4afbfaef6181c64f4b061e5938ff45055e561091943e59229854251ec88f3bd8

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

signoutallcomputers.bat
Size

433B
MD5

d03d282458d6a0687ff09b17c51e97f0
SHA1

f04205a8706029b6a62e4d6e8d6340c4ab773602
SHA256

4afbfaef6181c64f4b061e5938ff45055e561091943e59229854251ec88f3bd8
SHA512

acf3ac42a627d47328e5d9d5bfbf6473d5f289e3a7eda587af674c6f37163dc74986e7b6356bef81262ac6663a1ab248a1a9b1dcc6e3b657e0b6f52100011fb5

Score

6^/10

discovery

Malware Config

Signatures

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4512	ARP.EXE

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "184"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4484	Notepad.exe
2292	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4520	shutdown.exe
Token: SeRemoteShutdownPrivilege	4520	shutdown.exe
Token: SeShutdownPrivilege	4192	shutdown.exe
Token: SeRemoteShutdownPrivilege	4192	shutdown.exe
Token: SeShutdownPrivilege	644	shutdown.exe
Token: SeRemoteShutdownPrivilege	644	shutdown.exe
Token: SeShutdownPrivilege	2316	shutdown.exe
Token: SeRemoteShutdownPrivilege	2316	shutdown.exe
Token: SeShutdownPrivilege	1328	shutdown.exe
Token: SeRemoteShutdownPrivilege	1328	shutdown.exe
Token: SeShutdownPrivilege	4468	shutdown.exe
Token: SeRemoteShutdownPrivilege	4468	shutdown.exe
Token: SeShutdownPrivilege	3264	shutdown.exe
Token: SeRemoteShutdownPrivilege	3264	shutdown.exe
Token: SeShutdownPrivilege	5072	shutdown.exe
Token: SeRemoteShutdownPrivilege	5072	shutdown.exe
Token: SeShutdownPrivilege	4260	shutdown.exe
Token: SeRemoteShutdownPrivilege	4260	shutdown.exe
Token: SeShutdownPrivilege	4428	shutdown.exe
Token: SeRemoteShutdownPrivilege	4428	shutdown.exe
Token: SeDebugPrivilege	2944	firefox.exe
Token: SeDebugPrivilege	2944	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2944	firefox.exe
6072	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4512	4060	cmd.exe	82
PID 4060 wrote to memory of 4512	4060	cmd.exe	82
PID 4060 wrote to memory of 4520	4060	cmd.exe	83
PID 4060 wrote to memory of 4520	4060	cmd.exe	83
PID 4060 wrote to memory of 4192	4060	cmd.exe	85
PID 4060 wrote to memory of 4192	4060	cmd.exe	85
PID 4060 wrote to memory of 644	4060	cmd.exe	86
PID 4060 wrote to memory of 644	4060	cmd.exe	86
PID 4060 wrote to memory of 2316	4060	cmd.exe	89
PID 4060 wrote to memory of 2316	4060	cmd.exe	89
PID 4060 wrote to memory of 1328	4060	cmd.exe	92
PID 4060 wrote to memory of 1328	4060	cmd.exe	92
PID 4060 wrote to memory of 4468	4060	cmd.exe	93
PID 4060 wrote to memory of 4468	4060	cmd.exe	93
PID 4060 wrote to memory of 3264	4060	cmd.exe	94
PID 4060 wrote to memory of 3264	4060	cmd.exe	94
PID 4060 wrote to memory of 5072	4060	cmd.exe	95
PID 4060 wrote to memory of 5072	4060	cmd.exe	95
PID 4060 wrote to memory of 4260	4060	cmd.exe	97
PID 4060 wrote to memory of 4260	4060	cmd.exe	97
PID 4060 wrote to memory of 4428	4060	cmd.exe	98
PID 4060 wrote to memory of 4428	4060	cmd.exe	98
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2544 wrote to memory of 2944	2544	firefox.exe	107
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108
PID 2944 wrote to memory of 4616	2944	firefox.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\signoutallcomputers.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\system32\ARP.EXE
  arp -a
  2⤵
  - Network Service Discovery
  PID:4512
- C:\Windows\system32\shutdown.exe
  shutdown /s /m 10.127.1.52 /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\system32\shutdown.exe
  shutdown /s /m Address /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\system32\shutdown.exe
  shutdown /s /m aa-6d-3e-4e-d2-21 /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\system32\shutdown.exe
  shutdown /s /m ff-ff-ff-ff-ff-ff /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\system32\shutdown.exe
  shutdown /s /m aa-6d-3e-4e-d2-21 /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\system32\shutdown.exe
  shutdown /s /m 01-00-5e-00-00-16 /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\system32\shutdown.exe
  shutdown /s /m 01-00-5e-00-00-fb /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Windows\system32\shutdown.exe
  shutdown /s /m 01-00-5e-00-00-fc /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\system32\shutdown.exe
  shutdown /s /m 01-00-5e-7f-ff-fa /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\system32\shutdown.exe
  shutdown /s /m ff-ff-ff-ff-ff-ff /t 60 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4428

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\PushResume.vbe
1⤵
- Opens file in notepad (likely ransom note)
PID:4484

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConvertSet.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:2292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea86b89-2c96-4e51-9560-4e64eb3e81da} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" gpu
    3⤵
    PID:4616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29df578c-7111-48a0-bb6c-474a101771d7} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" socket
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1572 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 3032 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a741a689-bc2f-4aa8-8424-1dd6289c6523} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:3164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 2 -isForBrowser -prefsHandle 3912 -prefMapHandle 3908 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3599c08a-f228-4f77-b5c5-63d38b39f248} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:2948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4776 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8cbcb06-d76b-4651-9025-6e519daaedc7} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" utility
    3⤵
    - Checks processor information in registry
    PID:3808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 3 -isForBrowser -prefsHandle 5268 -prefMapHandle 5240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {def241a9-67ae-4ac5-ad4e-458e498bddb9} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5432 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {077cb675-1afa-4b1c-9c17-f446b189e215} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:2056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5624 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a30daf40-540d-41fa-b920-332366086991} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5440 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e5dc704-7329-453d-b773-cbab83bc92d3} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -childID 7 -isForBrowser -prefsHandle 6220 -prefMapHandle 6224 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5ad1285-d67b-4929-a2d3-f26ea357a1df} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6552 -parentBuildID 20240401114208 -prefsHandle 6536 -prefMapHandle 6532 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19809efc-0856-42c7-a778-45e4b9398003} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" rdd
    3⤵
    PID:3504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6564 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6556 -prefMapHandle 6548 -prefsLen 29357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bcb631e-d825-4846-917d-adc38ecfa428} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" utility
    3⤵
    - Checks processor information in registry
    PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7024 -childID 8 -isForBrowser -prefsHandle 7016 -prefMapHandle 7012 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5032d519-ac2e-480c-9e18-bb73d496a1c5} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:2508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 9 -isForBrowser -prefsHandle 3520 -prefMapHandle 3672 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21f1f309-3db1-4143-961d-511088b22a81} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:1508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 10 -isForBrowser -prefsHandle 7200 -prefMapHandle 4052 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b0cab1d-c2aa-410b-b153-02ffc75a693f} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
    3⤵
    PID:1104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bf055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5utpapi8.default-release\cache2\entries\8DE1387980521DB91D909ED7329D8C17EF78172F

Filesize
144KB

MD5
d8c347a352ef55ab56ebee6aa0e6f666

SHA1
a956b1070afd5e8cd82eb6d5eecd6a6e1da1d0ee

SHA256
bdf61b118b36be8cf4810da6eb873315e6a8b60c4915b771d8580d347c4d20c1

SHA512
a30327ed970ba24a5740c6d02759ae7cc664ca754ee4aa9c2c8a0b070fb2a5243a59b709cbd137fa56ab86ae13af77a5a407bf76d8ce4656e1a548a161151c69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin

Filesize
10KB

MD5
654831a619e9997a6442d7b83280d2de

SHA1
5a062207f84b26bf78fae2a234f2199778385e74

SHA256
ae9ed803e5a08a61baf1dbfe31374cd219ab565e66829c2fc4034a6d85f1d50f

SHA512
94d3f3d2eab1dbc1876d23b8078d3fa9aef7360685ef2189b5915db8956954e4e8f9faf4b8fe4929b8e1dbb3814e3259ede2a8e43312a0f2345a2513e9c38ca2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
84f424057f956f1616b2ffc34e05593a

SHA1
18998abff57f17fdf7a6d7cfea91eee24255d7d3

SHA256
c67ad4ef5a949ad49aaa553cbad070c92616d6996261f2209beb39025bebba34

SHA512
1770a120a20a8d7974c6f80cb2aed600fda2088b378cb96d697c1bce9a36b87874b2cad9e5d01d51dab2ec81d06948940e72b67757f7fd2aebf53090f3637d6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1f9a33d16b7f60dcf6731da6eb7ed52d

SHA1
3476bc055ec66238f4a92eaf9ac3d458c8a074f7

SHA256
406b08ce43e3f710956daa7653a66d08a265478a14c6ed2de90e659d5dc0b328

SHA512
1f2868293a75f58bfa4d94d604aaa4ee54691b80558fe53d79c0916d5df048da5706384cebf92017ea7ab5de998a7bc57c36f4c585e44a1ebfc3097db85e68a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
54c737508fcf15f27e9ba285ed6e3f0b

SHA1
7066e36c721db91efd0518367e08226c17d704e8

SHA256
e58a17f58d354bba9c2a2c85060380bb8ef5607b0f1ba1b454b48b8def8d64a1

SHA512
0d483d0aaaa85fa43e28785ecd14d7110a3ef567b265bba2a8fc2c14047ececd52daffca2d417d9c047c09c30d0f707ad9bb960c81817fea06ee8af7ed6581f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\4f42b331-1b29-4abc-adf2-07e0e7e70051

Filesize
982B

MD5
0b3293f3e19911bdbd518bb432afd873

SHA1
1ea122bff8fb666500e97a899df0c06ab926490b

SHA256
87f49ec897e882a68668ce37e70768d7660d13aab18281c5df0127c5f566f254

SHA512
d0b045c770579ead4a77f4fdbef4fcf3509e274d62701af79603186934214b976db326a9929662d6cee94e6d68730137a35f52bcfb3c72d647d968849b5545ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\6cee47df-5297-462a-a0f9-ebee5f00fd87

Filesize
26KB

MD5
de1734f123374d3756b67cf357fe455c

SHA1
4c598d2499c724c1ebdd864e0c8c618a1b5673d2

SHA256
1ce7dfea43193e7c6f913099bdf29fb1d29b0a1d1ca3132b2229a9a948174264

SHA512
41d4d29786e642f543d2f50d104bb5a7d40b0801da690636fbd6529a1e7078d7a6b542df56f51bf34df48b054a89b4c4ab4927dc6424ae1539c907236bd7df22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\930a5521-9183-450f-b52c-525725ca51e7

Filesize
671B

MD5
db29266944d9c4a6908c58b563af87e7

SHA1
63703db759261318c6e0863a2e4b2afab6563096

SHA256
baba8810edb38408ac0c32d4859973052407e30b00e5293a237a91b27cdee487

SHA512
070055ddc64c089459b4fcb40cd65b99fc12abe12f585f6080f0b9d0fb87e2e4e2e747fb731d107a9d7c8c306b9cbeb84e41222aa341d73c8dc11db7520325b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

Filesize
11KB

MD5
d1f1ef25b2c0d9047f46f1e91c81d2cb

SHA1
ca378ef498cffba55730bb62c056c2830fc011fa

SHA256
1cdaad59db721df1410cac3b9692d7d0e387650912a120f7c5c6601b9f8b8ace

SHA512
3b01ae2d544a6e0b9c938c5583211f59e7c386d418b1a488384c032c3c0541138af16f2b069dd67ea96065c3d188f633267086d5c9771e6052d47f6db0a4e460

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

Filesize
11KB

MD5
c33fc9702ef6ddf29bdc182f6495d315

SHA1
15cc19c82010c6111fa7430a4b39c6618b556b55

SHA256
e20da46350722af2b450082e1f653c0a787364044ee648259815382111d88ffa

SHA512
a24c918072b00663e576c36dcfbc6be7f761ac554b938e035f38f0a846f3b0b7f681a8c2296e72cbec45a70467146e0ebaf467f86406a17e9eff9f6630a5ab3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\serviceworker-1.txt

Filesize
164B

MD5
2044553ee698e1788672d5f2e707ad27

SHA1
9c0e534781f9c65f211a22fda6fd11d485413867

SHA256
e2ad66971389a0ac1ed15feece8aa5f8dcc112551d3e489dc822292a7da59f59

SHA512
4a0dee0315dd45d7fd0df0f7e747ab59ff7ce5d380accb097f7cf46ef63212e817b6e93582c9f843178e88d1a0b97c1e7e762defbc663ac33861191cdbd2cdc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\serviceworker.txt

Filesize
149B

MD5
198833346241120ae22de2e68a2c84f5

SHA1
69a584cfd9f35a451647340a14da279d725148b9

SHA256
ce6d76d930b6bcae80b8fe35181eb8ab663ba32a15933de3b751cd39396df749

SHA512
c63174e298e5bd12c1394864dcc902e3614420238f6f3fc7ee7c50c338b0bb47940d73f783bd3d01864537498fcae1e6b702495502967678b350651573eafa86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\120\{f8bfc369-a2a2-49d9-8d36-3f9e507c5178}.final

Filesize
88KB

MD5
622f70428f4dd1ab855635de94d49e4d

SHA1
52f4dd05fd3d843e65071b9a96b7ad1f747c7934

SHA256
624693300f2071cff15ff094ff7e161a63b12f8c6dd4db427d22793174ea744b

SHA512
561872bc562930edcc04698e1acd80f0b69cf647e0f5ad076f854c23fe0bdc1f5f9c51ec2b16970dd970e0f7bfe06d0a9c628f66b42adc81e49ac4acbdbc9b16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\126\{443e2bb7-a7e3-4f12-abbe-2eb80bbaba7e}.final

Filesize
62KB

MD5
29f214884f5d76bbf057df814c512073

SHA1
73746e2048eb94efe0810638a817dafc56aebb46

SHA256
3a1020f99b51eef7cde51f60027267e9fbc85fe45a0bc004577de552e30e76e4

SHA512
40b568ad6517f1d6aa2b409f5f3cb41a3a288f18a330aa93a82b67fbf18b8d6bf45eb75829db964c8f6f673640e534db93f41983c330e9c422bcb0a9d63ec21e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\135\{0e2866af-bada-49b4-bd45-8655233a4587}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\220\{c3d23ebc-3dd9-40d4-8b32-6f7db2c184dc}.final

Filesize
57KB

MD5
f3d449b1a1fc11eee2c977c83382c84f

SHA1
cfb73ba0c775c1fb553e85ba868ea8d0701cb1f5

SHA256
e033b5d95fbc8887c11b8ab984e51cce02ddcf1c8b71d8347decd847b04bf089

SHA512
54204f73bda52b2b120b9f59b1dbce0d16052e72a7b1d16c0691ae7f1a9b754e310ecc82f6a1b95d399127df3cf276ab7bda317893ca5d9ba8bb6018071af4ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\228\{a580b522-8cc6-44fc-abbb-8f8d77aec2e4}.final

Filesize
4KB

MD5
57dc4bc23fa76808fb313394c2ef7244

SHA1
cb65af6aa8f49ac917b60bce675aade0f4fc9b15

SHA256
0c5067b3a531309bfe11d7c191410ed5c39335f45553904c8c196fed162564c8

SHA512
da83c1946fbc7bb2ee67c72f177751b8eff2f9f197391d4be233b7d4963852b01f11e9643eba28fa080e80422389a5d62033d54abbe4e543af8726f7752cf6d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\2\{e1b9db93-4c11-4c2a-82e3-5ecf2b8a2102}.final

Filesize
148KB

MD5
f8f94e201582b9d925529e7a61cfca8a

SHA1
408804acaa3eb41f666a9c3f52fd3f7f6cf76a06

SHA256
932bca702d81c04da3af1bab79a5ab7bdc1baf0575bcb06a83044c5c432de03f

SHA512
79465dfd6282756db612e5a602b83eefbda1223f41c641e7eb86f9b63baae36fde52abaf0c9a9a8210b82a35e5ae03a58faabcb3a95ef21b4998649de5f2c14a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\cache\morgue\44\{787910e2-1589-418f-a659-1de12272002c}.final

Filesize
3KB

MD5
283648446405e95e1a0f3e4e24de484a

SHA1
45d5e60c4de5e85a012b4aa4831897fdaeab6259

SHA256
9c9dc19f2024f77bf915fbe966073c880a2d34fde449bed2d94247e1dc795358

SHA512
f22536b6565bedaa3496703d490c44de140ff227101077691ecaa72401ef2e8529af0f392a2aa439941926024c606939d20eaa1d4338c02a3d3c4456153fa2b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\idb\1779866410yCt7-%iCt7-%r5e0sdp6o.sqlite

Filesize
48KB

MD5
4ac0252eb3b23057a817896c5ab1c26e

SHA1
9734febf5434e0fafd8b6f0fd759f6cf8918e6a9

SHA256
d89253d1ac69958f7df8d77557afd3f06e5de5b4415eb7604f5b94fc3e35850a

SHA512
3a87dbef4d96ffd1ecb70f382a022b97a09d0448554ac684c3074395bb766edf1f3207070c806c32df1cea91b7bc738c3ead2a17a8af766a7a64b05ab8b60dd7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

Filesize
40KB

MD5
8f876df82a2670114ba7880859f8cc06

SHA1
db8cf4318c30330d11387d29241b1db0177970a4

SHA256
9fa8af082602c877a6f5832161f5dfa516bc33d387f1dee03f36c2ad70db8e12

SHA512
4fa479431fb53a08b19d3fea73770ce7d93bb6adb34d57cadd49196d496f7ec79431091b4bac057bb081332d139adf6d614aafcfa2f4f140c0e6535c403ed0cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
4f47876d0c35571516c0b1d97cde515e

SHA1
831db441fa9a0bff60b3c832d766927de52b8bb7

SHA256
3ac7582b38733b1c9ce0993aa7b56bf31c6d54ee8610b7f9d1aa433952837bf3

SHA512
a88171d02cd4b154bee1366d100a72c1de04b2a791ef4e174c5858993f6e59f2389818250ccfeaf33fbcd0318737e82dae16e4423abc0de76383024c0fda2724

Download Submit