Malware Analysis Report

2025-04-03 08:54

Sample ID 230120-sbqmrsgg66
Target install_windows.exe
SHA256 44fbfac03f6b951c71960c0e3df9770fe0b17dd4405da33102b2eafd5a566e46
Tags
aurora spyware stealer vmprotect
score
10/10

Analysis Overview

score
10/10

SHA256

44fbfac03f6b951c71960c0e3df9770fe0b17dd4405da33102b2eafd5a566e46

Threat Level: Known bad

The file install_windows.exe was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer vmprotect

Aurora family

Executes dropped EXE

VMProtect packed file

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-01-20 14:57

Signatures

Aurora family

aurora

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-20 14:57

Reported

2023-01-20 15:21

Platform

win7-20221111-en

Max time kernel

25s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe N/A

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1212 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1212 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1212 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1360 wrote to memory of 1660 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\install_windows.exe

"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"

C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe

"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"

Network

Country Destination Domain Proto
N/A 45.15.156.210:8081 tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.135.233:443 cdn.discordapp.com tcp

Files

memory/1212-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

memory/1320-55-0x0000000000000000-mapping.dmp

memory/1304-57-0x0000000000000000-mapping.dmp

memory/1520-59-0x0000000000000000-mapping.dmp

memory/1732-61-0x0000000000000000-mapping.dmp

memory/1060-63-0x0000000000000000-mapping.dmp

memory/1360-65-0x0000000000000000-mapping.dmp

memory/1360-67-0x0000000073CE0000-0x000000007428B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe

MD5 9234d32cf8a0a0d2e510f10e41788965
SHA1 1214d32602efb4a7531edf8a4c3e4aecaeb344bf
SHA256 9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b
SHA512 6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1

memory/1660-70-0x0000000000000000-mapping.dmp

memory/1360-75-0x0000000073CE0000-0x000000007428B000-memory.dmp

memory/1660-76-0x0000000000EC0000-0x00000000014CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-20 14:57

Reported

2023-01-20 15:21

Platform

win10v2004-20221111-en

Max time kernel

106s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe N/A

VMProtect packed file

vmprotect

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1848 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1848 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 1748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1848 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\install_windows.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 5108 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\install_windows.exe

"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"

C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe

"C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 45.15.156.210:8081 tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 52.182.143.211:443 tcp
N/A 104.80.225.205:443 tcp
N/A 87.248.202.1:80 tcp

Files

memory/2036-132-0x0000000000000000-mapping.dmp

memory/636-133-0x0000000000000000-mapping.dmp

memory/3524-134-0x0000000000000000-mapping.dmp

memory/3572-135-0x0000000000000000-mapping.dmp

memory/1748-136-0x0000000000000000-mapping.dmp

memory/3616-137-0x0000000000000000-mapping.dmp

memory/3616-138-0x0000000004C10000-0x0000000004C46000-memory.dmp

memory/3616-139-0x0000000005280000-0x00000000058A8000-memory.dmp

memory/3616-140-0x00000000051B0000-0x00000000051D2000-memory.dmp

memory/3616-141-0x00000000059B0000-0x0000000005A16000-memory.dmp

memory/3616-142-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/3616-143-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/3616-144-0x0000000007370000-0x0000000007406000-memory.dmp

memory/3616-145-0x0000000006660000-0x000000000667A000-memory.dmp

memory/3616-146-0x00000000066B0000-0x00000000066D2000-memory.dmp

memory/3616-147-0x00000000079C0000-0x0000000007F64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe

MD5 9234d32cf8a0a0d2e510f10e41788965
SHA1 1214d32602efb4a7531edf8a4c3e4aecaeb344bf
SHA256 9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b
SHA512 6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1

memory/5108-149-0x0000000000000000-mapping.dmp

memory/5108-151-0x0000000000A00000-0x000000000100C000-memory.dmp