Analysis
max time kernel: 96s
max time network: 15s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-03-2024 20:15
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win7-20240221-en
General
Target: Chernobyl.exe
Size: 341KB
MD5: 7f1c19a77fc0bbffb1e71d08a40cd972
SHA1: 7dbcfe131b362583dd8185ea7e5c2f577e40ac02
SHA256: f4a8b0e01d972c6150db282db7443f91a0bebf85edb5342df44502ed3cc4ce85
SHA512: 8df5ad36dd1dc15f8d533f2dce5a964a77b9072520dbb5e6c8674b16b310964b765c92824e994137f505c87c8f5761c70cc4914c25adb945363c6ed3d294cc59
SSDEEP: 6144:XYb7o0222222222222222222222222222222222222222222222222222222222x:BkZOZzv4TatsNqaJg
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" (Chernobyl.exe)
UAC bypass
Processes:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Disables RegEdit via registry modification 1 IoCs
Processes:
  Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Chernobyl.exe)
Disables Task Manager via registry modification
Possible privilege escalation attempt 14 IoCs
Processes (pid process):
  1484 takeown.exe, 1520 takeown.exe, 1548 icacls.exe, 1172 takeown.exe, 2848 takeown.exe, 1724 icacls.exe, 1380 takeown.exe, 2060 takeown.exe, 1856 takeown.exe, 2816 icacls.exe, 700 takeown.exe, 2744 takeown.exe, 1756 takeown.exe, 2736 takeown.exe
Modifies file permissions 1 TTPs 14 IoCs
Processes (pid process):
  1380 takeown.exe, 1172 takeown.exe, 2848 takeown.exe, 1548 icacls.exe, 1520 takeown.exe, 1856 takeown.exe, 700 takeown.exe, 1484 takeown.exe, 2736 takeown.exe, 2060 takeown.exe, 2816 icacls.exe, 1724 icacls.exe, 2744 takeown.exe, 1756 takeown.exe
Checks whether UAC is enabled
Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Chernobyl.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (Chernobyl.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" (Chernobyl.exe)
Drops file in System32 directory 1 IoCs
Processes:
  File opened for modification C:\Windows\SysWOW64\kill.ico (Chernobyl.exe)
Drops file in Windows directory 2 IoCs
Processes:
  File created C:\Windows\cluttscape.exe (Chernobyl.exe)
  File opened for modification C:\Windows\cluttscape.exe (Chernobyl.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
Processes:
  Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings (rundll32.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" (Chernobyl.exe)
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
  Token: SeDebugPrivilege (1688 Chernobyl.exe)
  Token: SeDebugPrivilege (1688 Chernobyl.exe)
  Token: SeTakeOwnershipPrivilege (1484 takeown.exe)
  Token: SeTakeOwnershipPrivilege (2744 takeown.exe)
  Token: SeTakeOwnershipPrivilege (1520 takeown.exe)
  Token: SeTakeOwnershipPrivilege (1756 takeown.exe)
  Token: SeTakeOwnershipPrivilege (2736 takeown.exe)
  Token: SeTakeOwnershipPrivilege (1380 takeown.exe)
  Token: SeTakeOwnershipPrivilege (2060 takeown.exe)
  Token: SeTakeOwnershipPrivilege (1856 takeown.exe)
  Token: SeTakeOwnershipPrivilege (1172 takeown.exe)
  Token: SeTakeOwnershipPrivilege (2848 takeown.exe)
  Token: SeTakeOwnershipPrivilege (700 takeown.exe)
  Token: SeShutdownPrivilege (1688 Chernobyl.exe)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid process):
  1688 Chernobyl.exe
  1688 Chernobyl.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (unique description, pid, process, target process; the report repeats each row several times):
  PID 1688 wrote to memory of 960 | 1688 | Chernobyl.exe | cmd.exe
  PID 1688 wrote to memory of 564 | 1688 | Chernobyl.exe | cmd.exe
  PID 1688 wrote to memory of 844 | 1688 | Chernobyl.exe | cmd.exe
  PID 1688 wrote to memory of 2868 | 1688 | Chernobyl.exe | cmd.exe
  PID 960 wrote to memory of 328 | 960 | cmd.exe | rundll32.exe
  PID 564 wrote to memory of 1752 | 564 | cmd.exe | rundll32.exe
  PID 1688 wrote to memory of 1748 | 1688 | Chernobyl.exe | cmd.exe
  PID 844 wrote to memory of 708 | 844 | cmd.exe | rundll32.exe
  PID 2868 wrote to memory of 584 | 2868 | cmd.exe | rundll32.exe
  PID 1688 wrote to memory of 900 | 1688 | Chernobyl.exe | cmd.exe
  PID 1688 wrote to memory of 1980 | 1688 | Chernobyl.exe | cmd.exe
  PID 1748 wrote to memory of 1732 | 1748 | cmd.exe | rundll32.exe
  PID 1688 wrote to memory of 1600 | 1688 | Chernobyl.exe | cmd.exe
System policy modification 1 TTPs 3 IoCs
Processes:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" (Chernobyl.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" (Chernobyl.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Chernobyl.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  PID: 1688
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 960
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 328

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 564
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 1752

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 844
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 708

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 2868
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 584

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1748
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 1732

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 900
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 1588

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1980
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2260

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1600
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2824

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 2224
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 3008

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1132
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2624

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 3012
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2680

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 2552
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2740
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
    PID: 1432
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\smss.exe
      PID: 1484
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
    PID: 2708
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\csrss.exe
      PID: 2744
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
    PID: 1624
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\wininit.exe
      PID: 1520
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\wininit.exe /grant "Admin:F"
      PID: 1548
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
    PID: 1396
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      PID: 1756
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
    PID: 2892
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\lsass.exe
      PID: 2736
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
    PID: 2148
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\services.exe
      PID: 1380
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
    PID: 1876
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\winlogon.exe
      PID: 2060
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
    PID: 2184
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\winload.efi
      PID: 1856
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
    PID: 2588
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\winload.exe
      PID: 1172
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
    PID: 2196
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\ntoskrnl.exe
      PID: 2848
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"
      PID: 2816
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
    PID: 1052
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\svchost.exe
      PID: 700
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
      PID: 1724
      - Possible privilege escalation attempt
      - Modifies file permissions
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2424

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\╠ï▐♂▀8╤εř╧•žï±♪♣█ל—•µ♪¢®¼╠ß±Â↑¤Ÿ↑☻╧▬ßï4╤▀æ6♥╬—▼Â▲æ▼•►57řžäó♦ÆěŸ²8¥σš¤♪☻2♫9í♫66ö½♠↕ř█▼■5π½♣▄╥²╚ß9▼9½
  PID: 1536
  - Modifies registry class
  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\╠ï▐♂▀8╤εř╧•žï±♪♣█ל—•µ♪¢®¼╠ß±Â↑¤Ÿ↑☻╧▬ßï4╤▀æ6♥╬—▼Â▲æ▼•►57řžäó♦ÆěŸ²8¥σš¤♪☻2♫9í♫66ö½♠↕ř█▼■5π½♣▄╥²╚ß9▼9½
    PID: 1640
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Winlogon Helper DLL (2)
Downloads
C:\Users\Admin\Desktop\å╩éš╠¢■8○╔↑œ▄ñφč■∞䟗¬3╧ó▼∞♫šΣ○ö╧↕φ×█♂¬ïÂ♫ńéä1µ☻╬ě♣♫²×√◙▌σ◙♣ß╠▲╚♣☻♦ñΣ•╠╤○☼▀π¶▼▬σ╚æÂ™¢♦ě¤í≈▄♂☼88éΣč▬•
  Filesize: 666B
  MD5: 9e1e5883c74742a497cf5c272ccd2321
  SHA1: 2cf33e34d08b8e17743a60352baffef4b6f02dee
  SHA256: ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
  SHA512: f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b