Malware Analysis Report

2025-03-14 23:29

Sample ID 240407-w4bwvsba3w
Target 0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f
SHA256 0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f

Threat Level: Shows suspicious behavior

The file 0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f was found to show suspicious behavior.

Malicious Activity Summary

persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:28

Reported

2024-04-07 18:30

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Backup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart" C:\Windows\SysWOW64\reg.exe N/A
(29 identical entries)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe N/A [11 entries]
N/A N/A C:\Users\Admin\AppData\Roaming\Backup.exe N/A [6 entries]
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe N/A [12 entries]
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe N/A [12 entries]
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe N/A [13 entries]
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe N/A [5 entries]
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe N/A [5 entries]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe C:\Users\Admin\AppData\Roaming\Backup.exe
PID 2972 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\Backup.exe C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
PID 2252 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
PID 2532 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
PID 2796 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
PID 2796 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
PID 2384 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe C:\Windows\SysWOW64\reg.exe
(each row above is recorded 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe

"C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe"

C:\Users\Admin\AppData\Roaming\Backup.exe

"C:\Users\Admin\AppData\Roaming\Backup.exe" C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe

C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk

C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2

C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f

(29 identical reg.exe processes with this command line)

Network

N/A

Files

memory/2984-1-0x0000000000200000-0x0000000000240000-memory.dmp

memory/2984-0-0x0000000074660000-0x0000000074C0B000-memory.dmp

memory/2984-2-0x0000000074660000-0x0000000074C0B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Backup.exe

MD5 030094ece3c072d4f24a7945f8e6cb8f
SHA1 bfe5c74702ec1ea6ed3713b68731ebca9a122a99
SHA256 6d3f582d551db26150c2d963514c6c1f3a64bf0e4be6c266b7b836bd715d6285
SHA512 0ab0e0edb3e805cf0e1f68e0b60452b44bd5e2bb2fe5e760c9afd8d85d57b9c3a9ef6688f7272c075477e4fef036f5b0f02a10bd68a523f5a186ff41cd836cbe

\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

MD5 ea99d617a119283066da694ed3c11dac
SHA1 c07a34916b227b5a80dc1d9b4819a8d08849922f
SHA256 4a15e50e2d2798adeabed637b7219945d117459fe6e3666a077456afb6f89dae
SHA512 5aade6a17b3934a9bb667e3984824539a89356e2d7c035b0a336e99d88d3ab3fbf01f70df285af5a8906ee056bb24d3fd59fe88501f3d920522180799a07cc1d

\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

MD5 30a82ff7a84e1d439f220a039b4bfdd1
SHA1 7ff1e39a13b6a11ae72b812ec0a64f8537243111
SHA256 2a14d5450329aac0f497013d5c030a344dd5fad86facfc2c3e6c2ff02a881518
SHA512 1a34a0e0d0ff1565307311d8133e6ed5ae46417d819e1285648e280302ac25f106e021fae1d60297568f7abb94a6a35f7f47b1f9a6d77599da8c7435b065c1a7

\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

MD5 c8b7fa1e915e8dec5e90ff0bbc5c60b6
SHA1 c32c8a8e4fa76f386b5919147b7fe355cfec2898
SHA256 103d228d4d56158795dc5c818b5ac07ad492c75345451ad8deaacb9375607b6d
SHA512 975ca097532c37ef17d2ba15b89871cf958a8de69105f4c7cc7047ca1a87167e999358496b3c090d59c6eb3e28a92de3983e6e0facc375fe5eecf9d38aa374a6

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:28

Reported

2024-04-07 18:30

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe

"C:\Users\Admin\AppData\Local\Temp\0b48bd8b7e0a7ef821cc81bb00e8d2bc2a49ac97da9cd5c8331e933a204c718f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 876

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files
