Malware Analysis Report

2025-03-14 23:42

Sample ID 240407-xftx7sbd4z
Target 1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f
SHA256 1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f

Threat Level: Shows suspicious behavior

Verdict for the file 1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f: Shows suspicious behavior.

Malicious Activity Summary

persistence

Deletes itself

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:48

Reported

2024-04-07 18:50

Platform

win7-20240221-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Error.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target | Events
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart" | C:\Windows\SysWOW64\reg.exe | N/A | 29

Events = number of times the sandbox recorded this identical row.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe | N/A | 11
N/A | N/A | C:\Users\Admin\AppData\Roaming\Error.exe | N/A | 6
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe | N/A | 12
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe | N/A | 10
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe | N/A | 15
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | N/A | 5
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe | N/A | 5

Events = number of times the sandbox recorded this row for the given process (64 events in total).

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1728 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe | C:\Users\Admin\AppData\Roaming\Error.exe | 4
PID 1044 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Roaming\Error.exe | C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe | 4
PID 2608 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe | C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe | 4
PID 2532 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe | C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe | 4
PID 2492 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe | 4
PID 2492 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | 4
PID 2468 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4
PID 2468 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe | C:\Windows\SysWOW64\reg.exe | 4

Events = number of times the sandbox recorded this identical row (64 events in total). Read top to bottom, the table gives the process chain: sample → Error.exe → wmiintegrator.exe → wmihostwin.exe → wmimic.exe → wmisecure.exe / wmisecure64.exe → reg.exe.

Processes

C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe

"C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe"

C:\Users\Admin\AppData\Roaming\Error.exe

"C:\Users\Admin\AppData\Roaming\Error.exe" C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe

C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk

C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2

C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute

C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

"C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun

C:\Windows\SysWOW64\reg.exe (29 instances, all started with the command line below)

"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f

Network

N/A

Files

memory/1728-3-0x0000000000620000-0x0000000000660000-memory.dmp

memory/1728-1-0x0000000000620000-0x0000000000660000-memory.dmp

memory/1728-4-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/1728-0-0x0000000074880000-0x0000000074E2B000-memory.dmp

\Users\Admin\AppData\Roaming\Error.exe

MD5 bdd0a35ae59dafb2bc0e2eb6ecd54c2e
SHA1 da23703bceb8aa92dc21ab94cbe12ec58f5bc6d4
SHA256 9162995d2502f9322dbe4e39949e111dc59fe3ac107a9e688bd83ac656d129b3
SHA512 3fc3dbbc1d2b8379bd56fb4d2766c57f3ebac2d67c8ae916a4a6a3c1f3262f0c17ff7dceee037b918eca947592ff0d2978cf238183c34aa1b8de26474a387eee

\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

MD5 bcbc51a47b55e16e5b214c48690ed130
SHA1 75c9b0f609906847420ebb6d3c617b85765fcdbd
SHA256 a078548f78e5d958eb2d578aea4f6fb32957313998bb85114f402bd534d8be71
SHA512 f795dc04d0705563aa8019b2f28d02a85404e43b4be67ef74eec7bc8e0a2d56084ac8f66f908c9615285e0aad8e9ce4bfb58e0f0966b6112d52af01ae40e2193

memory/1728-11-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/1044-20-0x0000000000750000-0x0000000000790000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe

MD5 0fbb4f11c8523a064ef2dd6ba06f72d6
SHA1 c52f0311e169e2f22d8c9c7aa0e2e14a1ab36c53
SHA256 171f37fed90ee650f85bf382acc25ff134ee0d1f80c1564764b6c5f41e7e1c53
SHA512 c1bf63f808576c41d26b638ce710ad6ae505ff141e73b46256e01544b52c450468d489f5d727791fa92f6825e643b2ddac6b2e94953ec76208a67f55b409c32d

memory/1044-24-0x0000000074880000-0x0000000074E2B000-memory.dmp

memory/1044-16-0x0000000074880000-0x0000000074E2B000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

MD5 64a916a305bf05317bacdd331fc38a89
SHA1 6ff4b6c8124c6136bf309bcdf957d8bc4510b5cc
SHA256 8c9366c5205e88917826035b0ae8db611f7d6f085a7561c4fe83e4f29cb77367
SHA512 6debd9a400ce545b8f25adcecff57003949ec65de2c4d3067ae03825f0a4cad9e7644ecc5b1427e1a96be82694ba4c0aa42a5a4b7765233c413b25a6a5d780fc


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:48

Reported

2024-04-07 18:50

Platform

win10v2004-20240226-en

Max time kernel

105s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe

"C:\Users\Admin\AppData\Local\Temp\1382c991e06e02deb63451a20d29d5e279badf604c2e934ed10f7683d504425f.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 920

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1736-0-0x00000000747A0000-0x0000000074D51000-memory.dmp

memory/1736-1-0x00000000031F0000-0x0000000003200000-memory.dmp

memory/1736-2-0x00000000747A0000-0x0000000074D51000-memory.dmp

memory/1736-9-0x00000000747A0000-0x0000000074D51000-memory.dmp