5e417084ac49332d27ddef4f8a5ea389913741f8553fdfc3e0db18562bcf69f9

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
Size

260KB
MD5

012c9316f832d3edb155b4f13fbb9a8e
SHA1

3b1e81c9d0de6f1758bcde5005553aff0eed16bb
SHA256

5e417084ac49332d27ddef4f8a5ea389913741f8553fdfc3e0db18562bcf69f9
SHA512

629f6f563ea3ac61a0841082b519287231e6fd7a5912c3dd7a2850900487db5d3d88e25dbc68d06e6e438e947afb1a52ff6efa7296382bbf10dee726ca427f97
SSDEEP

6144:dIZzVYQckd0ANv494D83pdcl6AjOvgEMHHEMH:dIZ5YQckqANv494D83psqMEM

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2212	configuração.exe

Executes dropped EXE 6 IoCs

pid	Process
2212	configuração.exe
2344	wmiintegrator.exe
2808	wmihostwin.exe
2392	wmimic.exe
2804	wmisecure.exe
2572	wmisecure64.exe

Loads dropped DLL 6 IoCs

pid	Process
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
2212	configuração.exe
2344	wmiintegrator.exe
2808	wmihostwin.exe
2392	wmimic.exe
2392	wmimic.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
2212	configuração.exe
2212	configuração.exe
2212	configuração.exe
2212	configuração.exe
2212	configuração.exe
2212	configuração.exe
2344	wmiintegrator.exe
2344	wmiintegrator.exe
2344	wmiintegrator.exe
2344	wmiintegrator.exe
2344	wmiintegrator.exe
2344	wmiintegrator.exe
2344	wmiintegrator.exe
2808	wmihostwin.exe
2808	wmihostwin.exe
2808	wmihostwin.exe
2808	wmihostwin.exe
2808	wmihostwin.exe
2808	wmihostwin.exe
2392	wmimic.exe
2392	wmimic.exe
2392	wmimic.exe
2392	wmimic.exe
2392	wmimic.exe
2392	wmimic.exe
2392	wmimic.exe
2344	wmiintegrator.exe
2808	wmihostwin.exe
2572	wmisecure64.exe
2572	wmisecure64.exe
2572	wmisecure64.exe
2572	wmisecure64.exe
2572	wmisecure64.exe
2804	wmisecure.exe
2804	wmisecure.exe
2804	wmisecure.exe
2804	wmisecure.exe
2804	wmisecure.exe
2344	wmiintegrator.exe
2392	wmimic.exe
2392	wmimic.exe
2808	wmihostwin.exe
2344	wmiintegrator.exe
2392	wmimic.exe
2392	wmimic.exe
2808	wmihostwin.exe
2344	wmiintegrator.exe
2392	wmimic.exe
2392	wmimic.exe
2808	wmihostwin.exe
2344	wmiintegrator.exe
2392	wmimic.exe
2392	wmimic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2212	1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2212	1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2212	1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2212	1028	012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2344	2212	configuração.exe	29
PID 2212 wrote to memory of 2344	2212	configuração.exe	29
PID 2212 wrote to memory of 2344	2212	configuração.exe	29
PID 2212 wrote to memory of 2344	2212	configuração.exe	29
PID 2344 wrote to memory of 2808	2344	wmiintegrator.exe	30
PID 2344 wrote to memory of 2808	2344	wmiintegrator.exe	30
PID 2344 wrote to memory of 2808	2344	wmiintegrator.exe	30
PID 2344 wrote to memory of 2808	2344	wmiintegrator.exe	30
PID 2808 wrote to memory of 2392	2808	wmihostwin.exe	31
PID 2808 wrote to memory of 2392	2808	wmihostwin.exe	31
PID 2808 wrote to memory of 2392	2808	wmihostwin.exe	31
PID 2808 wrote to memory of 2392	2808	wmihostwin.exe	31
PID 2392 wrote to memory of 2804	2392	wmimic.exe	32
PID 2392 wrote to memory of 2804	2392	wmimic.exe	32
PID 2392 wrote to memory of 2804	2392	wmimic.exe	32
PID 2392 wrote to memory of 2804	2392	wmimic.exe	32
PID 2392 wrote to memory of 2572	2392	wmimic.exe	33
PID 2392 wrote to memory of 2572	2392	wmimic.exe	33
PID 2392 wrote to memory of 2572	2392	wmimic.exe	33
PID 2392 wrote to memory of 2572	2392	wmimic.exe	33
PID 2572 wrote to memory of 2724	2572	wmisecure64.exe	34
PID 2572 wrote to memory of 2724	2572	wmisecure64.exe	34
PID 2572 wrote to memory of 2724	2572	wmisecure64.exe	34
PID 2572 wrote to memory of 2724	2572	wmisecure64.exe	34
PID 2572 wrote to memory of 2908	2572	wmisecure64.exe	36
PID 2572 wrote to memory of 2908	2572	wmisecure64.exe	36
PID 2572 wrote to memory of 2908	2572	wmisecure64.exe	36
PID 2572 wrote to memory of 2908	2572	wmisecure64.exe	36
PID 2572 wrote to memory of 3040	2572	wmisecure64.exe	38
PID 2572 wrote to memory of 3040	2572	wmisecure64.exe	38
PID 2572 wrote to memory of 3040	2572	wmisecure64.exe	38
PID 2572 wrote to memory of 3040	2572	wmisecure64.exe	38
PID 2572 wrote to memory of 2020	2572	wmisecure64.exe	40
PID 2572 wrote to memory of 2020	2572	wmisecure64.exe	40
PID 2572 wrote to memory of 2020	2572	wmisecure64.exe	40
PID 2572 wrote to memory of 2020	2572	wmisecure64.exe	40
PID 2572 wrote to memory of 2040	2572	wmisecure64.exe	42
PID 2572 wrote to memory of 2040	2572	wmisecure64.exe	42
PID 2572 wrote to memory of 2040	2572	wmisecure64.exe	42
PID 2572 wrote to memory of 2040	2572	wmisecure64.exe	42
PID 2572 wrote to memory of 544	2572	wmisecure64.exe	44
PID 2572 wrote to memory of 544	2572	wmisecure64.exe	44
PID 2572 wrote to memory of 544	2572	wmisecure64.exe	44
PID 2572 wrote to memory of 544	2572	wmisecure64.exe	44
PID 2572 wrote to memory of 2712	2572	wmisecure64.exe	46
PID 2572 wrote to memory of 2712	2572	wmisecure64.exe	46
PID 2572 wrote to memory of 2712	2572	wmisecure64.exe	46
PID 2572 wrote to memory of 2712	2572	wmisecure64.exe	46
PID 2572 wrote to memory of 2700	2572	wmisecure64.exe	48
PID 2572 wrote to memory of 2700	2572	wmisecure64.exe	48
PID 2572 wrote to memory of 2700	2572	wmisecure64.exe	48
PID 2572 wrote to memory of 2700	2572	wmisecure64.exe	48
PID 2572 wrote to memory of 1324	2572	wmisecure64.exe	52
PID 2572 wrote to memory of 1324	2572	wmisecure64.exe	52
PID 2572 wrote to memory of 1324	2572	wmisecure64.exe	52
PID 2572 wrote to memory of 1324	2572	wmisecure64.exe	52
PID 2572 wrote to memory of 2888	2572	wmisecure64.exe	54
PID 2572 wrote to memory of 2888	2572	wmisecure64.exe	54
PID 2572 wrote to memory of 2888	2572	wmisecure64.exe	54
PID 2572 wrote to memory of 2888	2572	wmisecure64.exe	54

C:\Users\Admin\AppData\Local\Temp\012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Roaming\configuração.exe
  "C:\Users\Admin\AppData\Roaming\configuração.exe" C:\Users\Admin\AppData\Local\Temp\012c9316f832d3edb155b4f13fbb9a8e_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe

Filesize
260KB

MD5
e111e6e8a2444724b293ecfb654bcd03

SHA1
261cdde3169f2105e858a3d2028125dbf5ac4546

SHA256
5b209a704522b2a9241572d3e7e4fbe48228dbbc21ce346c7c5a323639e9f61a

SHA512
a188b17e1a723d66d83449389ba4194c262b7e12db7438cef508504e511be0529b92d367ea8852d37f263dae869a580a84502c1173a2a7ed7d44ca3ea133af12

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
260KB

MD5
4d3b8e918f9cd1575e639b4895ee7bc6

SHA1
6d82ae9b0f4408a295ffbe1753648b6bae50c361

SHA256
fbdb3c951cbc02752b700169ab91d4dc65047ddc61ab85e7a4084bb34814c46f

SHA512
4641d397cf37ac41edb5368a84732f66b7126bcd649e95cf0a82d2468fd298abbfc95587da65857357902d1d338f85c50ec18d01423c1a1421aa39d7525361ef

Download Submit
\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
260KB

MD5
785a5b1c47b76ba9e0ea92b36bac10bf

SHA1
7ad7aef8aa895baeb374b89e8b063ed97704fbd3

SHA256
cd0ebaea7f89985f5d9b987a8b9f6756f216ed196f23ae71e15a27c2e0fa522e

SHA512
618ea75c86a15635fdb5b074a7bd7d39d70c9ad03c671eb63fc1a1879dbf71763bf5e71cd70f2a1dc948a00a4276967d03b3ff2c5f3cb2d323b57a57a6a9f6bb

Download Submit
\Users\Admin\AppData\Roaming\configuração.exe

Filesize
260KB

MD5
d492d28590e92d81ac9d25698a9d6301

SHA1
59dcc889fa3cb5df1d703e0f0ce32e07e1516f03

SHA256
fb00e894bc040097091c3f19b4e1e5dc26d4183b3bd42cbc480a3e641c2515b8

SHA512
9d443e7a25deaa2039ddbc7babe6f34174c9eda7ddf3f816cbce60b2845a601be23268588600d50035dfe608777f9cd682a72b112293cefac67266f749296653

Download Submit
memory/1028-0-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/1028-1-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1028-2-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/1028-3-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1028-11-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-13-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2212-12-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-38-0x0000000074B50000-0x00000000750FB000-memory.dmp

Filesize
5.7MB

Download