Malware Analysis Report

2024-10-18 22:05

Sample ID 240616-tvrjvatfnl
Target Themida_x32_x64_v3.0.4.0_Repacked.rar
SHA256 e9be6aac7a3adb3fc4b27a3c6295a4d1f11bbef9e1c2a5b5719c57685650a509
Tags execution bootkit evasion persistence trojan
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order: behavioral7, behavioral21, behavioral22, behavioral32, behavioral14, behavioral16, behavioral23, behavioral29, behavioral18, behavioral27, behavioral31, behavioral2, behavioral9, behavioral12, behavioral15, behavioral28, behavioral5, behavioral13, behavioral17, behavioral26, behavioral24, behavioral3, behavioral6, behavioral8, behavioral10, behavioral25, behavioral4, behavioral19, behavioral20, behavioral1, behavioral11, behavioral30

Analysis Overview

Score 9/10

SHA256 e9be6aac7a3adb3fc4b27a3c6295a4d1f11bbef9e1c2a5b5719c57685650a509

Threat Level: Likely malicious

The file Themida_x32_x64_v3.0.4.0_Repacked.rar was found to be: Likely malicious.

Malicious Activity Summary

Tags execution bootkit evasion persistence trojan

The signatures below are aggregated over every analysis of the archive's contents. Each per-analysis section further down lists only the hits raised in that detonation; the rundll32.exe and Edge runs shown below raise few or none of them.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Command and Scripting Interpreter: JavaScript

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Checks processor information in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 16:23

Signatures

Unsigned PE: 11 hits, with no description, indicator, process or target recorded for any of them.

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\x64\Debug\TestPlugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\x64\Debug\TestPlugin.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK64.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240226-en

Max time kernel

132s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\libspv.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 4376 (3 hits) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

The writer is the 64-bit rundll32.exe and the target is the 32-bit SysWOW64 copy it re-launched with the same command line, which is what rundll32 does when handed a 32-bit DLL. In both places this signature appears in this report the writer is a parent process and the target is a process it has just started (here, and the Edge browser process writing into its own children in behavioral14), so on its own the hit says nothing about libspv.dll beyond its bitness.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\libspv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\libspv.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\Visual C++\vc_example.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

All three reads are made by msedge.exe itself while it opens vc_example.html; nothing extracted from the archive executes in this run (see the Processes list below).

Suspicious use of FindShellTrayWindow

25 hits, all by C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; no indicator or target recorded for any of them.

Suspicious use of SendNotifyMessage

24 hits, all by C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; no indicator or target recorded for any of them.

Suspicious use of WriteProcessMemory

All 64 hits are PID 4536 writing into other msedge.exe processes. PID 4536 is the browser process started by the --single-argument command line (the crashpad_4536 pipe under Files is named after it), and the targets are the child processes it spawns.

Source PID Target PID Hits Indicator Process Target
4536 3756 2 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4536 3772 40 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4536 4544 2 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
4536 2704 20 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

A Chromium-based browser writes into each sandboxed child it launches, so this signature is raised by any Edge start-up, including one that only opens a local HTML file.
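The WriteProcessMemory tables in behavioral32 and behavioral14 are long only because the sandbox emits one row per write; what an analyst needs is the set of distinct source/target pairs, the hit count per pair, and whether the two images differ. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's own "PID x wrote to memory of y" shape (the paths contain spaces, so a regex is used rather than a whitespace split), collapses duplicates and labels each pair. The sample rows are copied from the two tables above plus one hypothetical row (sample.exe writing into explorer.exe) that does not occur in this report and is included only so the cross-image branch is exercised; the path-based verdict heuristics are assumptions of this example.

```python
"""Aggregate and triage 'Suspicious use of WriteProcessMemory' rows (added example).

Input rows have the report's shape:
  'PID <src> wrote to memory of <dst> <Indicator> <Process> <Target>'
Process and Target are full paths that may contain spaces, so each line is
matched with a regex instead of being split on whitespace.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+"
    r"(?P<indicator>\S+)\s+(?P<src_image>.+?\.exe)\s+(?P<dst_image>.+\.exe)\s*$",
    re.IGNORECASE,
)

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample: three rows copied from behavioral14, one from behavioral32,
# and one hypothetical row (NOT from the report) so the cross-image branch runs.
SAMPLE_ROWS = [
    f"PID 4536 wrote to memory of 3756 N/A {EDGE} {EDGE}",
    f"PID 4536 wrote to memory of 3772 N/A {EDGE} {EDGE}",
    f"PID 4536 wrote to memory of 3772 N/A {EDGE} {EDGE}",
    r"PID 3296 wrote to memory of 4376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 9999 wrote to memory of 1111 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\explorer.exe",
]


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(lines: List[str]) -> List[Write]:
    """Parse every row; an unrecognised line is an error rather than silently dropped."""
    writes = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        writes.append(Write(int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return writes


def aggregate(writes: List[Write]) -> Counter:
    """Collapse repeated rows into one entry per (src_pid, dst_pid, src_image, dst_image)."""
    return Counter(writes)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def verdict(w: Write) -> str:
    """Coarse label for one source/target pair (heuristics assumed for this example).

    same-image     : parent writing into a child of the same binary, as a
                     Chromium browser does when bootstrapping its children
    wow64-relaunch : System32 binary writing into its SysWOW64 twin, as when
                     64-bit rundll32 re-executes as 32-bit for a 32-bit DLL
    cross-image    : different binaries; the classic injection shape, review
    """
    src, dst = w.src_image.lower(), w.dst_image.lower()
    if src == dst:
        return "same-image"
    if _basename(src) == _basename(dst) and "\\system32\\" in src and "\\syswow64\\" in dst:
        return "wow64-relaunch"
    return "cross-image"


def triage_writes(lines: List[str]) -> List[Tuple[Write, int, str]]:
    """One (pair, hit count, verdict) per distinct pair, most suspicious first."""
    order = {"cross-image": 0, "wow64-relaunch": 1, "same-image": 2}
    rows = [(w, n, verdict(w)) for w, n in aggregate(parse_rows(lines)).items()]
    return sorted(rows, key=lambda r: (order[r[2]], -r[1]))


def hits_by_source(lines: List[str]) -> Dict[int, int]:
    """Total writes per writing PID, to spot one process touching many others."""
    c: Counter = Counter()
    for w in parse_rows(lines):
        c[w.src_pid] += 1
    return dict(c)


if __name__ == "__main__":
    for w, n, label in triage_writes(SAMPLE_ROWS):
        print(f"{label:15s} x{n:<3d} {w.src_pid} -> {w.dst_pid}  {w.src_image} -> {w.dst_image}")
    print("writes per source PID:", hits_by_source(SAMPLE_ROWS))
```

Run against the full behavioral14 table the same code yields four same-image pairs (2, 40, 2 and 20 hits), which is the whole story of that signature in that run; anything the verdict function labels cross-image is where the analyst's time should go.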

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\Visual C++\vc_example.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccea246f8,0x7ffccea24708,0x7ffccea24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,10866693884541910928,13778092091754933968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
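The Network tables for behavioral22, behavioral32 and behavioral14 are dominated by 8.8.8.8:53 rows whose Domain column is an in-addr.arpa name. Those are reverse (PTR) lookups, several of which resolve the very TCP peers listed in the same table (194.61.62.23.in-addr.arpa is 23.62.61.194, the www.bing.com connection), and the only TCP destinations in these runs are the bing.com endpoints msedge.exe contacts on start-up. The Python below is an added example, not part of this report or the sandbox, that parses rows in the table's "Country Destination Domain Proto" shape, including the two rows that carry no Domain column, labels each row, and maps every PTR query back to the connection it describes. The sample rows are copied from the tables above; the list of benign suffixes is an analyst-supplied assumption for the example, not a verdict about those hosts.

```python
"""Triage helper for the 'Network' tables in this report (added example).

Rows have the shape 'Country Destination Domain Proto'; the Domain column is
absent for connections the sandbox could not tie to a DNS answer.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from rows in the behavioral14, behavioral22 and behavioral32
# tables above; two rows deliberately have no Domain column.
SAMPLE_ROWS = """\
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
"""

# Assumption for the example: suffixes the analyst treats as browser/OS
# background traffic in this sandbox. Nothing is hard-coded as safe.
BENIGN_SUFFIXES: Tuple[str, ...] = ("bing.com",)


@dataclass(frozen=True)
class NetRow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(line: str) -> NetRow:
    """Parse one table row; tolerate the missing Domain column."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)  # raises on a malformed destination
    return NetRow(country, ip, int(port), domain, proto.lower())


def ptr_target(domain: str) -> str:
    """Turn '194.61.62.23.in-addr.arpa' back into the queried IP '23.62.61.194'."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        raise ValueError(domain)
    labels = domain[: -len(suffix)].split(".")
    return ".".join(reversed(labels))


def classify(row: NetRow, benign: Tuple[str, ...] = BENIGN_SUFFIXES) -> str:
    """Label a row so real outbound traffic is separated from sandbox noise.

    Order matters: a PTR lookup is also a UDP/53 query, so it is tested first.
    """
    if row.domain and row.domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if ipaddress.ip_address(row.ip).is_multicast:
        return "multicast"  # 224.0.0.251:5353 is link-local mDNS
    if row.port == 53 and row.proto == "udp":
        return "dns-query"
    if row.domain is None:
        return "unresolved-connection"
    if any(row.domain == s or row.domain.endswith("." + s) for s in benign):
        return "browser-noise"
    return "review"


def triage_network(table: str, benign: Tuple[str, ...] = BENIGN_SUFFIXES) -> Dict[str, List[str]]:
    """Group destinations (ip:port) by label, preserving table order."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for line in table.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        groups[classify(row, benign)].append(f"{row.ip}:{row.port}")
    return dict(groups)


def ptr_lookups_for_seen_peers(table: str) -> Dict[str, str]:
    """Map each PTR query to the peer it names when that peer also appears as a
    non-DNS destination in the same table."""
    rows = [parse_row(l) for l in table.splitlines() if l.strip()]
    peers = {r.ip for r in rows
             if r.port != 53 and not ipaddress.ip_address(r.ip).is_multicast}
    found: Dict[str, str] = {}
    for r in rows:
        if classify(r) == "ptr-lookup":
            assert r.domain is not None
            target = ptr_target(r.domain)
            if target in peers:
                found[r.domain] = target
    return found


if __name__ == "__main__":
    for label, dests in sorted(triage_network(SAMPLE_ROWS).items()):
        print(f"{label:23s} {dests}")
    print("PTR lookups for peers seen in this run:", ptr_lookups_for_seen_peers(SAMPLE_ROWS))
```

The row that deserves a second look in the tables above is the domain-less 13.107.246.64:443 in behavioral32, which the code labels unresolved-connection rather than browser-noise precisely because it carries no name to match; the accompanying msedge.exe process in that run is the obvious candidate, but the label forces the analyst to confirm that rather than assume it.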

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b4a74bc775caf3de7fc9cde3c30ce482
SHA1 c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256 dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c5abc082d9d9307e797b7e89a2f755f4
SHA1 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256 a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512 ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

\??\pipe\LOCAL\crashpad_4536_IGVJNXIRGCYKWYYA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 32d09c787698bd6608de2077c9f60ec6
SHA1 2ada657e08b28e9da30e32ef96bf2fc07f276a3a
SHA256 a34264e65f3a6c398f490426d4e5f1a092cfb711511ed889dde6f17b5c10f716
SHA512 5ae999bff09ea38e076ea40922ba3fd99f6f066ae5aabb0b96ab8a781f9bb94ca1da09ef1c41580160e82a35b0512484e51896b9e1d906f766f4fdbb3d8986a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 379664b1a0ebb711d8eda2ff7b2d8766
SHA1 054ca22a50bb3b7e4b5eb5eb9db8bed4537656af
SHA256 3ec5dd85879173ab5518dd660ce97ba8024c2b8ff8475113dc5a2b003a350be2
SHA512 726170cf903a7c3ecba8eb3998bb4bc4b0b4fe4d2f889ebf1a35bbb55f88a6e73ed4b91508badd6ac60cb88ffe30c963098c1e969519eedbab21686f527930ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 401353ec8625bd3276c3b9db250f2fc9
SHA1 a3b26900bb2501c779e2952e9f2147ddc2efaef8
SHA256 9a67c21bedc735a89313927959444e65d55a6271e512074a42393fe9438cebf8
SHA512 780eccefd966bb4fb993b0c9a94b76b84f0eb825bfbbe7dcf0c398b18484bdaa1496e51b24b516dbc2710a9653b1b5e241d3a5054d0792febc0382d98e9b2acb

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\CBuilder\Project1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\CBuilder\Project1.js"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\WinlicenseSDK.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\WinlicenseSDK.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\WinlicenseSDK.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 220

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\demangler.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1592 wrote to memory of 1960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (identical row repeated 7 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\demangler.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\demangler.dll,#1

Network

N/A

Files

memory/1960-0-0x0000000000170000-0x000000000018C000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240508-en

Max time kernel

40s

Max time network

52s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\Include\C\Via ASM module\How to add ASM files in your Solution.pdf"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 4072 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (identical row repeated 3 times)
PID 4072 wrote to memory of 392 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (identical row repeated 41 times)
PID 4072 wrote to memory of 624 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (identical row repeated 20 times)

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\Include\C\Via ASM module\How to add ASM files in your Solution.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7ED55D7F3D56516974D2CE8B75BA91AC --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5C13A51BE55EF47D878801443F957711 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5C13A51BE55EF47D878801443F957711 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F12CD0F79157AC730932795E4831ECCC --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C2CFB4E79BC12BAAAFF55A30620F888 --mojo-platform-channel-handle=2404 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4E15068961629A10CD2785049DF1D15F --mojo-platform-channel-handle=1856 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6B642EC0C78E069BE5906CB0DFD2EEA3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6B642EC0C78E069BE5906CB0DFD2EEA3 --renderer-client-id=7 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1

Network

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\core.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\core.exe

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\core.exe"

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240611-en

Max time kernel

121s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\libspv.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (identical row repeated 7 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\libspv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\libspv.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240226-en

Max time kernel

66s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A (identical row repeated 2 times)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CertificateAuthority.Request C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CertificateAuthority.Request\CLSID\Certificate Number (535603502) = 83246282e02b8c90 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CertificateAuthority.Request\CLSID C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\b26b26d.dll

MD5 e1db733e43aa8d065fb7e8669db76524
SHA1 3f9c62ee28959959271632fdc7f5387d539a1d23
SHA256 9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d
SHA512 3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240611-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\Delphi\TestPlugin.dll,#1

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\Delphi\TestPlugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\Delphi\TestPlugin.dll,#1

Network

N/A

Files

memory/1716-0-0x0000000000980000-0x0000000000A48000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\CBuilder\Project1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\CBuilder\Project1.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240220-en

Max time kernel

118s

Max time network

120s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\CBuilder\Project1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protection Macros\C\CBuilder\Project1.js"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240508-en

Max time kernel

50s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\core.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\core.exe

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\core.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240611-en

Max time kernel

118s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\Debug\TestPlugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 1700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\Debug\TestPlugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\Debug\TestPlugin.dll,#1

Network

N/A

Files

memory/1700-2-0x0000000074E60000-0x0000000074E85000-memory.dmp

memory/1700-1-0x0000000074E40000-0x0000000074E65000-memory.dmp

memory/1700-0-0x0000000074E70000-0x0000000074E95000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\Visual C++\vc_example.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000f83159f3955f0164ae3c3ad8aa97a1442209013a88da9e3eb2e6453a7bfb3e3d000000000e800000000200002000000071bcf03116f8af7f95c3f2ddb8e22d2f52ae0a6f307af6eac88e2dc535a6205c200000006cc5f27c3fe4e1fe9b4893da11ef4c533b26b38f0f8659934283e8f32b4c96cf400000003e00480d5b5a4a16ff74aef28dfb7683873228912aff88587f092f06d68a0d06e6d180d0003f3e4096ac386b8285f04f4b3acdb0cd8f91bd3e6037ff532c82c8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424716906" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C82BC781-2BFC-11EF-A1BA-6AD47596CE83} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60daaf9c09c0da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\Visual C++\vc_example.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240611-en

Max time kernel

120s

Max time network

133s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\Include\C\Via ASM module\How to add ASM files in your Solution.pdf"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\Include\C\Via ASM module\How to add ASM files in your Solution.pdf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 21eb87056c68d5b9f6be2dc72f682157
SHA1 4a7af5974cf87420ac0c21b08cbf198e730ce126
SHA256 a5c868d0fbc0f5a8f1ff7fd48e6405a420cb65d21bea5e834f9297de2b9520fe
SHA512 28bb25c4b8074d0fd328ca1bd5370b39e90e027723cd64677d556f2551e5bb8dce7dd77f06239ae505fbad6301c775fe7015f8ad2e589bfeea30c40796500691

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CertificateAuthority.Request\CLSID C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CertificateAuthority.Request C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CertificateAuthority.Request\CLSID\Certificate Number (535603502) = 83246282e02b8c90 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\4aab5b5c.dll

MD5 e1db733e43aa8d065fb7e8669db76524
SHA1 3f9c62ee28959959271632fdc7f5387d539a1d23
SHA256 9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d
SHA512 3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\WinlicenseSDK.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 3376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4172 wrote to memory of 3376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4172 wrote to memory of 3376 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\WinlicenseSDK.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\WinlicenseSDK.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3376 -ip 3376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 612

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaHelp.chm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaHelp.chm

Network

N/A

Files

memory/2124-27-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240226-en

Max time kernel

136s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\Debug\TestPlugin.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4264 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4264 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4264 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\Debug\TestPlugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\Debug\TestPlugin.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Files

memory/1744-0-0x0000000075160000-0x0000000075185000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\x64\Debug\TestPlugin.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\C\x64\Debug\TestPlugin.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\Delphi\TestPlugin.dll,#1

Signatures

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\2 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\hardware\description\system\centralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 2268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\Delphi\TestPlugin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Plugins\Examples\Delphi\TestPlugin.dll,#1

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:24

Platform

win7-20240611-en

Max time kernel

52s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CertificateAuthority.Request\CLSID C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CertificateAuthority.Request C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\CertificateAuthority.Request\CLSID\Certificate Number (535603502) = 83246282e02b8c90 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\build.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\4aab5b5c.dll

MD5 e1db733e43aa8d065fb7e8669db76524
SHA1 3f9c62ee28959959271632fdc7f5387d539a1d23
SHA256 9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d
SHA512 3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaHelp.chm

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaHelp.chm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3144 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK32.dll,#1

Network

N/A

Files

memory/2008-2-0x0000000074A60000-0x0000000074A69000-memory.dmp

memory/2008-1-0x0000000074A50000-0x0000000074A59000-memory.dmp

memory/2008-0-0x0000000074A60000-0x0000000074A69000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240226-en

Max time kernel

132s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\SecureEngineSDK32.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Files

memory/1428-0-0x0000000075270000-0x0000000075279000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20240611-en

Max time kernel

16s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CertificateAuthority.Request\CLSID C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CertificateAuthority.Request C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\CertificateAuthority.Request\CLSID\Certificate Number (535603502) = 83246282e02b8c90 C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe

"C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\Themida64.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\b26b26d.dll

MD5 e1db733e43aa8d065fb7e8669db76524
SHA1 3f9c62ee28959959271632fdc7f5387d539a1d23
SHA256 9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d
SHA512 3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\CBuilder\Project1.js"

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\ThemidaSDK\ExamplesSDK\Protectio Macros(Check Protection)\C\CBuilder\Project1.js"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-16 16:23

Reported

2024-06-16 16:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\demangler.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\demangler.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Themida_x32_x64_v3.0.4.0_Repacked\demangler.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2760 -ip 2760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2760-0-0x0000000000400000-0x000000000041C000-memory.dmp