Malware Analysis Report

2024-11-30 23:15

Sample ID 230225-feptescb44
Target 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
SHA256 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
Tags
aurora spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

Threat Level: Known bad

The file 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer

Aurora family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-25 04:47

Signatures

Aurora family

aurora

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 04:47

Reported

2023-02-25 04:52

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1808 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1808 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1808 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1808 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1124 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1124 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1124 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1808 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1948 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1948 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1948 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe

"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
NL 212.87.204.93:8081 tcp

Files

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 7634ebd082abbba35a8e6a300ec83c51
SHA1 953666e70fbed932e4bed446f1d1e432781972b7
SHA256 792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f
SHA512 6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-25 04:47

Reported

2023-02-25 04:52

Platform

win10-20230220-en

Max time kernel

49s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 380 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 380 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 380 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 380 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4144 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4144 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe

"C:\Users\Admin\AppData\Local\Temp\07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
NL 212.87.204.93:8081 tcp
US 8.8.8.8:53 93.204.87.212.in-addr.arpa udp
NL 52.178.17.3:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 95a12fa5756d0040e1c1284371ea17e4
SHA1 a9c9c457a87ecca994364b6b0a8bbe815c64197d
SHA256 805458918a058fbae738b7e4fc57e4d3b8317adf26d11b9b9e53e22bc946b562
SHA512 1d71748f56e83e3d8e68bcec6a17ace238d904e767a10ef20c86be8c785ab3c3fea60c832e3b68e0277467ac1b053849d1f3d52bd872b2b9aa7206616ced56c5