Analysis
max time kernel: 634s
max time network: 641s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 09/04/2024, 09:58
Behavioral task: behavioral1
Sample: Injector.exe
Resource: win7-20240221-en
General
Target: Injector.exe
Size: 3.4MB
MD5: c6b39ee166d5b0a2c8a9021ccd1593ae
SHA1: e480e7c282f64e8b0179c82afe154dd59d14217d
SHA256: 443b665c5f545a2bdd7855f86bf70a5ee7f35eda1b6b08615161f5809cbda02b
SHA512: 3864aea36c522ca5658412128e6a4c862a647cf3b1054b9adbe418488590a37600d7639c3eba94ca9de76f087b244b95644c667213b1122889cf2d9b7a4652d2
SSDEEP: 49152:Kl0nJ28J4VZohYWVGGjW8NhSU7zwo8oXJ2R3KPHsI7coj2J+eNgRpqNc1a:KmnJrJ4DohYWVTJNkIZZ2R6vsmA+FDqN
Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Injector.exe (repeated 5 times)
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Injector.exe (repeated 5 times)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Injector.exe (repeated 5 times)
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation THEMIDA_UNPACK_x64.exe (repeated 2 times)
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation THEMIDA_UNPACK_x86.exe
Executes dropped EXE 3 IoCs
pid Process
6848 THEMIDA_UNPACK_x64.exe
6416 THEMIDA_UNPACK_x64.exe
6620 THEMIDA_UNPACK_x86.exe
Themida packer (yara rule: themida) 29 IoCs
resource yara_rule (dump indices grouped per PID; every dump covers the same image range)
behavioral2/memory/936-{0,1,3,4,5,6}-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp themida
behavioral2/memory/7100-{166,168,169,170,171,172}-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp themida
behavioral2/memory/6552-{181,182,184,185,186,187}-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp themida
behavioral2/memory/6748-{198,199,201,204,205,206}-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp themida
behavioral2/memory/6892-{208,209,211,212,213}-0x00007FF79BD90000-0x00007FF79C6F0000-memory.dmp themida
Checks whether UAC is enabled 5 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Injector.exe (repeated 5 times)
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process
936 Injector.exe
7100 Injector.exe
6552 Injector.exe
6748 Injector.exe
6892 Injector.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process
1140 tasklist.exe
Modifies registry class 64 IoCs
All 64 entries are writes by THEMIDA_UNPACK_x64.exe and THEMIDA_UNPACK_x86.exe, nearly all under \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags and \BagMRU (ShellBag view state written by the Explorer Open/Save dialog), plus creation of CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\; these are side effects of the interactive session rather than a persistence mechanism.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
6848 THEMIDA_UNPACK_x64.exe (repeated 64 times)
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
6068 7zFM.exe
6020 7zFM.exe
6848 THEMIDA_UNPACK_x64.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process
Token: SeRestorePrivilege 6020 7zFM.exe
Token: 35 6020 7zFM.exe
Token: SeRestorePrivilege 6068 7zFM.exe
Token: 35 6068 7zFM.exe
Token: SeSecurityPrivilege 6068 7zFM.exe
Token: SeSecurityPrivilege 6020 7zFM.exe
Token: SeDebugPrivilege 6848 THEMIDA_UNPACK_x64.exe
Token: SeDebugPrivilege 6416 THEMIDA_UNPACK_x64.exe
Token: SeDebugPrivilege 6620 THEMIDA_UNPACK_x86.exe
Token: SeDebugPrivilege 1140 tasklist.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
6020 7zFM.exe
6068 7zFM.exe
6068 7zFM.exe
6020 7zFM.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
6848 THEMIDA_UNPACK_x64.exe
7100 Injector.exe
6416 THEMIDA_UNPACK_x64.exe
6620 THEMIDA_UNPACK_x86.exe
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 6848 wrote to memory of 7100 6848 THEMIDA_UNPACK_x64.exe 144
PID 6848 wrote to memory of 7100 6848 THEMIDA_UNPACK_x64.exe 144
PID 6280 wrote to memory of 6416 6280 cmd.exe 147
PID 6280 wrote to memory of 6416 6280 cmd.exe 147
PID 6416 wrote to memory of 6552 6416 THEMIDA_UNPACK_x64.exe 148
PID 6416 wrote to memory of 6552 6416 THEMIDA_UNPACK_x64.exe 148
PID 6280 wrote to memory of 6620 6280 cmd.exe 149
PID 6280 wrote to memory of 6620 6280 cmd.exe 149
PID 6280 wrote to memory of 6620 6280 cmd.exe 149
PID 6620 wrote to memory of 6748 6620 THEMIDA_UNPACK_x86.exe 151
PID 6620 wrote to memory of 6748 6620 THEMIDA_UNPACK_x86.exe 151
PID 2944 wrote to memory of 1140 2944 cmd.exe 154
PID 2944 wrote to memory of 1140 2944 cmd.exe 154
PID 2944 wrote to memory of 6892 2944 cmd.exe 156
PID 2944 wrote to memory of 6892 2944 cmd.exe 156
Processes

C:\Users\Admin\AppData\Local\Temp\Injector.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID: 936

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.0.167815462\1991774159" -parentBuildID 20221007134813 -prefsHandle 1788 -prefMapHandle 1780 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a99cf1b-1878-48f5-bb2d-4c21c9c26b9e} 624 "\\.\pipe\gecko-crash-server-pipe.624" 1872 158e2ee0258 gpu
PID: 776

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.1.849891867\405729713" -parentBuildID 20221007134813 -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cb9caaf-99c5-4925-81d4-61aefbbb5ae8} 624 "\\.\pipe\gecko-crash-server-pipe.624" 2276 158d6671f58 socket
PID: 1180

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.2.1243443909\64807506" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 2976 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0f48185-b282-4116-9787-62abdc41b51c} 624 "\\.\pipe\gecko-crash-server-pipe.624" 3084 158e68ef558 tab
PID: 4168

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.3.194470629\1148855837" -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4d78509-95a3-40e5-90bb-14593ee834cc} 624 "\\.\pipe\gecko-crash-server-pipe.624" 3412 158e7528558 tab
PID: 2620

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.4.1608759962\1054550803" -childID 3 -isForBrowser -prefsHandle 4520 -prefMapHandle 4516 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6901d1c7-b433-4602-8b81-81feb96b9c05} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4532 158e8accb58 tab
PID: 2600

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.5.1409665562\202820166" -childID 4 -isForBrowser -prefsHandle 4744 -prefMapHandle 4676 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daee40a5-dd95-4ac0-91ba-20abf8c89f16} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4816 158e8ac9e58 tab
PID: 1592

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.6.14223451\1176080343" -childID 5 -isForBrowser -prefsHandle 4940 -prefMapHandle 4944 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af891519-8e96-4113-ab9d-8e2242eca7bd} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4984 158e8c76058 tab
PID: 3148

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.7.169732387\1248870433" -childID 6 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed7485e-6b7d-4b5f-9b81-200be449b710} 624 "\\.\pipe\gecko-crash-server-pipe.624" 5140 158e8c76658 tab
PID: 2828

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.8.1506665580\1813853812" -childID 7 -isForBrowser -prefsHandle 2920 -prefMapHandle 4336 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9f8444f-f457-4c73-94fe-00b4d0904025} 624 "\\.\pipe\gecko-crash-server-pipe.624" 3268 158e942b258 tab
PID: 5692

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.9.221789699\878284964" -childID 8 -isForBrowser -prefsHandle 4712 -prefMapHandle 5800 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9315abee-be44-472e-938a-5a488f3b3975} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4572 158e8cfbc58 tab
PID: 5964

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.10.2111526371\1192256949" -childID 9 -isForBrowser -prefsHandle 5748 -prefMapHandle 5872 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30c22871-fff1-46a4-82d3-4c216f6360ac} 624 "\\.\pipe\gecko-crash-server-pipe.624" 4664 158d6630858 tab
PID: 5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
PID: 6128

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.11.1313808003\803524843" -childID 10 -isForBrowser -prefsHandle 5228 -prefMapHandle 5244 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191f10ad-58c2-4094-86e8-b5cd21e5dd4b} 624 "\\.\pipe\gecko-crash-server-pipe.624" 5296 158eaa0d658 tab
PID: 936

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.12.1439329605\522480442" -childID 11 -isForBrowser -prefsHandle 4968 -prefMapHandle 6036 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37a6bca5-9786-4fd4-9f85-b84430faa8d2} 624 "\\.\pipe\gecko-crash-server-pipe.624" 5340 158e69f8858 tab
PID: 4328

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.13.2072064807\1476172454" -childID 12 -isForBrowser -prefsHandle 4024 -prefMapHandle 3036 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb484a5b-1f6a-4b19-b4c0-ffe47ce58cf7} 624 "\\.\pipe\gecko-crash-server-pipe.624" 1312 158ea277058 tab
PID: 2436

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.14.1237581439\727730393" -childID 13 -isForBrowser -prefsHandle 10480 -prefMapHandle 10484 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9119c4ad-91fb-402d-b876-8dc26c710b06} 624 "\\.\pipe\gecko-crash-server-pipe.624" 10472 158ed6f1c58 tab
PID: 5612

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.15.909450486\2072153342" -childID 14 -isForBrowser -prefsHandle 10480 -prefMapHandle 10308 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8caa181-7d26-43ce-8d4c-476e636a6396} 624 "\\.\pipe\gecko-crash-server-pipe.624" 10336 158ed80f158 tab
PID: 5668

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.16.715778899\62966196" -childID 15 -isForBrowser -prefsHandle 10112 -prefMapHandle 9452 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d4380e2-0b10-4551-a1a8-927b3969c854} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9808 158edfd1f58 tab
PID: 4192

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.17.1751111371\980886016" -childID 16 -isForBrowser -prefsHandle 10084 -prefMapHandle 10088 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbdd559b-099c-41ab-8d42-ba43558769d9} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9808 158ee274258 tab
PID: 4048

C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.18.1013252378\965624025" -childID 17 -isForBrowser -prefsHandle 9116 -prefMapHandle 9112 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ce2b22a-e4b4-48f5-8339-1c6f128ccf25} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9124 158ee343258 tab
PID: 5884

C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\bin.7z"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 6020

C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Scylla_v0.9.8.rar"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6068
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6064
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.19.1052427357\241810641" -childID 18 -isForBrowser -prefsHandle 10104 -prefMapHandle 9500 -prefsLen 27530 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a88fe07-8d4f-40a4-9ea8-15abca9e2f11} 624 "\\.\pipe\gecko-crash-server-pipe.624" 10160 158ee272a58 tab1⤵PID:4544
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.20.1815674910\1208686605" -childID 19 -isForBrowser -prefsHandle 9296 -prefMapHandle 9864 -prefsLen 27530 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98aa2610-b6d7-4334-adc1-12ff2b007c00} 624 "\\.\pipe\gecko-crash-server-pipe.624" 9332 158ee353558 tab1⤵PID:6120
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="624.21.191111201\139377098" -childID 20 -isForBrowser -prefsHandle 8944 -prefMapHandle 9236 -prefsLen 27530 -prefMapSize 233444 -jsInitHandle 1192 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60426708-cff6-42f6-85af-01fd4c0f4375} 624 "\\.\pipe\gecko-crash-server-pipe.624" 8964 158eab3cc58 tab1⤵PID:5928
-
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe"C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exe" C:\Users\Admin\Desktop\Injector.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6848 -
C:\Users\Admin\Desktop\Injector.exe"C:\Users\Admin\Desktop\Injector.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7100
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:6280 -
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x64.exeTHEMIDA_UNPACK_x64.exe C:\Users\Admin\Desktop\Injector.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6416 -
C:\Users\Admin\Desktop\Injector.exe"C:\Users\Admin\Desktop\Injector.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6552
-
-
-
C:\Users\Admin\Desktop\Release\THEMIDA_UNPACK_x86.exeTHEMIDA_UNPACK_x86.exe C:\Users\Admin\Desktop\Injector.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6620 -
C:\Users\Admin\Desktop\Injector.exe"C:\Users\Admin\Desktop\Injector.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6748
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵PID:6772
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\system32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
-
C:\Users\Admin\Desktop\Injector.exeinjector.exe 4082⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6892
-
Network
MITRE ATT&CK Enterprise v15
Downloads