Analysis Overview
SHA256
21baf3dbca077ed7a34990db99eb22ea6a085977af4e38436002b06b42cfb96c
Threat Level: Known bad
The file install_win64.exe was found to be: Known bad.
Malicious Activity Summary
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Themida packer
Reads user/profile data of web browsers
Loads dropped DLL
Checks BIOS information in registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-25 19:47
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-25 19:47
Reported
2023-01-25 19:49
Platform
win7-20220812-en
Max time kernel
40s
Max time network
118s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
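The three registry checks the signatures above attribute to install_win64.exe (the VBOX__ ACPI table, the SystemBiosVersion and VideoBiosVersion strings, and EnableLUA) replicated as an added example. This is not code from the sample or from the sandbox: it evaluates the same checks against a constructed in-memory registry snapshot so it runs offline, and `read_live_snapshot()` reads the same values through `winreg` on a real Windows host. The report does not say which BIOS strings the sample matches, so `VM_BIOS_MARKERS` is an assumption based on common anti-VM checks.

```python
"""Replicate the three registry checks attributed to install_win64.exe.

Added example; not code from the sample or the sandbox. The logic runs
against a constructed in-memory snapshot of registry values so it works
offline; read_live_snapshot() reads the same values with winreg on a real
Windows host. Which BIOS strings the sample matches is not in the report,
so VM_BIOS_MARKERS is an assumption based on common anti-VM checks.
"""
from __future__ import annotations

# Registry paths named in the sandbox signatures (HKLM prefix added for readability).
VBOX_ACPI_KEY = r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"
SYSTEM_BIOS = r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
ENABLE_LUA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Assumed hypervisor markers; the report does not list the sample's own strings.
VM_BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")


def looks_like_vm(snapshot: dict) -> dict:
    """Which of the report's VM indicators fire on a snapshot.

    snapshot maps a path to its data: None for a key that exists without a
    value (the ACPI DSDT table name), a list for REG_MULTI_SZ, an int for a
    DWORD. A path absent from the snapshot does not exist on the host.
    """
    findings = {"vbox_acpi_table": VBOX_ACPI_KEY in snapshot}
    for label, path in (("system_bios", SYSTEM_BIOS), ("video_bios", VIDEO_BIOS)):
        data = snapshot.get(path)
        text = " ".join(data) if isinstance(data, list) else str(data or "")
        findings[label] = any(marker in text.upper() for marker in VM_BIOS_MARKERS)
    return findings


def uac_enabled(snapshot: dict) -> bool:
    """EnableLUA != 0 means UAC is on; a missing value means the default (on)."""
    value = snapshot.get(ENABLE_LUA)
    return True if value is None else int(value) != 0


def evaluate(snapshot: dict) -> dict:
    """The decision a sample makes: bail out if a VM is detected, and note the UAC state."""
    indicators = looks_like_vm(snapshot)
    return {"vm_detected": any(indicators.values()),
            "indicators": indicators,
            "uac_enabled": uac_enabled(snapshot)}


def read_live_snapshot() -> dict:
    """Collect the same values from a real Windows registry (winreg is Windows-only)."""
    import winreg
    snap = {}
    hklm = winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(hklm, r"HARDWARE\ACPI\DSDT\VBOX__"):
            snap[VBOX_ACPI_KEY] = None  # key exists: the DSDT table name is the indicator
    except OSError:
        pass
    for path, subkey, name in (
        (SYSTEM_BIOS, r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
        (VIDEO_BIOS, r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
        (ENABLE_LUA, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
    ):
        try:
            with winreg.OpenKey(hklm, subkey) as key:
                snap[path] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return snap


# Constructed snapshots: a stock VirtualBox guest, and the same guest after the
# ACPI table was renamed and the BIOS strings replaced.
VIRTUALBOX_GUEST = {
    VBOX_ACPI_KEY: None,
    SYSTEM_BIOS: ["VBOX   - 1"],
    VIDEO_BIOS: ["Oracle VM VirtualBox VBE Adapter"],
    ENABLE_LUA: 1,
}
HARDENED_GUEST = {
    SYSTEM_BIOS: ["DELL   - 1072009"],
    VIDEO_BIOS: ["Intel(R) UHD Graphics"],
    ENABLE_LUA: 0,
}

if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", VIRTUALBOX_GUEST), ("hardened", HARDENED_GUEST)):
        print(name, evaluate(snap))
```

Running `evaluate(read_live_snapshot())` on an analysis VM shows which of these three artifacts the sandbox still exposes; the hardened snapshot models what the checks see once the DSDT table name and BIOS strings have been changed.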
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe"
C:\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe
"C:\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 45.15.156.210:8081 | | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.130.233:443 | cdn.discordapp.com | tcp |
Files
memory/1460-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
memory/1460-55-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-56-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-57-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-59-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-60-0x0000000077AA0000-0x0000000077C20000-memory.dmp
memory/1460-58-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-62-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-61-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1936-63-0x0000000000000000-mapping.dmp
memory/1188-64-0x0000000000000000-mapping.dmp
memory/652-65-0x0000000000000000-mapping.dmp
memory/2028-66-0x0000000000000000-mapping.dmp
memory/1844-67-0x0000000000000000-mapping.dmp
memory/1460-68-0x00000000011E0000-0x0000000001B4F000-memory.dmp
memory/1460-69-0x0000000077AA0000-0x0000000077C20000-memory.dmp
memory/740-70-0x0000000000000000-mapping.dmp
memory/740-72-0x0000000074340000-0x00000000748EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/1284-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vByeKk59Tc.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/740-77-0x0000000074340000-0x00000000748EB000-memory.dmp
memory/1284-79-0x0000000001360000-0x0000000001A43000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-25 19:47
Reported
2023-01-25 19:49
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
146s
Command Line
Signatures
Aurora
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kkypeFvKJP.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\install_win64.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\install_win64.exe
"C:\Users\Admin\AppData\Local\Temp\install_win64.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\kkypeFvKJP.exe"
C:\Users\Admin\AppData\Local\Temp\kkypeFvKJP.exe
"C:\Users\Admin\AppData\Local\Temp\kkypeFvKJP.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.253.208.113:80 | | tcp |
| N/A | 45.15.156.210:8081 | | tcp |
| N/A | 67.24.35.254:80 | | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.253.208.113:80 | | tcp |
| N/A | 8.253.208.113:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.253.208.113:80 | | tcp |
| N/A | 8.253.208.113:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
Files
memory/1716-132-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1716-133-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1716-135-0x00000000772E0000-0x0000000077483000-memory.dmp
memory/1716-134-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1716-136-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1716-137-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1716-138-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1716-139-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/3092-140-0x0000000000000000-mapping.dmp
memory/852-141-0x0000000000000000-mapping.dmp
memory/4364-142-0x0000000000000000-mapping.dmp
memory/1144-143-0x0000000000000000-mapping.dmp
memory/1100-144-0x0000000000000000-mapping.dmp
memory/1516-145-0x0000000000000000-mapping.dmp
memory/1516-146-0x0000000005370000-0x00000000053A6000-memory.dmp
memory/1516-147-0x0000000005B50000-0x0000000006178000-memory.dmp
memory/1516-148-0x0000000005950000-0x0000000005972000-memory.dmp
memory/1516-149-0x0000000006180000-0x00000000061E6000-memory.dmp
memory/1516-150-0x00000000062A0000-0x0000000006306000-memory.dmp
memory/1516-151-0x0000000006910000-0x000000000692E000-memory.dmp
memory/1716-152-0x0000000000BB0000-0x000000000151F000-memory.dmp
memory/1516-153-0x0000000007AD0000-0x0000000007B66000-memory.dmp
memory/1516-154-0x0000000006E00000-0x0000000006E1A000-memory.dmp
memory/1516-155-0x0000000006E50000-0x0000000006E72000-memory.dmp
memory/1516-156-0x0000000008120000-0x00000000086C4000-memory.dmp
memory/1716-157-0x00000000772E0000-0x0000000077483000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kkypeFvKJP.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/212-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kkypeFvKJP.exe
| MD5 | fd3921d7f42c4a42115ce88d1c9fe031 |
| SHA1 | 30d5b2cd633667a340047e1ff1ce44628555eba0 |
| SHA256 | 0ea7ac01f7c8cb0ad3574688fd83265cceb7c3c16f89f29799b8be1b3a314a6a |
| SHA512 | 8216ba2c9da3e6021f8f90c824a9da14632069477e508117948d841fd7dcc7fe28e1fb3d9cae854afe32db3ed46c6ba9cc49b3840ec875f66f3fa252ae11fb70 |
memory/212-161-0x00000000000F0000-0x00000000007D3000-memory.dmp