Analysis Overview
SHA256
44fbfac03f6b951c71960c0e3df9770fe0b17dd4405da33102b2eafd5a566e46
Threat Level: Known bad
The file install_windows.exe was found to be: Known bad.
Malicious Activity Summary
Aurora family
Executes dropped EXE
VMProtect packed file
Reads user/profile data of web browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-01-20 14:57
Signatures
Aurora family
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-20 14:57
Reported
2023-01-20 15:21
Platform
win7-20221111-en
Max time kernel
25s
Max time network
80s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe | N/A |
VMProtect packed file
6 matches; the report records no description, indicator, process or target for any of them.
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
| Process | Events |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe | 12 |
Suspicious use of AdjustPrivilegeToken
| Process | Privileges enabled in its own token |
| C:\Windows\SysWOW64\Wbem\wmic.exe (2 instances) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, LUID 33, LUID 34, LUID 35 |
| C:\Windows\SysWOW64\Wbem\WMIC.exe (2 instances; the report's listing for the second is cut off after SeLoadDriverPrivilege) | same set |
The sandbox prints LUIDs 33, 34 and 35 unresolved; on Windows they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Taken together the list is the complete privilege set of the administrator token the sample ran under, and each wmic.exe instance enables it wholesale at start-up. Neither install_windows.exe nor the dropped executable appears in this signature, so treat it as a side effect of the WMI queries rather than as a separate privilege-escalation step.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_windows.exe
"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe
"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.15.156.210:8081 | | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.135.233:443 | cdn.discordapp.com | tcp |
Files
memory/1212-54-0x00000000761E1000-0x00000000761E3000-memory.dmp
memory/1320-55-0x0000000000000000-mapping.dmp
memory/1304-57-0x0000000000000000-mapping.dmp
memory/1520-59-0x0000000000000000-mapping.dmp
memory/1732-61-0x0000000000000000-mapping.dmp
memory/1060-63-0x0000000000000000-mapping.dmp
memory/1360-65-0x0000000000000000-mapping.dmp
memory/1360-67-0x0000000073CE0000-0x000000007428B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe (the report records this file five times, under both the C:\Users\... and \Users\... path forms, always with the hashes below)
| MD5 | 9234d32cf8a0a0d2e510f10e41788965 |
| SHA1 | 1214d32602efb4a7531edf8a4c3e4aecaeb344bf |
| SHA256 | 9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b |
| SHA512 | 6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1 |
memory/1660-70-0x0000000000000000-mapping.dmp
memory/1360-75-0x0000000073CE0000-0x000000007428B000-memory.dmp
memory/1660-76-0x0000000000EC0000-0x00000000014CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-20 14:57
Reported
2023-01-20 15:21
Platform
win10v2004-20221111-en
Max time kernel
106s
Max time network
155s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe | N/A |
VMProtect packed file
3 matches; the report records no description, indicator, process or target for any of them.
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Process | Privileges enabled in its own token |
| C:\Windows\SysWOW64\Wbem\wmic.exe (2 instances) | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, LUID 33, LUID 34, LUID 35, LUID 36 |
| C:\Windows\SysWOW64\Wbem\WMIC.exe (2 instances; the report's listing for the second is cut off after SeIncreaseQuotaPrivilege) | same set |
As in the Windows 7 run, the unresolved LUIDs are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35); LUID 36 is SeDelegateSessionUserImpersonatePrivilege, which exists on Windows 10 but not on Windows 7, hence the one extra entry here. The set is the full administrator token, enabled by each wmic.exe instance at start-up; the sample and the dropped executable do not appear in this signature.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_windows.exe
"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"
C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe
"C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe"
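The process chains in behavioral1 and behavioral2 are identical apart from the dropped file's random name: three wmic hardware/OS queries (OS caption, GPU name, CPU name) issued by the sample, then PowerShell Start-Process of an executable in the user's Temp directory. The following Python is an added example, not part of the sandbox report: it implements that pairing as detection logic over Sysmon-style process-creation events. The sample events are constructed from the behavioral1 process list; the PIDs are taken from the report's memory-dump names (1212, 1320, 1304, ...), while the parent/child links are an assumption, since the report prints the tree flat.

```python
"""Detect the wmic-fingerprint-then-Temp-launch chain seen in this report.

Added example. Input events are constructed from the behavioral1 Processes
section; PIDs come from the report's memory-dump names, parent links are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: the behavioral1 chain plus one benign control
# (an interactive admin shell running a single wmic query, pids 2000/2001).
SAMPLE_EVENTS = [
    ProcEvent(1212, 1000, r"C:\Users\Admin\AppData\Local\Temp\install_windows.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\install_windows.exe"'),
    ProcEvent(1320, 1212, r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic os get Caption"),
    ProcEvent(1304, 1212, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /C "wmic path win32_VideoController get name"'),
    ProcEvent(1520, 1304, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
              "wmic path win32_VideoController get name"),
    ProcEvent(1732, 1212, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /C "wmic cpu get name"'),
    ProcEvent(1060, 1732, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic cpu get name"),
    ProcEvent(1360, 1212, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"'),
    ProcEvent(1660, 1360, r"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\jR0TQxnUl6.exe"'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2001, 2000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic cpu get name"),
]

# The three host-fingerprinting queries the sample runs through wmic.
RECON_QUERIES = {
    "os": re.compile(r"\bwmic\b.*\bos\s+get\s+caption", re.I),
    "gpu": re.compile(r"\bwmic\b.*\bwin32_videocontroller\s+get\s+name", re.I),
    "cpu": re.compile(r"\bwmic\b.*\bcpu\s+get\s+name", re.I),
}
# PowerShell Start-Process of an .exe under <profile>\AppData\Local\Temp.
TEMP_LAUNCH = re.compile(r'start-process\s+"?(\S*?\\AppData\\Local\\Temp\\\S+?\.exe)', re.I)


def _root_pid(pid, by_pid):
    """Walk ppid links up to the topmost process present in the event set."""
    seen = set()
    while pid not in seen and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect_recon_then_launch(events, min_queries=2):
    """One finding per process tree that issues at least `min_queries` distinct
    wmic fingerprint queries and also launches an executable from Temp via PowerShell."""
    by_pid = {e.pid: e for e in events}
    recon = defaultdict(set)       # root pid -> fingerprint query names seen
    launches = defaultdict(list)   # root pid -> [(launcher pid, target path)]
    for e in events:
        root = _root_pid(e.pid, by_pid)
        image = e.image.lower()
        if image.endswith("\\wmic.exe"):
            for name, rx in RECON_QUERIES.items():
                if rx.search(e.cmdline):
                    recon[root].add(name)
        elif image.endswith("\\powershell.exe"):
            m = TEMP_LAUNCH.search(e.cmdline)
            if m:
                launches[root].append((e.pid, m.group(1)))
    findings = []
    for root, hits in launches.items():
        if len(recon[root]) < min_queries:
            continue
        launcher_pids = {pid for pid, _ in hits}
        targets = [path for _, path in hits]
        targets_lower = {t.lower() for t in targets}
        # Confirm the launched file really started as a child of the launcher.
        executed = any(e.ppid in launcher_pids and e.image.lower() in targets_lower
                       for e in events)
        findings.append({
            "root_pid": root,
            "root_image": by_pid[root].image,
            "recon": sorted(recon[root]),
            "launched": targets,
            "executed": executed,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_recon_then_launch(SAMPLE_EVENTS):
        print(finding)
```

Keying on the root of the tree rather than on direct parentage matters here: the GPU and CPU queries arrive via cmd /C, so the parent of those WMIC.exe instances is cmd.exe, not the sample. Requiring at least two distinct queries plus the Temp launch keeps a lone `wmic cpu get name` from an administrator's shell (the control events) from alerting.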
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 45.15.156.210:8081 | | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| N/A | 52.182.143.211:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 87.248.202.1:80 | | tcp |
45.15.156.210:8081 and the cdn.discordapp.com connection are the only destinations reached in both detonations; 45.15.156.210 is contacted by IP address on a non-standard port with no preceding DNS query in either run.
Files
memory/2036-132-0x0000000000000000-mapping.dmp
memory/636-133-0x0000000000000000-mapping.dmp
memory/3524-134-0x0000000000000000-mapping.dmp
memory/3572-135-0x0000000000000000-mapping.dmp
memory/1748-136-0x0000000000000000-mapping.dmp
memory/3616-137-0x0000000000000000-mapping.dmp
memory/3616-138-0x0000000004C10000-0x0000000004C46000-memory.dmp
memory/3616-139-0x0000000005280000-0x00000000058A8000-memory.dmp
memory/3616-140-0x00000000051B0000-0x00000000051D2000-memory.dmp
memory/3616-141-0x00000000059B0000-0x0000000005A16000-memory.dmp
memory/3616-142-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/3616-143-0x0000000006190000-0x00000000061AE000-memory.dmp
memory/3616-144-0x0000000007370000-0x0000000007406000-memory.dmp
memory/3616-145-0x0000000006660000-0x000000000667A000-memory.dmp
memory/3616-146-0x00000000066B0000-0x00000000066D2000-memory.dmp
memory/3616-147-0x00000000079C0000-0x0000000007F64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6LRRXdXAUP.exe (recorded twice with the hashes below; identical to jR0TQxnUl6.exe dropped in behavioral1)
| MD5 | 9234d32cf8a0a0d2e510f10e41788965 |
| SHA1 | 1214d32602efb4a7531edf8a4c3e4aecaeb344bf |
| SHA256 | 9d51f6c4221624b269d1e94e2df70e77c1f16e701d03cc6e117a60652a98ec8b |
| SHA512 | 6bb264edba74438c54b34a50c959ed19bc5d960b18f7b0fb2b3e4cd759810f377fea6952d3662554dcbd03206bb0ae45fdf275a9390c446706b3374d124563b1 |
memory/5108-149-0x0000000000000000-mapping.dmp
memory/5108-151-0x0000000000A00000-0x000000000100C000-memory.dmp