7d90ea4b9f44f5fc3ca56ade5d9f7fd766bc0737ded8ec619abd8155cd0dfa40

General

Target

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
Size

9.8MB
MD5

c74db1c18bb808ffca46773f66c8d229
SHA1

c3d0a2360be7e31c3e200fc1b304252d2055ddeb
SHA256

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96
SHA512

fc12876e52c7f81c921daa70360bb831536727f6134e174787154368c03c521129c876174b7709739cea1e8bd4121a4e298903a1e48a4e23321e322e58016c63
SSDEEP

196608:/pp+DPIQAjWjFOz3miT1VYMCwt/UaadQda6h+2qj7/UFHhpyEQ:/pQDPIQ1jkCY/UaAiEY7gEQ

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1960-117-0x0000000000400000-0x000000000179B000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

pid	process
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1844 560 WerFault.exe svchost.exe

pid	pid_target	process	target process
1844	560	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

pid	process
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

pid process

1960 b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exesvchost.exe

description	pid	process	target process
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 1960 wrote to memory of 560	1960	b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe	svchost.exe
PID 560 wrote to memory of 1844	560	svchost.exe	WerFault.exe
PID 560 wrote to memory of 1844	560	svchost.exe	WerFault.exe
PID 560 wrote to memory of 1844	560	svchost.exe	WerFault.exe
PID 560 wrote to memory of 1844	560	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe
"C:\Users\Admin\AppData\Local\Temp\b65cd0e3ee3835ef3e59a09e64ef85fa9bd2170dcd3ec3eec14aa7856ea88e96.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 52
3⤵
- Program crash
PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-186-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1960-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-54-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-56-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1960-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-57-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-59-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1960-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1960-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1960-65-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1960-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1960-70-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/1960-71-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/1960-73-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1960-72-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1960-74-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/1960-76-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-75-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-77-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1960-79-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1960-78-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1960-80-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1960-81-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1960-82-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1960-83-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1960-88-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1960-89-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1960-87-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1960-86-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1960-85-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1960-84-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1960-91-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1960-90-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1960-92-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/1960-94-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1960-93-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1960-95-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1960-97-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1960-96-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1960-98-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/1960-100-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1960-99-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1960-101-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/1960-103-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1960-102-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1960-104-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/1960-106-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1960-105-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1960-107-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/1960-109-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1960-108-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1960-110-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1960-111-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1960-112-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1960-113-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1960-114-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1960-115-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1960-116-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/1960-117-0x0000000000400000-0x000000000179B000-memory.dmp

Filesize
19.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads