-9ad8-9a2d379c7aa1} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3744 2aa2206ae58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.4.642955501\1686523303" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89727082-bbb0-407e-8ffa-c96ed425a865} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 4136 2aa30cdca58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.5.1716515432\1852182303" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 4660 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cb8fec1-312f-46a2-9767-6cc6df219a1b} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5072 2aa2202de58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.6.2030889354\1832722704" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff4d2c9-cd05-4259-9319-7d82592ac7a2} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5208 2aa35899458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.7.499854864\808228470" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6daa9349-af7f-4aef-aa1a-cccc69fff319} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5400 2aa35899758 tab
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\smss.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\csrss.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\wininit.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\lsass.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\services.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winlogon.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winload.efi
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winload.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\ntoskrnl.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\svchost.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers\afunix.sys
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers\gm.dls
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers\gmreadme.txt
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 2.18.66.88:443 | tcp | |
| US | 52.168.117.171:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.171:443 | r.bing.com | tcp |
| GB | 92.123.128.171:443 | r.bing.com | tcp |
| GB | 92.123.128.171:443 | r.bing.com | tcp |
| GB | 92.123.128.171:443 | r.bing.com | tcp |
| GB | 92.123.128.171:443 | r.bing.com | tcp |
| GB | 92.123.128.171:443 | r.bing.com | tcp |
| N/A | 127.0.0.1:50182 | tcp | |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 44.237.149.213:443 | shavar.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | push.services.mozilla.com | tcp |
| N/A | 127.0.0.1:50189 | tcp |
Files
memory/720-1-0x0000000074D20000-0x00000000754D1000-memory.dmp
memory/720-0-0x0000000000520000-0x000000000057C000-memory.dmp
memory/720-2-0x0000000005000000-0x0000000005092000-memory.dmp
memory/720-3-0x0000000005650000-0x0000000005BF6000-memory.dmp
memory/720-4-0x0000000004FF0000-0x0000000005000000-memory.dmp
C:\Users\Admin\Desktop\í◄■ř¬π╬ñÇåõ╧ń╚ñí¥ß▄Â8☺—♠◙♥¼õ4Æ▬ě╚9▐☻215♥╚◘☼ž™¢6²▬š♀☻○ńÿ♣↕ížœš£í☼ń╧♪♫■Âñ•▼åä╚▬ø•šń£Â♠¤∩♥åíß♀▲řφ√®▀☼¾Ÿ
| MD5 | 9e1e5883c74742a497cf5c272ccd2321 |
| SHA1 | 2cf33e34d08b8e17743a60352baffef4b6f02dee |
| SHA256 | ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a |
| SHA512 | f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b |
memory/720-309-0x0000000005640000-0x000000000564A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 19a8bcb40a17253313345edd2a0da1e7 |
| SHA1 | 86fac74b5bbc59e910248caebd1176a48a46d72e |
| SHA256 | b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e |
| SHA512 | 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0 |
\??\pipe\LOCAL\crashpad_4124_OFXTAFGXSWYLCXWR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 96899614360333c9904499393c6e3d75 |
| SHA1 | bbfa17cf8df01c266323965735f00f0e9e04cd34 |
| SHA256 | 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c |
| SHA512 | 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 22629b5b3136d4435c3c36d37814aaaa |
| SHA1 | 503b96c2615d7c680f9b8c7845ad16c2fdf9a3f5 |
| SHA256 | 1e03ce9661291ad0870a790eb795ec4ef7fb324890be4e4b786401357d904356 |
| SHA512 | 046a0e56552f00c2cc1c5ac722446e7bceab1a1f1b8e59af9e6fab781ffc3669b696ea1eda08c61d9fa3db7d1cbd54afe05e0a489cf2d510e8baba4567791924 |
memory/720-332-0x0000000074D20000-0x00000000754D1000-memory.dmp
memory/720-339-0x0000000004FF0000-0x0000000005000000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 173cc00bc454f97dfe5836fc7a85fec7 |
| SHA1 | 44e50ee37ff51a550c2be12f61018bd76e4b77d4 |
| SHA256 | 8b2b2234fb085a38dd92cad6b9e1473b84947a0dfe33f3e47a9e0b886611eab7 |
| SHA512 | d83603363a00e8d4f79486086a5ce5343e4e7735315f324f8bdb05a3063c31f6c8f44785076d4419e68cb79c7a6a1878cdf6c72944574835a131874ed68d769c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c9f9ef42efbe37d6dda484149f82efaa |
| SHA1 | eb20a0a3a96cd90e79e86bcb75f5a62cc18fe50b |
| SHA256 | 8c663e9b0a9fbbb99455cc03bbea32238e3ed7867dec31ecf169bf89ebd52e6e |
| SHA512 | 64d07fe25fb17b58ac8274e05e1060d9881b88d1c4969c2e9ff193224064287fab4c969105311b782d6aa87bab5eb59720a3645b4387ad03ef7ec99a07ed5629 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\c6f53fee-8099-4b80-8699-3e90582bf637
| MD5 | 22ba7188fb3b812aa01f0c4166a671cc |
| SHA1 | e1b2d40884f9ee048bf1ac4e8da4fdb44b7e1775 |
| SHA256 | cc54ebfaf54f9cf4c6ac67c4ebfc87039e76b196b37b5d35624b7d3f0f19700b |
| SHA512 | 27ab13f8c0384d4f5d251e754803efa06fd0416af798ab1fad61d5ffd9e15848d8a62dfb2bab6c5fbde587cbc2ad103fb719317aab1fb8c09198edd407e4822d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 1d18f8dac16c3cc15bac22107c7d76be |
| SHA1 | 6cb6ea2291d29735a287b56c8caff3ee55f93002 |
| SHA256 | e7cd66f0381bc830726cb5928759fdbfbda6a583afa0389d8c631285eadcaf8b |
| SHA512 | 4e00d1c837c86afaa45f71a93130ee24f12c6956aae79b8bebd23632c249fa0f65a9d06694ed54035d424f1f8cb92b982d270af5b7c86478be0d3ca36d24e872 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4
| MD5 | 78141ac98872fc6f2cdf6f006fcebf83 |
| SHA1 | c1a5be472e6ecf529c1806c5eb729445efbe23b2 |
| SHA256 | 65602e5f654814fc987a3980e132188beea8a985fd886f92b349dd93eafba7c3 |
| SHA512 | 345f45ed3bea0e741d939bd9ec9e2f412ee6b9b62f9c29f2e437620686cd0be23d52608b42a95aac4f2ee33f3c62f8481f5dd6f0f10148a11f0e91aea60997a8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js
| MD5 | 64835d24d580ba9acfc8597528b5042e |
| SHA1 | 1ffd11a17e6d8846be9706aac21a32697c4f1cf2 |
| SHA256 | 2054fd9eae57ee7af6d87495843a49dbb31a34f472b9cdffef2f0bd6d98b200d |
| SHA512 | f7c2a718d93f4b6a15d438d72d96953fe45993c1e55686bc2e9aa95a9dafb76baf084da891e875f531b0100a8c35aae3d82673897aff1d09f30eae235b95c5ac |