Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2024, 11:09 a.m.	Oct. 16, 2024, 11:16 a.m.

Size	2.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`51514245009764a9f3e9455c23711df8`
SHA256	`86c8e804eeb34d0f0aff2bacb297a0c0077a7e0e3ca423609a0970b5221c13bc`
CRC32	`CA77CEB7`
ssdeep	`49152:m7MDRZ9IBVL+s0ezJGd80SHMsThF35Hj1BzuQZVkkANv494D83ppbB:QMDtIXLr06AdfEThF35Pzug`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

actives.exe "C:\Users\test22\AppData\Local\Temp\actives.exe"
2540
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\zbe2024101632843703.bat" "
  2608
  - schtasks.exe Schtasks.Exe /delete /tn "Maintenance" /f
    2692
  - schtasks.exe Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\test22\AppData\Local\Temp\zx2024101632843703.xml"
    2808
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\zb2024101632843703.bat" "
  2736
  - chcp.com chcp 1251
    2852
  - actives.exe "C:\Users\test22\AppData\Local\Temp\actives.exe"
    2904
    - Minha Conta.exe "C:\Users\test22\AppData\Roaming\Minha Conta.exe" C:\Users\test22\AppData\Local\Temp\actives.exe
      3044
      - wmiintegrator.exe "C:\Users\test22\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
        1152
        
        wmihostwin.exe "C:\Users\test22\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
        2168
        
        wmimic.exe "C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        2628
        
        wmisecure.exe "C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        2768
        
        wmisecure64.exe "C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        2824
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        3020
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2072
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2196
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2648
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        204
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1852
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2284
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1332
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2788
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        544
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1080
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2856
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2176
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1264
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1252
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1040
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2684
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        3036
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        2604
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1928
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1736
        
        reg.exe "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        1576
  - timeout.exe timeout /t 3 /nobreak
    2988

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Oct. 16, 2024, 11:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:08 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 11:08 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 11:08 a.m.			0	0

Command line console output was observed (30 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: SUCCESS: The scheduled task "Maintenance" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: Waiting for 3 console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: seconds, press CTRL+C to quit ... console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:08 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:09 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 16, 2024, 11:10 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2024, 11:08 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 332 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0071c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 11:08 a.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wmisecure64.exe tried to sleep 170 seconds, actually delayed analysis time by 170 seconds

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Roaming\Maintenance\apps\maintenance.exe
file	C:\Users\test22\AppData\Roaming\Minha Conta.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmihostwin.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure.exe
file	C:\Users\test22\AppData\Local\Temp\zb2024101632843703.bat
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure64.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmiintegrator.exe
file	C:\Users\test22\AppData\Local\Temp\zbe2024101632843703.bat

Creates a suspicious process (2 events)

cmdline	Schtasks.Exe /delete /tn "Maintenance" /f
cmdline	Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\test22\AppData\Local\Temp\zx2024101632843703.xml"

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\zbe2024101632843703.bat
file	C:\Users\test22\AppData\Local\Temp\zb2024101632843703.bat
file	C:\Users\test22\AppData\Local\Temp\actives.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure.exe
file	C:\Users\test22\AppData\Roaming\Maintenance\apps\maintenance.exe
file	C:\Users\test22\AppData\Roaming\Minha Conta.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe
file	C:\Users\test22\AppData\Local\Temp\actives.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure64.exe
file	C:\Users\test22\AppData\Roaming\Windows Objects\wmihostwin.exe

A process created a hidden window (30 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 16, 2024, 11:08 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\zbe2024101632843703.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\zbe2024101632843703.bat	1	1
ShellExecuteExW Oct. 16, 2024, 11:08 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\zb2024101632843703.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\zb2024101632843703.bat	1	1
CreateProcessInternalW Oct. 16, 2024, 11:08 a.m.	thread_identifier: 3048 thread_handle: 0x000001b4 process_identifier: 3044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Minha Conta.exe" C:\Users\test22\AppData\Local\Temp\actives.exe filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001c4	1	1
CreateProcessInternalW Oct. 16, 2024, 11:08 a.m.	thread_identifier: 940 thread_handle: 0x000001c4 process_identifier: 1152 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001d4	1	1
CreateProcessInternalW Oct. 16, 2024, 11:08 a.m.	thread_identifier: 1400 thread_handle: 0x000001c8 process_identifier: 2168 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001dc	1	1
CreateProcessInternalW Oct. 16, 2024, 11:08 a.m.	thread_identifier: 2620 thread_handle: 0x000001dc process_identifier: 2628 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" unk3 filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001ec	1	1
CreateProcessInternalW Oct. 16, 2024, 11:08 a.m.	thread_identifier: 2780 thread_handle: 0x000001e8 process_identifier: 2768 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure.exe" execute filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x000001f8	1	1
CreateProcessInternalW Oct. 16, 2024, 11:08 a.m.	thread_identifier: 2844 thread_handle: 0x000001e8 process_identifier: 2824 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000208	1	1
ShellExecuteExW Oct. 16, 2024, 11:08 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:09 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1
ShellExecuteExW Oct. 16, 2024, 11:10 a.m.	show_type: 0 filepath_r: reg.exe parameters: add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f filepath: reg.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (45 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: services.exe process_identifier: 444	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: mobsync.exe process_identifier: 2280	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: wsqmcons.exe process_identifier: 2348	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: taskhost.exe process_identifier: 2364	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: sdclt.exe process_identifier: 2372	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: schtasks.exe process_identifier: 2668	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: conhost.exe process_identifier: 2676	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: cmd.exe process_identifier: 2736	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: conhost.exe process_identifier: 2776	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: actives.exe process_identifier: 2904	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001a4 process_name: inject-x86.exe process_identifier: 2964	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001b4 process_name: timeout.exe process_identifier: 2988	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001b4 process_name: Minha Conta.exe process_identifier: 3044	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001ac process_name: wmiintegrator.exe process_identifier: 1152	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001c8 process_name: wmihostwin.exe process_identifier: 2168	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001c8 process_name: svchost.exe process_identifier: 2256	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001dc process_name: wmimic.exe process_identifier: 2628	1	1
Process32NextW Oct. 16, 2024, 11:08 a.m.	snapshot_handle: 0x000001e8 process_name: wmisecure.exe process_identifier: 2768	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00248200', u'virtual_address': u'0x00010000', u'entropy': 7.810987964931411, u'name': u'.rsrc', u'virtual_size': u'0x002480c4'}

entropy

7.81098796493

description

A section with a high entropy has been found

entropy

0.984203875316

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://purl.org/rss/1.0/
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://serverjarvis.sytes.net/resource_vir/command.php?version=0019
url	http://www.passport.com

Yara rule detected in process memory (33 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
cmdline	chcp 1251
cmdline	Schtasks.Exe /delete /tn "Maintenance" /f
cmdline	"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
cmdline	Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\test22\AppData\Local\Temp\zx2024101632843703.xml"

Installs itself for autorun at Windows startup (22 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KeybordDriver	reg_value	"C:\Users\test22\AppData\Roaming\Windows Objects\wmimic.exe" winstart

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Roaming\Windows Objects\wmihostwin.exe

Creates a slightly modified copy of itself (6 events)

description	Possibly a polymorphic version of itself	file	{u'size': 2697256, u'yara': [{u'strings': [u'PW5ldXRyYWw=', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o77': [[91551L, 1], [117436L, 1]], u'o116': [[113750L, 0]]}}, {u'strings': [u'VVJMRG93bmxvYWRUb0ZpbGU=', u'VVJMRG93bmxvYWRUb0ZpbGVX', u'dXJsbW9uLmRsbA=='], u'meta': {u'version': u'0.1', u'description': u'File Downloader', u'author': u'x0r'}, u'name': u'Network_Downloader', u'offsets': {u'f1': [[124628L, 2]], u'c1': [[91333L, 0], [91833L, 0], [124586L, 0], [124608L, 0]], u'c5': [[91333L, 1], [124608L, 1]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'ZXNzSGVhcA=='], u'meta': {u'date': u'2021-03-16', u'description': u'Generic Malware', u'author': u'r0d'}, u'name': u'Generic_Malware_Zero', u'offsets': {u'o480': [[91693L, 0], [117389L, 0]]}}, {u'strings': [u'Pz8yQFlBUA==', u'Y2Vzc29y', u'dF9mZGl2'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's55': [[261600L, 1]], u's53': [[125056L, 0]], u's190': [[116678L, 2]]}}], u'sha1': u'e711e5339bce8dd4c321ab48cc56f5c0dce244e4', u'name': u'e7e7525b2703f64a_wmisecure.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Roaming\\Windows Objects\\wmisecure.exe', u'sha512': u'dea53c74ab3be328f30491c0a3cdf877c9830eda8701876e24aac1602b13a11f5131ab5b2f72635e59f5deed7041ed12846f1461ca8ea5e175ad40c7fe090130', u'urls': [u'http://serverjarvis.sytes.net/resource_vir/command.php?version=0019'], u'crc32': u'CCF9BFBA', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/54755/files/e7e7525b2703f64a_wmisecure.exe', u'ssdeep': u'49152:0ZVkkANv494D83pYbN5qUHj1FhW825PlJ0TJcttcCmIf+u9YZrpk9BRVvdWaiic9:lHjTo82Pb0c0NZrq9BRVvUdoQ', u'sha256': u'e7e7525b2703f64a83128a9e9474b04a7fcd096ad3b1e493b3cfefca416b1fc0', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [2628], u'md5': u'0629440d232de64df747d0b43e10c400', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description	Possibly a polymorphic version of itself	file	{u'size': 2697256, u'yara': [{u'strings': [u'PW5ldXRyYWw=', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o77': [[91551L, 1], [117436L, 1]], u'o116': [[113750L, 0]]}}, {u'strings': [u'VVJMRG93bmxvYWRUb0ZpbGU=', u'VVJMRG93bmxvYWRUb0ZpbGVX', u'dXJsbW9uLmRsbA=='], u'meta': {u'version': u'0.1', u'description': u'File Downloader', u'author': u'x0r'}, u'name': u'Network_Downloader', u'offsets': {u'f1': [[124628L, 2]], u'c1': [[91333L, 0], [91833L, 0], [124586L, 0], [124608L, 0]], u'c5': [[91333L, 1], [124608L, 1]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'ZXNzSGVhcA=='], u'meta': {u'date': u'2021-03-16', u'description': u'Generic Malware', u'author': u'r0d'}, u'name': u'Generic_Malware_Zero', u'offsets': {u'o480': [[91693L, 0], [117389L, 0]]}}, {u'strings': [u'Pz8yQFlBUA==', u'Y2Vzc29y', u'dF9mZGl2'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's55': [[261600L, 1]], u's53': [[125056L, 0]], u's190': [[116678L, 2]]}}], u'sha1': u'7941b041e894e804560c1c0c7bd4d00ae24eac7a', u'name': u'6e3132c4606bee41_minha conta.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Roaming\\Minha Conta.exe', u'sha512': u'1756beb7cd4223eacf5d25ef02bff3fe744b06c467a0828918ccc161098f531d1c7cb00e04499d86e2f9dec2bf3c2234792a47d96f127340d6e20b37a07fea95', u'urls': [u'http://serverjarvis.sytes.net/resource_vir/command.php?version=0019'], u'crc32': u'794C9178', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/54755/files/6e3132c4606bee41_minha conta.exe', u'ssdeep': u'49152:TZVkkANv494D83pfbN5qUHj1FhW825PlJ0TJcttcCmIf+u9YZrpk9BRVvdWaiic9:lHjTo82Pb0c0NZrq9BRVvUdoQ', u'sha256': u'6e3132c4606bee41469f5b40ca67166a927dd077d93d4efff9a974597bb08b2d', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [2904], u'md5': u'73cea56d3f81767747c14bb58393c35c', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description	Possibly a polymorphic version of itself	file	{u'size': 2697256, u'yara': [{u'strings': [u'PW5ldXRyYWw=', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o77': [[91551L, 1], [117436L, 1]], u'o116': [[113750L, 0]]}}, {u'strings': [u'VVJMRG93bmxvYWRUb0ZpbGU=', u'VVJMRG93bmxvYWRUb0ZpbGVX', u'dXJsbW9uLmRsbA=='], u'meta': {u'version': u'0.1', u'description': u'File Downloader', u'author': u'x0r'}, u'name': u'Network_Downloader', u'offsets': {u'f1': [[124628L, 2]], u'c1': [[91333L, 0], [91833L, 0], [124586L, 0], [124608L, 0]], u'c5': [[91333L, 1], [124608L, 1]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'ZXNzSGVhcA=='], u'meta': {u'date': u'2021-03-16', u'description': u'Generic Malware', u'author': u'r0d'}, u'name': u'Generic_Malware_Zero', u'offsets': {u'o480': [[91693L, 0], [117389L, 0]]}}, {u'strings': [u'Pz8yQFlBUA==', u'Y2Vzc29y', u'dF9mZGl2'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's55': [[261600L, 1]], u's53': [[125056L, 0]], u's190': [[116678L, 2]]}}], u'sha1': u'b5e2c13568fb86487d531b57fa0ef8f902a17c2b', u'name': u'13c0968e576d0a9e_wmimic.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Roaming\\Windows Objects\\wmimic.exe', u'sha512': u'2a45b569053a16087408d78fd6d4c83b6b8d7f4f80a9b7f2c9e4ebf3dcb983e2968f91f9f022263131e4759a230fdec764097e6702601cb0b022bc6efbda230e', u'urls': [u'http://serverjarvis.sytes.net/resource_vir/command.php?version=0019'], u'crc32': u'FF745353', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/54755/files/13c0968e576d0a9e_wmimic.exe', u'ssdeep': u'49152:uZVkkANv494D83p4bN5qUHj1FhW825PlJ0TJcttcCmIf+u9YZrpk9BRVvdWaiic9:zHjTo82Pb0c0NZrq9BRVvUdoQ', u'sha256': u'13c0968e576d0a9ed0c2cdd6bc7d4b6953156ee1d2c0142b63557490d651b82f', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [2168], u'md5': u'37c19933b8e70d5045c8688ebad9be7c', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description	Possibly a polymorphic version of itself	file	{u'size': 2697256, u'yara': [{u'strings': [u'PW5ldXRyYWw=', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o77': [[91551L, 1], [117436L, 1]], u'o116': [[113750L, 0]]}}, {u'strings': [u'VVJMRG93bmxvYWRUb0ZpbGU=', u'VVJMRG93bmxvYWRUb0ZpbGVX', u'dXJsbW9uLmRsbA=='], u'meta': {u'version': u'0.1', u'description': u'File Downloader', u'author': u'x0r'}, u'name': u'Network_Downloader', u'offsets': {u'f1': [[124628L, 2]], u'c1': [[91333L, 0], [91833L, 0], [124586L, 0], [124608L, 0]], u'c5': [[91333L, 1], [124608L, 1]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'ZXNzSGVhcA=='], u'meta': {u'date': u'2021-03-16', u'description': u'Generic Malware', u'author': u'r0d'}, u'name': u'Generic_Malware_Zero', u'offsets': {u'o480': [[91693L, 0], [117389L, 0]]}}, {u'strings': [u'Pz8yQFlBUA==', u'Y2Vzc29y', u'dF9mZGl2'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's55': [[261600L, 1]], u's53': [[125056L, 0]], u's190': [[116678L, 2]]}}], u'sha1': u'd305a410f48c345798704fc893f43d1ede10ceeb', u'name': u'5dd7da512241f11c_actives.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Local\\Temp\\actives.exe', u'sha512': u'53a5ff494f4f5d101cb99c4117c34757d7390f4410052b626ec0e03967c4dd9254f2d3e8fea0b0582a55c81d57fd8a7d1686d04354a26fded5b2399934049c62', u'urls': [u'http://serverjarvis.sytes.net/resource_vir/command.php?version=0019'], u'crc32': u'F31F5FDE', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/54755/files/5dd7da512241f11c_actives.exe', u'ssdeep': u'49152:xZVkkANv494D83ppbN5qUHj1FhW825PlJ0TJcttcCmIf+u9YZrpk9BRVvdWaiic9:JHjTo82Pb0c0NZrq9BRVvUdoQ', u'sha256': u'5dd7da512241f11ce03c0c387cdcc37615642f3ae2bde0d9d83b5ee7737e893d', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [2540, 2736, 3044], u'md5': u'bcb34b6b0955f915cb44e7edc9bbb5e9', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description	Possibly a polymorphic version of itself	file	{u'size': 2697256, u'yara': [{u'strings': [u'PW5ldXRyYWw=', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o77': [[91551L, 1], [117436L, 1]], u'o116': [[113750L, 0]]}}, {u'strings': [u'VVJMRG93bmxvYWRUb0ZpbGU=', u'VVJMRG93bmxvYWRUb0ZpbGVX', u'dXJsbW9uLmRsbA=='], u'meta': {u'version': u'0.1', u'description': u'File Downloader', u'author': u'x0r'}, u'name': u'Network_Downloader', u'offsets': {u'f1': [[124628L, 2]], u'c1': [[91333L, 0], [91833L, 0], [124586L, 0], [124608L, 0]], u'c5': [[91333L, 1], [124608L, 1]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'ZXNzSGVhcA=='], u'meta': {u'date': u'2021-03-16', u'description': u'Generic Malware', u'author': u'r0d'}, u'name': u'Generic_Malware_Zero', u'offsets': {u'o480': [[91693L, 0], [117389L, 0]]}}, {u'strings': [u'Pz8yQFlBUA==', u'Y2Vzc29y', u'dF9mZGl2'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's55': [[261600L, 1]], u's53': [[125056L, 0]], u's190': [[116678L, 2]]}}], u'sha1': u'0338644d5b82f04fe0fd0bc1b533004aac13e698', u'name': u'6aa1bd6b5a42cb04_wmisecure64.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Roaming\\Windows Objects\\wmisecure64.exe', u'sha512': u'ecd02ac942cf18c737e138f8718152224c1e97387d7ac3c37dc4586abdcd97b09ab2c405fc0f81e74b38e0d0adc3ff37acbad5b14f74aa7ca2c4af8dcc0fa77f', u'urls': [u'http://serverjarvis.sytes.net/resource_vir/command.php?version=0019'], u'crc32': u'8FFF5C13', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/54755/files/6aa1bd6b5a42cb04_wmisecure64.exe', u'ssdeep': u'49152:LZVkkANv494D83p7bN5qUHj1FhW825PlJ0TJcttcCmIf+u9YZrpk9BRVvdWaiic9:pHjTo82Pb0c0NZrq9BRVvUdoQ', u'sha256': u'6aa1bd6b5a42cb04822c6a81a0898aab4a4b50478cae42f1e2cadd75d4e0ba50', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [2628], u'md5': u'a588627a554a855b4cd0a91989867ead', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description	Possibly a polymorphic version of itself	file	{u'size': 2697256, u'yara': [{u'strings': [u'PW5ldXRyYWw=', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o77': [[91551L, 1], [117436L, 1]], u'o116': [[113750L, 0]]}}, {u'strings': [u'VVJMRG93bmxvYWRUb0ZpbGU=', u'VVJMRG93bmxvYWRUb0ZpbGVX', u'dXJsbW9uLmRsbA=='], u'meta': {u'version': u'0.1', u'description': u'File Downloader', u'author': u'x0r'}, u'name': u'Network_Downloader', u'offsets': {u'f1': [[124628L, 2]], u'c1': [[91333L, 0], [91833L, 0], [124586L, 0], [124608L, 0]], u'c5': [[91333L, 1], [124608L, 1]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'Is_DotNET_EXE', u'offsets': {}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'ZXNzSGVhcA=='], u'meta': {u'date': u'2021-03-16', u'description': u'Generic Malware', u'author': u'r0d'}, u'name': u'Generic_Malware_Zero', u'offsets': {u'o480': [[91693L, 0], [117389L, 0]]}}, {u'strings': [u'Pz8yQFlBUA==', u'Y2Vzc29y', u'dF9mZGl2'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's55': [[261600L, 1]], u's53': [[125056L, 0]], u's190': [[116678L, 2]]}}], u'sha1': u'0abde7c95ee098192652d2b92b0df50a27e57b31', u'name': u'6fd46ced4deabc81_wmihostwin.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Roaming\\Windows Objects\\wmihostwin.exe', u'sha512': u'402b6feb77c408d78c1f16778bc20cd9be943bb4bb5cb7cfd5bde45af5f7b528a10203fa14c4717065434b3526f0fff267212be3361e9f115fa16828da645784', u'urls': [u'http://serverjarvis.sytes.net/resource_vir/command.php?version=0019'], u'crc32': u'049A5AA7', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/54755/files/6fd46ced4deabc81_wmihostwin.exe', u'ssdeep': u'49152:3ZVkkANv494D83pDbN5qUHj1FhW825PlJ0TJcttcCmIf+u9YZrpk9BRVvdWaiic9:hHjTo82Pb0c0NZrq9BRVvUdoQ', u'sha256': u'6fd46ced4deabc813b82d2c808a459945858adfb7a9c118fb77113aff74508b4', u'type': u'PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows', u'pids': [1152], u'md5': u'f7e3e41a68b674a849943e72829e4226', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}

Expresses interest in specific running processes (9 events)

process: potential process injection target	services.exe
process: potential process injection target	csrss.exe
process	wmimic.exe
process	system
process: potential process injection target	explorer.exe
process	wmiintegrator.exe
process: potential process injection target	svchost.exe
process	wmisecure.exe
process	wmihostwin.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2736 resumed a thread in remote process 2904
NtResumeThread Oct. 16, 2024, 11:08 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2904	1	0	0

Creates and runs a batch file to remove the original binary (1 event)

file	c09082ea79f27d79_zb2024101632843703.bat

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Aenjaris.j!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Generic.TRFH11
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Trojan.GenericKD.63927678
Cylance	Unsafe
VIPRE	Trojan.GenericKD.63927678
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKD.63927678
K7GW	Trojan ( 005106591 )
K7AntiVirus	Trojan ( 005106591 )
Arcabit	Trojan.Generic.D3CF757E
Symantec	W32.Styes
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDropper.Agent.RPQ
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Malware.Dfay-9787661-0
Kaspersky	HEUR:Trojan-Ransom.MSIL.Blocker.gen
NANO-Antivirus	Trojan.Win32.Zusy.iokixr
MicroWorld-eScan	Trojan.GenericKD.63927678
Rising	Trojan.Agent!1.AA9A (CLASSIC)
Emsisoft	Trojan.GenericKD.63927678 (B)
F-Secure	Heuristic.HEUR/AGEN.1320007
DrWeb	Trojan.MulDrop16.12743
Zillya	Dropper.Agent.Win32.446862
TrendMicro	Trojan.MSIL.AENJARIS.SM
McAfeeD	Real Protect-LS!515142450097
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Troj/Agent-AZXX
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.51514245009764a9
Jiangmin	TrojanDropper.Agent.glre
Google	Detected
Avira	HEUR/AGEN.1320007
Antiy-AVL	Trojan[Dropper]/Win32.Agent
Kingsoft	MSIL.Trojan-Ransom.Blocker.gen
Gridinsoft	Trojan.Win32.XMRig.tr
Microsoft	Trojan:Win32/Aenjaris!pz
ZoneAlarm	HEUR:Trojan-Ransom.MSIL.Blocker.gen
GData	Win32.Trojan.PSE.1722EZK
Varist	W32/Agent.CHJ.gen!Eldorado
AhnLab-V3	Trojan/Win32.Aenjaris.R247429
Acronis	suspicious
McAfee	GenericRXNM-US!515142450097
TACHYON	Ransom/W32.Blocker.2697256
DeepInstinct	MALICIOUS

actives.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All