Analysis Overview
SHA256
443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b
Threat Level: Likely malicious
The file Injector.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks computer location settings
Executes dropped EXE
Themida packer
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 09:58
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 09:58
Reported
2024-04-09 10:00
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
Network
Files
memory/2320-0-0x000000013FBC0000-0x0000000140520000-memory.dmp
memory/2320-1-0x0000000076EA0000-0x0000000077049000-memory.dmp
memory/2320-2-0x000000013FBC0000-0x0000000140520000-memory.dmp
memory/2320-3-0x000000013FBC0000-0x0000000140520000-memory.dmp
memory/2320-4-0x000000013FBC0000-0x0000000140520000-memory.dmp
memory/2320-5-0x000000013FBC0000-0x0000000140520000-memory.dmp
memory/2320-7-0x0000000076EA0000-0x0000000077049000-memory.dmp
memory/2320-6-0x000000013FBC0000-0x0000000140520000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 09:58
Reported
2024-04-09 10:09
Platform
win10v2004-20240226-en
Max time kernel
634s
Max time network
641s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Injector.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Injector.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Injector.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Injector.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Injector.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\NodeSlot = "5" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.0.167815462\1991774159" -parentBuildID 20221007134813 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a99cf1b-1878-48f5-bb2d-4c21c9c26b9e} 624 "\\.\pipe\gecko-crash-server-pipe.624" 1872 158e2ee0258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.1.849891867\405729713" -parentBuildID 20221007134813 -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb9caaf-99c5-4925-81d4-61aefbbb5ae8} 624 "\\.\pipe\gecko-crash-server-pipe.624" 2276 158d6671f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.2.1243443909\64807506" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 2976 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f48185-b282-4116-9787-62abdc41b51c} 624 "\\.\pipe\gecko-crash-server-pipe.624" 3084 158e68ef558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.3.194470629\1148855837" -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4d78509-95a3-40e5-90bb-14593ee834cc} 624 "\\.\pipe\gecko-crash-server-pipe.624" 3412 158e7528558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.4.1608759962\1054550803" -childID 3 -isForBrowser -prefsHandle 4520 -prefMapHandle 4516 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6901d1c7-b433-4602-8b81-81feb96b9c05} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4532 158e8accb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.5.1409665562\202820166" -childID 4 -isForBrowser -prefsHandle 4744 -prefMapHandle 4676 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daee40a5-dd95-4ac0-91ba-20abf8c89f16} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4816 158e8ac9e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.6.14223451\1176080343" -childID 5 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af891519-8e96-4113-ab9d-8e2242eca7bd} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4984 158e8c76058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.7.169732387\1248870433" -childID 6 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed7485e-6b7d-4b5f-9b81-200be449b710} 624 "\\.\pipe\gecko-crash-server-pipe.624" 5140 158e8c76658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.8.1506665580\1813853812" -childID 7 -isForBrowser -prefsHandle 2920 -prefMapHandle 4336 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f8444f-f457-4c73-94fe-00b4d0904025} 624 "\\.\pipe\gecko-crash-server-pipe.624" 3268 158e942b258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.9.221789699\878284964" -childID 8 -isForBrowser -prefsHandle 4712 -prefMapHandle 5800 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9315abee-be44-472e-938a-5a488f3b3975} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4572 158e8cfbc58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.10.2111526371\1192256949" -childID 9 -isForBrowser -prefsHandle 5748 -prefMapHandle 5872 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30c22871-fff1-46a4-82d3-4c216f6360ac} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4664 158d6630858 tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.11.1313808003\803524843" -childID 10 -isForBrowser -prefsHandle 5228 -prefMapHandle 5244 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191f10ad-58c2-4094-86e8-b5cd21e5dd4b} 624 "\\.\pipe\gecko-crash-server-pipe.624" 5296 158eaa0d658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.12.1439329605\522480442" -childID 11 -isForBrowser -prefsHandle 4968 -prefMapHandle 6036 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37a6bca5-9786-4fd4-9f85-b84430faa8d2} 624 "\\.\pipe\gecko-crash-server-pipe.624" 5340 158e69f8858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.13.2072064807\1476172454" -childID 12 -isForBrowser -prefsHandle 4024 -prefMapHandle 3036 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb484a5b-1f6a-4b19-b4c0-ffe47ce58cf7} 624 "\\.\pipe\gecko-crash-server-pipe.624" 1312 158ea277058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.14.1237581439\727730393" -childID 13 -isForBrowser -prefsHandle 10480 -prefMapHandle 10484 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9119c4ad-91fb-402d-b876-8dc26c710b06} 624 "\\.\pipe\gecko-crash-server-pipe.624" 10472 158ed6f1c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.15.909450486\2072153342" -childID 14 -isForBrowser -prefsHandle 10480 -prefMapHandle 10308 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8caa181-7d26-43ce-8d4c-476e636a6396} 624 "\\.\pipe\gecko-crash-server-pipe.624" 10336 158ed80f158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.16.715778899\62966196" -childID 15 -isForBrowser -prefsHandle 10112 -prefMapHandle 9452 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d4380e2-0b10-4551-a1a8-927b3969c854} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9808 158edfd1f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.17.1751111371\980886016" -childID 16 -isForBrowser -prefsHandle 10084 -prefMapHandle 10088 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbdd559b-099c-41ab-8d42-ba43558769d9} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9808 158ee274258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.18.1013252378\965624025" -childID 17 -isForBrowser -prefsHandle 9116 -prefMapHandle 9112 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce2b22a-e4b4-48f5-8339-1c6f128ccf25} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9124 158ee343258 tab
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\bin.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Scylla_v0.9.8.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.19.1052427357\241810641" -childID 18 -isForBrowser -prefsHandle 10104 -prefMapHandle 9500 -prefsLen 27530 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a88fe07-8d4f-40a4-9ea8-15abca9e2f11} 624 "\\.\pipe\gecko-crash-server-pipe.624" 10160 158ee272a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.20.1815674910\1208686605" -childID 19 -isForBrowser -prefsHandle 9296 -prefMapHandle 9864 -prefsLen 27530 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98aa2610-b6d7-4334-adc1-12ff2b007c00} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9332 158ee353558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.21.191111201\139377098" -childID 20 -isForBrowser -prefsHandle 8944 -prefMapHandle 9236 -prefsLen 27530 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60426708-cff6-42f6-85af-01fd4c0f4375} 624 "\\.\pipe\gecko-crash-server-pipe.624" 8964 158eab3cc58 tab
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe
"C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe" C:\Users\Admin\Desktop\Injector.exe
C:\Users\Admin\Desktop\Injector.exe
"C:\Users\Admin\Desktop\Injector.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe
THEMIDA_UNPACK_x64.exe C:\Users\Admin\Desktop\Injector.exe
C:\Users\Admin\Desktop\Injector.exe
"C:\Users\Admin\Desktop\Injector.exe"
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe
THEMIDA_UNPACK_x86.exe C:\Users\Admin\Desktop\Injector.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\Desktop\Injector.exe
"C:\Users\Admin\Desktop\Injector.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\Desktop\Injector.exe
injector.exe 408
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49823 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 44.239.14.124:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 124.14.239.44.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:49829 | N/A | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 216.58.201.99:443 | id.google.com | tcp |
| US | 8.8.8.8:53 | id.google.com | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| GB | 216.58.201.99:443 | id.google.com | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | 21.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| GB | 216.58.201.99:443 | id.google.com | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.169.86:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.169.86:443 | i.ytimg.com | tcp |
| GB | 172.217.169.86:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | 86.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | plus.l.google.com | udp |
| GB | 216.58.201.110:443 | plus.l.google.com | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| GB | 142.250.200.14:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r5---sn-aigzrn7d.gvt1.com | udp |
| US | 8.8.8.8:53 | r5.sn-aigzrn7d.gvt1.com | udp |
| GB | 173.194.138.202:443 | r5.sn-aigzrn7d.gvt1.com | tcp |
| US | 8.8.8.8:53 | r5.sn-aigzrn7d.gvt1.com | udp |
| GB | 173.194.138.202:443 | r5.sn-aigzrn7d.gvt1.com | udp |
| US | 8.8.8.8:53 | 202.138.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 18.209.251.152:80 | rb.gy | tcp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 8.8.8.8:53 | rb.gy | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.213.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 152.251.209.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| DE | 18.66.248.73:443 | free-url-shortener.rb.gy | tcp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| US | 8.8.8.8:53 | 73.248.66.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | use.typekit.net | udp |
| GB | 104.91.71.78:443 | use.typekit.net | tcp |
| GB | 104.91.71.78:443 | use.typekit.net | tcp |
| US | 8.8.8.8:53 | a1988.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | a1988.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | p.typekit.net | udp |
| US | 8.8.8.8:53 | 78.71.91.104.in-addr.arpa | udp |
| GB | 104.91.71.97:443 | p.typekit.net | tcp |
| GB | 104.91.71.97:443 | p.typekit.net | tcp |
| US | 8.8.8.8:53 | a1874.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | a1874.dscg1.akamai.net | udp |
| US | 8.8.8.8:53 | 97.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snap.licdn.com | udp |
| US | 8.8.8.8:53 | a1916.dscg2.akamai.net | udp |
| US | 8.8.8.8:53 | a1916.dscg2.akamai.net | udp |
| US | 2.17.251.40:443 | a1916.dscg2.akamai.net | tcp |
| US | 2.17.251.40:443 | a1916.dscg2.akamai.net | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | scontent.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 40.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | px.ads.linkedin.com | udp |
| US | 8.8.8.8:53 | dashboard-cdn.rebrandly.com | udp |
| US | 8.8.8.8:53 | l-0005.l-msedge.net | udp |
| US | 8.8.8.8:53 | dashboard-cdn.rebrandly.com | udp |
| US | 8.8.8.8:53 | l-0005.l-msedge.net | udp |
| US | 8.8.8.8:53 | dashboard-cdn.rebrandly.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| DE | 18.154.63.36:443 | dashboard-cdn.rebrandly.com | tcp |
| DE | 18.154.63.36:443 | dashboard-cdn.rebrandly.com | tcp |
| DE | 18.154.63.36:443 | dashboard-cdn.rebrandly.com | tcp |
| DE | 18.154.63.36:443 | dashboard-cdn.rebrandly.com | tcp |
| US | 13.107.42.14:443 | l-0005.l-msedge.net | tcp |
| GB | 163.70.151.21:443 | scontent.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | free-url-shortener.rb.gy | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 2.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.63.154.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 74.125.71.154:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 74.125.71.154:443 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 154.71.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | star-mini.c10r.facebook.com | udp |
| GB | 163.70.151.35:443 | star-mini.c10r.facebook.com | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 18.209.251.152:443 | rb.gy | tcp |
| US | 8.8.8.8:53 | rb.gy | udp |
| US | 8.8.8.8:53 | dosya.co | udp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| US | 8.8.8.8:53 | dosya.co | udp |
| US | 8.8.8.8:53 | dosya.co | udp |
| US | 8.8.8.8:53 | 49.111.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | www3.l.google.com | udp |
| GB | 172.217.16.238:443 | www3.l.google.com | tcp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | udp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | udp |
| GB | 172.217.16.238:443 | www3.l.google.com | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.187.250.142.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | www3.l.google.com | udp |
| GB | 172.217.16.238:443 | www3.l.google.com | tcp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| GB | 142.250.178.14:443 | analytics.google.com | tcp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| US | 8.8.8.8:53 | analytics.google.com | udp |
| GB | 142.250.178.14:443 | analytics.google.com | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | udp |
| BE | 74.125.71.154:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.200.250.142.in-addr.arpa | udp |
| BE | 74.125.71.154:443 | stats.g.doubleclick.net | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| US | 8.8.8.8:53 | server7.dosya.co | udp |
| DE | 195.201.111.51:443 | server7.dosya.co | tcp |
| US | 8.8.8.8:53 | server7.dosya.co | udp |
| US | 8.8.8.8:53 | server7.dosya.co | udp |
| US | 8.8.8.8:53 | 51.111.201.195.in-addr.arpa | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| US | 8.8.8.8:53 | dosya.co | udp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| GB | 172.217.16.238:443 | www3.l.google.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | udp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | udp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | udp |
| GB | 172.217.16.238:443 | www3.l.google.com | udp |
| GB | 172.217.16.238:443 | www3.l.google.com | udp |
| GB | 142.250.178.14:443 | analytics.google.com | tcp |
| GB | 142.250.178.14:443 | analytics.google.com | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
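Most of the Network table above is Firefox, Edge and Windows background traffic from the sandbox image itself, and the analyst's job is to strip that out before deciding which destinations belong to the sample or to the user's browsing. The helper below is an added triage example, not part of the report or of any sandbox vendor's tooling. It parses rows in the report's own table layout, including rows for connections with no resolved name (the report leaves that cell empty or marks it N/A, and some exports shift the protocol into it), and sorts them into buckets. The allowlist of background suffixes is the author's assumption; a hit means "explained by the browser or OS", not "safe", and the sample rows are copied from the table above.

```python
# Constructed triage helper for a sandbox "Network" table.
# Not part of the report; the allowlist below is an assumption for illustration.

# Second-level suffixes that Firefox, Edge and Windows contact on their own in a
# stock sandbox image. A match only means "explained by background traffic".
BACKGROUND_SUFFIXES = (
    "mozilla.com", "mozilla.net", "mozilla.org", "mozaws.net", "mozgcp.net",
    "google.com", "gvt1.com", "googleapis.com", "doubleclick.net",
    "googlesyndication.com", "ytimg.com", "youtube.com",
    "akamai.net", "msedge.net", "openh264.org", "in-addr.arpa",
)

# Constructed sample: rows copied from the Network table, including two
# connections for which no name was resolved.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49823 | tcp | |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 20.231.121.79:80 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | dosya.co | udp |
| DE | 195.201.111.49:443 | dosya.co | tcp |
| DE | 195.201.111.51:443 | server7.dosya.co | tcp |
| US | 18.209.251.152:80 | rb.gy | tcp |
| GB | 216.58.201.110:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | 49.111.201.195.in-addr.arpa | udp |
"""


def parse_row(line):
    """Split one '| Country | Destination | Domain | Proto |' row into a dict.

    Returns None for the header or non-table lines. Rows for connections with
    no resolved name either carry 'N/A' in Domain or have the protocol shifted
    into the Domain column with an empty Proto column; both are normalised so
    that Domain is ''.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):
        domain, proto = "", domain
    if domain == "N/A":
        domain = ""
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None  # header row or garbage
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def is_background(name):
    """True when the name is the allowlisted suffix itself or a subdomain of it."""
    return any(name == s or name.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage(table_text):
    """Group the table into the buckets an analyst works through in order.

    'unresolved': connections with no name, only an IP to pivot on;
    'review': named hosts not explained by browser/OS background traffic;
    'background': allowlisted browser/OS destinations;
    'dns': names queried over UDP/53; 'loopback': 127.0.0.0/8 connections.
    """
    buckets = {k: set() for k in ("unresolved", "review", "background", "dns", "loopback")}
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        endpoint = f'{row["ip"]}:{row["port"]}'
        if row["ip"].startswith("127."):
            buckets["loopback"].add(endpoint)
        elif row["port"] == 53 and row["proto"] == "udp" and row["domain"]:
            buckets["dns"].add(row["domain"])
        elif row["domain"] == "":
            buckets["unresolved"].add(f'{endpoint}/{row["proto"]}')
        elif is_background(row["domain"]):
            buckets["background"].add(row["domain"])
        else:
            buckets["review"].add(f'{row["domain"]} ({endpoint}/{row["proto"]})')
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_ROWS).items():
        print(f"[{bucket}]")
        for e in entries:
            print("  " + e)
```

Run against the full table, the 'review' bucket is what is left after browser noise is removed (here the github.com, rb.gy and dosya.co hosts); the 'unresolved' bucket lists connections that never had a matching DNS answer in the capture and so need to be attributed by IP, process and timing rather than by name.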
Files
memory/936-0-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-2-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/936-1-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-3-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-4-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-5-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-6-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-7-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe
| MD5 | ef8f44090b3c2fb7a3cdce2e786176ad |
| SHA1 | 234ba8bd66418059832b1dfba4443233efcd22d0 |
| SHA256 | 7fa63f7362df7ec78830f9151a79ed31719ecd99da1a179b3f841e9113b2c548 |
| SHA512 | 2b375f255564fa4661ca4473ad2ead93a153b19bed5e7581ed3745679637454c402a0355b4a1f2d04d5fbc98a6b17a78e272a49b0329f45101770368008ddb7e |
memory/6848-161-0x00000292036B0000-0x00000292036B8000-memory.dmp
memory/6848-162-0x00007FFBEB080000-0x00007FFBEBB41000-memory.dmp
memory/6848-163-0x000002921DC70000-0x000002921DC80000-memory.dmp
C:\Users\Admin\Desktop\Release\pd.exe
| MD5 | 6a93cde6021ce0651c274bc5ee1ae584 |
| SHA1 | 87eb4b9e787b4ac6857365c1d1cdc4324c718d0f |
| SHA256 | 077e756ed53afaa4661eb1dfbed04ad025353a0ce6a9ad8c6b3971d2e6c256d9 |
| SHA512 | 57a53c1fc215f39705c18e8b808e2b60722fbd66b3962fb47964915f2cada24420541bd26741bf91f3336fb8864aabecdae93bad4569a1409a1c450eae702d27 |
memory/6848-165-0x00007FFBEB080000-0x00007FFBEBB41000-memory.dmp
memory/7100-166-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/7100-167-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/7100-168-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/7100-169-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/7100-170-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/7100-171-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/7100-172-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/7100-173-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6848-174-0x000002921DC70000-0x000002921DC80000-memory.dmp
memory/6848-176-0x00007FFBEB080000-0x00007FFBEBB41000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\THEMIDA_UNPACK_x64.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/6416-179-0x00007FFBEB130000-0x00007FFBEBBF1000-memory.dmp
memory/6416-180-0x0000021CF76A0000-0x0000021CF76B0000-memory.dmp
memory/6552-181-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-183-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6552-182-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-184-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-185-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-186-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-187-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-188-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6416-189-0x00007FFBEB130000-0x00007FFBEBBF1000-memory.dmp
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exe
| MD5 | 6bd00bcdba9fcda14497510d62931077 |
| SHA1 | e116a1f1d6cf4f429250b3aa98bf84596bbef78c |
| SHA256 | 9dd804cc9c950322d3780e9b2b774cfd5b6f3bf875fec20f7bd7ba868eb77f30 |
| SHA512 | 19c3f0fa712f7bf7562de015d1de2c1570540d53bfb0ad9a78b5031697fe75524c8f6898975530ad52303ea3ba3f41570711d22cec3dde9486c0742b2d9b6146 |
memory/6620-193-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/6620-194-0x0000000000700000-0x0000000000708000-memory.dmp
memory/6620-195-0x00000000056E0000-0x0000000005C84000-memory.dmp
memory/6620-196-0x0000000005130000-0x00000000051C2000-memory.dmp
memory/6620-197-0x00000000053A0000-0x00000000053B0000-memory.dmp
memory/6748-198-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6748-199-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6748-200-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6748-201-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6620-203-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/6748-204-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6748-205-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6748-206-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6748-207-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6892-208-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6892-210-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6892-209-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6892-211-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6892-212-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6892-213-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
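The memory dump names in the Files section encode the PID, a sequence number and the dumped address range, and the same range (for example 0x00007FF79BD90000-0x00007FF79C6F0000) recurs under several PIDs. Before diffing dumps it is worth knowing which ranges are shared across processes and how large each is. The helper below is an added example and not part of the report or of any sandbox tooling; it parses that naming scheme, groups regions by PID and reports ranges dumped from more than one process. The sample names are copied from the list above, and the file naming convention is inferred from those names only.

```python
# Constructed helper for sandbox memory-dump file names of the form
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# Not part of the report; the pattern is inferred from the names on this page.
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: dump names copied from the Files section.
SAMPLE_DUMPS = """
memory/936-0-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/936-2-0x00007FFC0E590000-0x00007FFC0E785000-memory.dmp
memory/6848-161-0x00000292036B0000-0x00000292036B8000-memory.dmp
memory/6848-162-0x00007FFBEB080000-0x00007FFBEBB41000-memory.dmp
memory/7100-166-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6552-181-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6620-193-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/6748-198-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
memory/6892-208-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp
"""


def parse_dump_name(name):
    """Return pid, seq, start, end and size for one dump name, or None."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(text):
    """Map pid -> sorted list of distinct (start, end) regions dumped from it.

    The same region is often dumped several times (one file per sequence
    number); collapsing to the distinct ranges shows how many images or
    buffers were actually captured per process.
    """
    out = defaultdict(set)
    for line in text.splitlines():
        d = parse_dump_name(line)
        if d:
            out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}


def shared_regions(text, min_pids=2):
    """Regions dumped from at least min_pids distinct processes -> sorted PIDs.

    An identical range in several PIDs is the first candidate to compare:
    same base and size across processes is what a single image mapped in each
    of them would look like, which a byte-level diff of the dumps can confirm.
    """
    seen = defaultdict(set)
    for pid, regions in regions_by_pid(text).items():
        for r in regions:
            seen[r].add(pid)
    return {r: sorted(p) for r, p in seen.items() if len(p) >= min_pids}


def fmt_region(region):
    """Render a (start, end) pair the way the dump names do, plus its size."""
    start, end = region
    return f"0x{start:016X}-0x{end:016X} ({end - start:#x} bytes)"


if __name__ == "__main__":
    for region, pids in shared_regions(SAMPLE_DUMPS).items():
        print(fmt_region(region), "in PIDs", pids)
```

Region sizes are a cheap sanity check too: a range of 0x960000 bytes repeated at the same base across five PIDs is a different artefact from the 0x8000-byte region seen only in PID 6848, and the two should not be compared against each other.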