rhadamanthys | hxxp://85[.]208[.]184[.]101[:]8000

Analysis

max time kernel
684s
max time network
697s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://85.208.184.101:8000

Score

10^/10

rhadamanthys collection stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

BitLockerToGo.exedialer.exeBitLockerToGo.exedialer.exeBitLockerToGo.exedialer.exeBitLockerToGo.exedialer.exeBitLockerToGo.exeBitLockerToGo.exedialer.exeBitLockerToGo.exedialer.exe

description	pid	process	target process
PID 4992 created 2692	4992	BitLockerToGo.exe	sihost.exe
PID 1180 created 2692	1180	dialer.exe	sihost.exe
PID 6384 created 2692	6384	BitLockerToGo.exe	sihost.exe
PID 1856 created 2692	1856	dialer.exe	sihost.exe
PID 5096 created 2692	5096	BitLockerToGo.exe	sihost.exe
PID 2368 created 2692	2368	dialer.exe	sihost.exe
PID 5272 created 2692	5272	BitLockerToGo.exe	sihost.exe
PID 6388 created 2692	6388	dialer.exe	sihost.exe
PID 5128 created 2692	5128	BitLockerToGo.exe	sihost.exe
PID 3796 created 2692	3796	BitLockerToGo.exe	sihost.exe
PID 4584 created 2692	4584	dialer.exe	sihost.exe
PID 5408 created 2692	5408	BitLockerToGo.exe	sihost.exe
PID 3208 created 2692	3208	dialer.exe	sihost.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exepowershell.exe

flow pid process

44 5280 rundll32.exe
47 3496 powershell.exe

flow	pid	process
44	5280	rundll32.exe
47	3496	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

downloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exe

pid	process
6908	downloaded2024.exe
6984	downloaded2024.exe
7144	downloaded2024.exe
1716	downloaded2024.exe
3532	downloaded2024.exe
5560	downloaded2024.exe
4928	downloaded2024.exe
564	downloaded2024.exe
1092	downloaded2024.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5280 rundll32.exe

pid	process
5280	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 36 IoCs

collection

Email Collection

T1114

Processes:

openwith.exeopenwith.exeopenwith.exeopenwith.exeopenwith.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	openwith.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

downloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exedownloaded2024.exe

description	pid	process	target process
PID 7144 set thread context of 4992	7144	downloaded2024.exe	BitLockerToGo.exe
PID 3532 set thread context of 6384	3532	downloaded2024.exe	BitLockerToGo.exe
PID 5560 set thread context of 5096	5560	downloaded2024.exe	BitLockerToGo.exe
PID 4928 set thread context of 5272	4928	downloaded2024.exe	BitLockerToGo.exe
PID 6908 set thread context of 3796	6908	downloaded2024.exe	BitLockerToGo.exe
PID 6984 set thread context of 5128	6984	downloaded2024.exe	BitLockerToGo.exe
PID 1716 set thread context of 5760	1716	downloaded2024.exe	BitLockerToGo.exe
PID 564 set thread context of 5408	564	downloaded2024.exe	BitLockerToGo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2812	4992	WerFault.exe	BitLockerToGo.exe
5480	4992	WerFault.exe	BitLockerToGo.exe
1368	6384	WerFault.exe	BitLockerToGo.exe
1620	6384	WerFault.exe	BitLockerToGo.exe
6852	5096	WerFault.exe	BitLockerToGo.exe
5768	5096	WerFault.exe	BitLockerToGo.exe
6276	5272	WerFault.exe	BitLockerToGo.exe
1312	5272	WerFault.exe	BitLockerToGo.exe
412	5128	WerFault.exe	BitLockerToGo.exe
5604	3796	WerFault.exe	BitLockerToGo.exe
472	5128	WerFault.exe	BitLockerToGo.exe
5040	3796	WerFault.exe	BitLockerToGo.exe
5672	5760	WerFault.exe	BitLockerToGo.exe
4588	5760	WerFault.exe	BitLockerToGo.exe
4216	5408	WerFault.exe	BitLockerToGo.exe
4348	5408	WerFault.exe	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

openwith.exefirefox.exeopenwith.exeopenwith.exefirefox.exeopenwith.exeopenwith.exeopenwith.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	openwith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	openwith.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	openwith.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	openwith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	openwith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	openwith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	openwith.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	openwith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	openwith.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	openwith.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	openwith.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	openwith.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\evil_theme.themepack:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\evil_theme.themepack:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 17 IoCs

Processes:

wmprph.exesetup_wm.exewmplayer.exewmpshare.exesetup_wm.exewmplayer.exewmprph.exewmplayer.exewmprph.exewmpnscfg.exewmpshare.exewmlaunch.exewmprph.exesetup_wm.exewmplayer.exewmprph.exewmpshare.exe

pid	process
1036	wmprph.exe
5584	setup_wm.exe
3492	wmplayer.exe
2080	wmpshare.exe
1408	setup_wm.exe
2176	wmplayer.exe
6052	wmprph.exe
420	wmplayer.exe
5692	wmprph.exe
5068	wmpnscfg.exe
2284	wmpshare.exe
5956	wmlaunch.exe
5636	wmprph.exe
5696	setup_wm.exe
876	wmplayer.exe
6624	wmprph.exe
4600	wmpshare.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeBitLockerToGo.exedialer.exeopenwith.exewmprph.exesetup_wm.exewmplayer.exeBitLockerToGo.exedialer.exeopenwith.exewmpshare.exesetup_wm.exewmplayer.exe

pid	process
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
4992	BitLockerToGo.exe
4992	BitLockerToGo.exe
1180	dialer.exe
1180	dialer.exe
1180	dialer.exe
1180	dialer.exe
420	openwith.exe
420	openwith.exe
420	openwith.exe
420	openwith.exe
420	openwith.exe
420	openwith.exe
1036	wmprph.exe
1036	wmprph.exe
5584	setup_wm.exe
5584	setup_wm.exe
1036	wmprph.exe
1036	wmprph.exe
3492	wmplayer.exe
3492	wmplayer.exe
1036	wmprph.exe
1036	wmprph.exe
6384	BitLockerToGo.exe
6384	BitLockerToGo.exe
1036	wmprph.exe
1036	wmprph.exe
1856	dialer.exe
1856	dialer.exe
1036	wmprph.exe
1036	wmprph.exe
1856	dialer.exe
1856	dialer.exe
4892	openwith.exe
4892	openwith.exe
4892	openwith.exe
4892	openwith.exe
4892	openwith.exe
4892	openwith.exe
2080	wmpshare.exe
2080	wmpshare.exe
1036	wmprph.exe
1036	wmprph.exe
1408	setup_wm.exe
1408	setup_wm.exe
2080	wmpshare.exe
1036	wmprph.exe
1036	wmprph.exe
2080	wmpshare.exe
2176	wmplayer.exe
2176	wmplayer.exe
2080	wmpshare.exe
1036	wmprph.exe
2080	wmpshare.exe
1036	wmprph.exe
2080	wmpshare.exe
1036	wmprph.exe
1036	wmprph.exe
2080	wmpshare.exe
2080	wmpshare.exe
2080	wmpshare.exe
1036	wmprph.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firefox.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	4596	firefox.exe
Token: SeDebugPrivilege	4596	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe

pid process

4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

firefox.exe

pid process

4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exe

pid process

4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe
4596 firefox.exe

pid	process
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe

pid	process
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe

pid	process
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe
4596	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4636 wrote to memory of 4596	4636	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 4036	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe
PID 4596 wrote to memory of 5832	4596	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

openwith.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	openwith.exe

outlook_win_path 1 IoCs

Processes:

openwith.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	openwith.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2692

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\system32\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:420

C:\Program Files\Windows Media Player\wmprph.exe
"C:\Program Files\Windows Media Player\wmprph.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Program Files\Windows Media Player\setup_wm.exe
"C:\Program Files\Windows Media Player\setup_wm.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:5584

C:\Program Files\Windows Media Player\wmplayer.exe
"C:\Program Files\Windows Media Player\wmplayer.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1856

C:\Windows\system32\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Program Files\Windows Media Player\wmpshare.exe
"C:\Program Files\Windows Media Player\wmpshare.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Program Files\Windows Media Player\setup_wm.exe
"C:\Program Files\Windows Media Player\setup_wm.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Program Files\Windows Media Player\wmplayer.exe
"C:\Program Files\Windows Media Player\wmplayer.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2368

C:\Windows\system32\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
PID:2076

C:\Program Files\Windows Media Player\wmprph.exe
"C:\Program Files\Windows Media Player\wmprph.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6052

C:\Program Files\Windows Media Player\wmplayer.exe
"C:\Program Files\Windows Media Player\wmplayer.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:420

C:\Program Files\Windows Media Player\wmprph.exe
"C:\Program Files\Windows Media Player\wmprph.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5692

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6388

C:\Windows\system32\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
PID:1236

C:\Program Files\Windows Media Player\wmpnscfg.exe
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5068

C:\Program Files\Windows Media Player\wmpshare.exe
"C:\Program Files\Windows Media Player\wmpshare.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:2284

C:\Program Files\Windows Media Player\wmlaunch.exe
"C:\Program Files\Windows Media Player\wmlaunch.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5956

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4584

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:6264

C:\Windows\system32\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
PID:6568

C:\Program Files\Windows Media Player\wmprph.exe
"C:\Program Files\Windows Media Player\wmprph.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5636

C:\Program Files\Windows Media Player\setup_wm.exe
"C:\Program Files\Windows Media Player\setup_wm.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5696

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3208

C:\Windows\system32\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2604

C:\Program Files\Windows Media Player\wmplayer.exe
"C:\Program Files\Windows Media Player\wmplayer.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:876

C:\Program Files\Windows Media Player\wmprph.exe
"C:\Program Files\Windows Media Player\wmprph.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6624

C:\Program Files\Windows Media Player\wmpshare.exe
"C:\Program Files\Windows Media Player\wmpshare.exe"
3⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://85.208.184.101:8000"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://85.208.184.101:8000
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.0.799885945\812051157" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0247ddd3-a166-4a6c-add4-94e69bda988a} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 1880 211fff1d758 gpu
3⤵
PID:4036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.1.742117571\2135246648" -parentBuildID 20230214051806 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eeb1c5f-2ac6-4b38-b428-6075a0de2449} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 2408 211804b0f58 socket
3⤵
- Checks processor information in registry
PID:5832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.2.665976327\1105318737" -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd631a88-16cf-437c-8958-89bce0398faf} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 3212 21182f3f758 tab
3⤵
PID:4632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.3.1415798331\1551605482" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1926bce3-3d8d-49ee-affd-64d8f472a1a7} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 3648 21185bf3f58 tab
3⤵
PID:2336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.4.1563291539\1432900496" -childID 3 -isForBrowser -prefsHandle 5164 -prefMapHandle 5160 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ec25126-3c49-4781-ac5b-5c46f12eb71a} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 5176 21186e19858 tab
3⤵
PID:6048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.5.768033967\1636841680" -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a4ecfe6-2432-465a-a84e-4a37c2544b81} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 5272 21186e19558 tab
3⤵
PID:5628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4596.6.1195561960\354600690" -childID 5 -isForBrowser -prefsHandle 5556 -prefMapHandle 5552 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1340 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d562070c-baa8-40df-ba05-d849c6f723cc} 4596 "\\.\pipe\gecko-crash-server-pipe.4596" 5564 21186e16258 tab
3⤵
PID:5696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Users\Admin\Downloads\evil_theme.themepack
1⤵
PID:5740

C:\Windows\System32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\Resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5284

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Users\Admin\Downloads\evil_theme.themepack
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6908

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 472
5⤵
- Program crash
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 504
5⤵
- Program crash
PID:5040

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe" -ExecutionPolicy Bypass
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6984

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 476
5⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 472
5⤵
- Program crash
PID:472

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7144

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 504
5⤵
- Program crash
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 476
5⤵
- Program crash
PID:5480

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1716

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 436
5⤵
- Program crash
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 444
5⤵
- Program crash
PID:4588

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3532

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 468
5⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6384 -s 480
5⤵
- Program crash
PID:1620

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5560

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 468
5⤵
- Program crash
PID:6852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 472
5⤵
- Program crash
PID:5768

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4928

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 448
5⤵
- Program crash
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 432
5⤵
- Program crash
PID:1312

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:564

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 472
5⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 468
5⤵
- Program crash
PID:4348

C:\Users\Admin\Downloads\downloaded2024.exe
"C:\Users\Admin\Downloads\downloaded2024.exe"
3⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
1⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4992 -ip 4992
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6384 -ip 6384
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6384 -ip 6384
1⤵
PID:6416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5096 -ip 5096
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5096 -ip 5096
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5272 -ip 5272
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5272 -ip 5272
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5128 -ip 5128
1⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3796 -ip 3796
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5128 -ip 5128
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3796 -ip 3796
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5760 -ip 5760
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5760 -ip 5760
1⤵
PID:6544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5408 -ip 5408
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5408 -ip 5408
1⤵
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
e6ccf3c01e13e4556790f22c3ec3fffb

SHA1
5e66d1904a9316ca765de3836e672815b2e5ac30

SHA256
be93a2b6f8349e20bedb740bb6a70373391d8ef675df9e82707156b0e008093d

SHA512
b582868d5cfd1a57b597dca7cf995e8c1fee7d376cc7210b63e98dcb3fa5a2592486cb1ab9acbea2afa72c93190c7e40a28f8d5afb6a200ea3e057235e8ba331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
579B

MD5
502cd4c145e9df40ef1524f6ba1fcaeb

SHA1
be0f3dc805c1e49d82fbc6ddec378b64b457d324

SHA256
b3798688a42ba0d6a30cf1680801973f457bd579926d056aaae7cc03de71ff19

SHA512
36be99c14cf36c1807aad0ec56b3c3f562cfdd3c9bba10c3c429044b1182ac35a1bf702d155a5f6fe15c7ca8894adcca9e67f09a0ee9d74736b63aee4ac69091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
bb0ba81ed56a1033c8a76f66eacfac3b

SHA1
6c98fbdd45d468fcca72cb4068b5f4828c194e41

SHA256
9c74fd1c86de83521fab8b3ce9370ca7862fc4676fb09b847817c15a391d580c

SHA512
4ceddc9b78f72826075597e1a9bb1681b42b4d2e9fc6ff7b6df3525eb089b990920515e9c1283f11aa1350d2290859fa98728c116f837f6bd0951d6ebdacd736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
84a80b46b732a1a32609da89f27c07ae

SHA1
f2d597d950c1e63bc9fb9b8fbf7a23a7498041be

SHA256
e0ed2d52358d762aa666a873dff325aaa9cd7843757951521302cfcf037684e6

SHA512
4fd8525ca2119ce94a61c10549d1b6566b7b4a5449baf3f2d9b0af6ae70fd307d523bbe4b5fde69b163d6f4bf7bd90a1a81adcc43d6aa76ad091b41e580222be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
9ceb794919cba6c08a0a54bb6e4a021d

SHA1
b909707b902c2b883eb8c5465e8a056971b84984

SHA256
7523a6c96c79d4e90c66f1315a79c4c6d835981fec8f777b88d5ef4269023230

SHA512
60d73cd873462c49572467f0eb9aa780d50864d60bf85c696439796ff2e1832dce4d391a4f650aa1624d75d5e6ee265f5cd3c922a6808f4abc88c38fa8c1a40b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
d6ac925e301f6b07cf704b1690405650

SHA1
eb2dae768aab3914fa25ff26ad1fd8956a813aac

SHA256
76d67ee2ff2bbf212e8948f0e0530b0333f5a9cc1ba9956f892bb1cf5ffce817

SHA512
74f3ff22cd79a62ac339c8e9df7ec1a7ceb663b6b204acf4f508cc36e6f9fa558f1ee836a7c6140b4a2e04cd50cd022d516184526a842c9750b8d850e09d9adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
4e69597ce44a7513c82b9f50934c729b

SHA1
888b20865a832ead22491483c56fde1306ca9fed

SHA256
4f4f8955415c053e35216d3eeee1ceb768639ba169be0bb1d2ffcdf269b03f6f

SHA512
d394c1753c64f5f18814557c08a5f9a6867f4bff13abdfde53a92c3b5ab527b828135305901ea1ab7b8521afeda1bfabd8649e651d2d54cd666aeba8131fbee6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk2ya47p.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
c8cc6515bd24fccca3715299093300c7

SHA1
a7e5d28aba7d4de2098256b8a5c555a2f1254b26

SHA256
d026aaed4b63c3e53cd75aeb483abfaa7db21e2ce8f66d4c5a0d4e924a18fe4e

SHA512
96e763325482d31fccaf1b8651257492ab710b4c92943f0f1a5f7e8078595ca276d2ae969fa5b8427868231754af5625fab0d734955d0cc51cbd4e3a61e6579e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk2ya47p.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize
13KB

MD5
9bb829c03226d7c0cb0a5da467c14c69

SHA1
25f6813e49e0420301456476f06f9c1241bf67f2

SHA256
06c21e077477187817c1c205a4f9fb743b2c56c34cffec122f7caa72c03caa9e

SHA512
1e8d978d15db230beeca0b6054c593c993e9c11d4e37692f87612c553937bd999f6cede40b5096d46fbed10cc5c1a99388374842e2c8b21b70b14ec7df602fef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uk2ya47p.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308
Filesize
9KB

MD5
f49390b2f78078c34e7ae55144f91c6c

SHA1
bd8ee2f90572b0fe72d423008438e09aa6c2ff33

SHA256
2b6d1c7edcb9b58d1f10afb192c5c1e64d7debf41c58b26f441d5784a5dab09a

SHA512
bc171bf9cddfab37ae76414af421182f6a97e56e5032c83485702d5089468546e5d8a3082c7af5c78acee38652d0e881133efb43924a63613c6f3776dc595a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\TP_F2E.tmp
Filesize
372B

MD5
c59a1c392fa59774efc752c828048e69

SHA1
25a5ec0257163e171b9dd3a3e24d8e38a381ebb2

SHA256
c48b779d628a9cd7d0320bed24e02da1dbd0a7b5babb708e484430e20e727796

SHA512
03286db13ac5f1278402a451a95b9e9f410b698209d267257dfb90b1904b8dee51750e6777ccfadaf1afe502959a8eb46905718cef33b0e00d576b28f40de6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5diwngl.ib1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
9KB

MD5
2db2bec4fb8ad713c154262f0c0ce749

SHA1
ddba5564ee013feb528fb59e63829fe4beaa8756

SHA256
b1d1552afe8b2dddeaecd02bf5514da489b082b4c5b7b6b98c16b4b22fb60f40

SHA512
f7682d7b803db3a11694c3f6132125e19e8b0b3aa94b9e30ed1c5a7667b05b0e647520980333c98640b20aa165b6ac0d8f1de365ee3e94c7b81965bf233ada4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\bookmarkbackups\bookmarks-2024-04-19_11_0hwhHkvSjIzgctZ9MzSxAg==.jsonlz4
Filesize
1004B

MD5
4f1b64b134b5adddb4d7ac195e0d4cdb

SHA1
3c827b0dd6b01c62d9074898b191874b49870f1e

SHA256
e1e8bfa49b04840968bf6575de3a41114a538161fdb7d36b9779d40bcdcd3039

SHA512
587182d5a87a5944f1726fb86dbcb8314af4accadcf04d72138c0b88cd2bda965889485fb6ba231ab5c200a72c2daff79a0a612a1ee703f6153ae5ce487ee917

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\broadcast-listeners.json
Filesize
216B

MD5
8429bdbc6fc7a95e8fcd9363f9321270

SHA1
9c140c1fefa7c15e99bd77c0d06b12d0a5a990e1

SHA256
09e1368a571153087feeacfc2688d4fc77ef9c224aef2c1ceb28086f88852838

SHA512
498bc63e3d428c3d3f89e0f57bc0aea80bead8334a68eb7b0af8fe43faea5638d2a5a1286e3a5e3f4954a804765232a8003fd55f461c4fe192256bc3f2a04e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\prefs-1.js
Filesize
8KB

MD5
b6af6cc1b0f9fd3dc4da091f989893b5

SHA1
165d888350d633a5c9939137cf12a669256b8309

SHA256
c64e9437b6ce7f5558f98841436991a43426361b889a5f4a1dfef69734b606c3

SHA512
dc52ff745351fca81ff772189327c8fc3c7ad50c8faae43146bc54f3ae03fc0fbc8dbe20f432604fd9a011c74580dafe8e665f72cb15e7c4b979920fdb8f0064

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\prefs-1.js
Filesize
7KB

MD5
593dc24712374537acced25123321231

SHA1
cc4a4eeadeb06df194a6436f6fb08bb20538d807

SHA256
4cb2d9ac1154c5ae5d0fceb20961f9d689bd5ce22057ec77845b974bcea3c8dc

SHA512
8f99eea36f738352689119da1643aea46faea4e3d0c69ddb5bb986ef625ad78590fc4593b3f23a97afc81f19b3b2a4e77cb86f5814ff36275978aeced03ea3bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\prefs-1.js
Filesize
11KB

MD5
752e5701a5b6a054b458151029c178f7

SHA1
6345df8b55ab8cac3e9609cc9e709ad2430b16c7

SHA256
c9202e2043c977f4c4b756b365b2062ecc5e510853794952d208c0d3d9ce5bf6

SHA512
f5690d6f6a17879b764c3865f453558b32ae8ed9655b872c0f99ad59437a9faa1e017208a3b489aede5e40525f55f1b2bcb622cc523433970e1e56137f4868a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\prefs-1.js
Filesize
10KB

MD5
9cfbba9a3c8bc6bef9ed37d20dbecf9e

SHA1
4957e78c7dfbc78ee8f0a31529002e242916bc15

SHA256
be95c693749f3a8e1479491fcec238a534c394716c1f2c68d2bc7000615d5002

SHA512
1f1ffbc8f0927a6456c8ab8f1a453d39c1a97149eac47e0e98081ba2bf2b7d2065246c95b8dd29b6f85c700c1091d016b9c8acd0e7b6544fca3407a5a2dfb835

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\prefs.js
Filesize
10KB

MD5
7bfc9e746596366f6e5990af484751ae

SHA1
ffdaccb5129a266356723ffa37aefe0cb97724fb

SHA256
9b662c6b98cf9f8e70629e098fa9a2beff5d4596b88e5cf089cc35bf5143f0f3

SHA512
cbecaf6467b7deccc628c473664e1129a03034defb0aef2e8c7d06cdf6960bdc0cec93728fc0e01a1b4cdff5af8eeda30f2eed3d8391234258926081d00f1090

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\prefs.js
Filesize
10KB

MD5
ce0779f495040538c73062d07782839d

SHA1
ab40da374c6a6bc1c4f2c381ffc8c932cf45786f

SHA256
73679ceab85eca496e5d360edb68d44cccf6f62b604773a8d2b787bb8c970b3c

SHA512
ea6f6d14b996f6fafb294cc82ea0879bc9ccd38b62cfb7a003da0269bc7726753f1fa5770e867a8d83fe277bb73674f40426c305a87e0beeda82e952a22d0dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
b1141eb3debfe8e547ad47eca26c58e9

SHA1
92f53fd06cabd555269696ae9bb9464648177117

SHA256
e5f62b01ea0da39ec4185862d4349a333fe572a4b60e3cd2b6cbbda424ba688b

SHA512
c299e3759d0c72a982fdeb790045f2031894f222c1e1125dcde1ea829c6502873aaf5ef544fd55848256c1c2d1efcae62ed828ba8f4d8406a9581f5df8177963

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\sessionstore.jsonlz4
Filesize
812B

MD5
2e7e46c6283240da8d02a34708322f63

SHA1
8406a30597dcb912afbe0506d1162b64c09d3fbe

SHA256
541e90f93b232f35b32cd14b21e782d3da0db0b46ecbe45e29ff066c7be80e52

SHA512
b0f1702c3ac57f61a5d8148633324ffb72bb6379848e261f63675a42548bd133cf8cc388a3db569d5bf23b94e577885795e80eeec61d7eaef146b64f7babc8ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\targeting.snapshot.json
Filesize
4KB

MD5
0566f4e3ebcf6d2f02e0bd8bf8ba490c

SHA1
4db6aa04e2d3906007fc70018f119fbbeefd0ce0

SHA256
e3ede891723e5bdc24d7a9542f0c332d1c55673e996ab2ca6332f1bc3e1d6d1d

SHA512
ead109a29b6bc36776d2318fab10eda637c851162a529ccd8768e3e100f2a949f5d0109683a6acd3116451bc797a1a537f5e196fd8eb05c4685f1c6c1cb34f14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uk2ya47p.default-release\xulstore.json
Filesize
141B

MD5
b847f28acdec63348ea376efd4278d02

SHA1
da4ae0ce914885ad7fe1f89aef3aa4f324747091

SHA256
7e63f727108182d4afdf0ae5131c9e0692d857b934fe8d93a7d4a8cea58fb834

SHA512
07b89826d35c5b9f056c8556ed5dd0a961f779d1aa7639321b90c56ef65bf6706a653a22f7790543b1482414069d5587c1f1c28215e92a7ffdf0fa4a55537c08

Download Submit
C:\Users\Admin\Downloads\downloaded2024.exe
Filesize
8.7MB

MD5
953287b6e6ce75e1bfd5246fd6bd1dc4

SHA1
0d4f0f40e13eade2667062a5d18f3585af5a0eac

SHA256
ca413cdbe19bc2e03329b4108a3c4d4f12b2a80d2c8b44b772f06a41f2970381

SHA512
bac323cc68f92da062329ce53e33442f47c565aa855e9cdc9bf25edd35440edd24b1ac92722536c1331d3bb7052ee4367a93815a9e1f7a26fea207230c9e6173

Download Submit
C:\Users\Admin\Downloads\evil_theme.themepack
Filesize
457B

MD5
27c5a7451ea87d19a92dbdc8ba442e4b

SHA1
8cec3b471f81b18c0008de6bb27eac9ded9ee051

SHA256
2130f0628e0d048664bad4ed703e95ab04d50842a61f6d6b34981a85ea6b6ccb

SHA512
105603d2a3b58a4df8a6359eeb071e8874697c846603b431b7ddeb185278b4e10812d19e616a1e402acf4cee12dbae5bff9a55e91fb4a210fa360110f371f3f1

Download Submit
\Device\Mup\85.208.184.101\tb\Aero.msstyles_vrf.dll
Filesize
1.4MB

MD5
9119ab91e6c01a3018c9f602e8b73237

SHA1
b43702f264a9c374dbce1c7e5b030f3386a647b8

SHA256
06309e669be4cce0b20cc6d0f49d2a9636dbc7dd7816c2b9672debc0a55030b4

SHA512
35da6ff9f188be6abeca71a376d9490e5cc450ad1f2016aaed513d1f7e73889c0ca2ef969c3f35eace1aef09f6eea3a4fa6f60541b14988e2944a3e5cb1750da

Download Submit
memory/420-3800-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3796-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3786-0x000001403EBA0000-0x000001403EBA3000-memory.dmp

Filesize
12KB

Download
memory/420-3790-0x000001403EBA0000-0x000001403EBA3000-memory.dmp

Filesize
12KB

Download
memory/420-3889-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/420-3888-0x0000014040650000-0x0000014040655000-memory.dmp

Filesize
20KB

Download
memory/420-3798-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3842-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3838-0x0000014040650000-0x0000014040657000-memory.dmp

Filesize
28KB

Download
memory/420-3797-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3802-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3804-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/420-3803-0x00007FF450D50000-0x00007FF450E98000-memory.dmp

Filesize
1.3MB

Download
memory/420-3805-0x0000014040670000-0x00000140407E9000-memory.dmp

Filesize
1.5MB

Download
memory/420-3787-0x0000014040650000-0x0000014040657000-memory.dmp

Filesize
28KB

Download
memory/420-3861-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1036-3811-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3816-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3814-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1036-3879-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1036-3819-0x00007FF4694F0000-0x00007FF4694F8000-memory.dmp

Filesize
32KB

Download
memory/1036-3807-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3812-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3851-0x000001C894320000-0x000001C894325000-memory.dmp

Filesize
20KB

Download
memory/1036-3820-0x00007FF4694F0000-0x00007FF4694F8000-memory.dmp

Filesize
32KB

Download
memory/1036-3870-0x000001C894320000-0x000001C894325000-memory.dmp

Filesize
20KB

Download
memory/1036-3813-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3823-0x000001C894320000-0x000001C894325000-memory.dmp

Filesize
20KB

Download
memory/1036-3815-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3886-0x00007FF4694F0000-0x00007FF4694F8000-memory.dmp

Filesize
32KB

Download
memory/1036-3852-0x00007FF4694E0000-0x00007FF4694E8000-memory.dmp

Filesize
32KB

Download
memory/1036-3908-0x00007FF4694E0000-0x00007FF4694E8000-memory.dmp

Filesize
32KB

Download
memory/1036-3882-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3881-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1036-3810-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3808-0x000001C893FB0000-0x000001C894011000-memory.dmp

Filesize
388KB

Download
memory/1036-3880-0x00007FF4694B0000-0x00007FF4694DB000-memory.dmp

Filesize
172KB

Download
memory/1180-3781-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1180-3782-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1180-3784-0x0000000003220000-0x0000000003255000-memory.dmp

Filesize
212KB

Download
memory/1180-3785-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1180-3776-0x0000000003220000-0x0000000003255000-memory.dmp

Filesize
212KB

Download
memory/1180-3739-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/1180-3788-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1180-3789-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1180-3742-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1180-3747-0x0000000075F30000-0x0000000076182000-memory.dmp

Filesize
2.3MB

Download
memory/1180-3743-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1180-3744-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/1180-3746-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1716-3791-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/1716-3809-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/1716-3732-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/1856-3970-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/1856-3947-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/1856-3950-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/1856-3952-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/1856-3968-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/1856-3971-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/2080-3994-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/2080-3996-0x000001A0F8CD0000-0x000001A0F8D31000-memory.dmp

Filesize
388KB

Download
memory/3492-3865-0x000001FD845F0000-0x000001FD84651000-memory.dmp

Filesize
388KB

Download
memory/3492-3863-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/3492-3909-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/3492-3867-0x000001FD845F0000-0x000001FD84651000-memory.dmp

Filesize
388KB

Download
memory/3492-3911-0x000001FD845F0000-0x000001FD84651000-memory.dmp

Filesize
388KB

Download
memory/3492-3866-0x000001FD845F0000-0x000001FD84651000-memory.dmp

Filesize
388KB

Download
memory/3496-2658-0x000001DFB8C30000-0x000001DFB8C40000-memory.dmp

Filesize
64KB

Download
memory/3496-2639-0x00007FFBD3210000-0x00007FFBD3CD2000-memory.dmp

Filesize
10.8MB

Download
memory/3496-2656-0x000001DFB8C30000-0x000001DFB8C40000-memory.dmp

Filesize
64KB

Download
memory/3496-2697-0x000001DFD1570000-0x000001DFD15B6000-memory.dmp

Filesize
280KB

Download
memory/3496-3674-0x00007FFBD3210000-0x00007FFBD3CD2000-memory.dmp

Filesize
10.8MB

Download
memory/3496-3675-0x000001DFB8C30000-0x000001DFB8C40000-memory.dmp

Filesize
64KB

Download
memory/3496-3680-0x000001DFB8C30000-0x000001DFB8C40000-memory.dmp

Filesize
64KB

Download
memory/3496-3681-0x000001DFB8C30000-0x000001DFB8C40000-memory.dmp

Filesize
64KB

Download
memory/3496-2623-0x000001DFD1140000-0x000001DFD1162000-memory.dmp

Filesize
136KB

Download
memory/3496-2647-0x000001DFB8C30000-0x000001DFB8C40000-memory.dmp

Filesize
64KB

Download
memory/4892-3976-0x00007FF4BEF60000-0x00007FF4BF0A8000-memory.dmp

Filesize
1.3MB

Download
memory/4892-3982-0x00007FF4BEF60000-0x00007FF4BF0A8000-memory.dmp

Filesize
1.3MB

Download
memory/4892-3981-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/4992-3735-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/4992-3726-0x0000000000420000-0x000000000048D000-memory.dmp

Filesize
436KB

Download
memory/4992-3774-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download
memory/4992-3738-0x0000000075F30000-0x0000000076182000-memory.dmp

Filesize
2.3MB

Download
memory/4992-3737-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download
memory/4992-3734-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download
memory/4992-3733-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download
memory/4992-3731-0x00000000034B0000-0x00000000038B0000-memory.dmp

Filesize
4.0MB

Download
memory/4992-3730-0x0000000000420000-0x000000000048D000-memory.dmp

Filesize
436KB

Download
memory/4992-3729-0x0000000000420000-0x000000000048D000-memory.dmp

Filesize
436KB

Download
memory/5584-3839-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/5584-3832-0x00000292FCF70000-0x00000292FCFD1000-memory.dmp

Filesize
388KB

Download
memory/5584-3840-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/5584-3841-0x00000292FCF70000-0x00000292FCFD1000-memory.dmp

Filesize
388KB

Download
memory/5584-3887-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/6384-3942-0x0000000004370000-0x0000000004770000-memory.dmp

Filesize
4.0MB

Download
memory/6384-3954-0x0000000004370000-0x0000000004770000-memory.dmp

Filesize
4.0MB

Download
memory/6384-3936-0x00000000012E0000-0x000000000134D000-memory.dmp

Filesize
436KB

Download
memory/6384-3939-0x0000000004370000-0x0000000004770000-memory.dmp

Filesize
4.0MB

Download
memory/6384-3944-0x00007FFBF5820000-0x00007FFBF5A29000-memory.dmp

Filesize
2.0MB

Download
memory/6908-3741-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3715-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3703-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3721-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3701-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3799-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3821-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6908-3700-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6984-3717-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6984-3806-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6984-3724-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6984-3704-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/6984-3775-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/7144-3727-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download
memory/7144-3725-0x00007FF64C730000-0x00007FF64D051000-memory.dmp

Filesize
9.1MB

Download