Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qlrlpshf64
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
purecrypter downloader loader persistence aurora stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader persistence aurora stealer

Detect PureCrypter injector

Aurora

PureCrypter

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:21

Reported

2023-02-05 13:23

Platform

win7-20221111-en

Max time kernel

145s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 960 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 960 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 960 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 880 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 880 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 880 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 880 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 636 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

Network

N/A

Files

memory/880-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/880-56-0x00000000757C1000-0x00000000757C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 b962ba4b520e9c0428b74a379b57a164
SHA1 159c7416b3e93e22964a918cbc8a99289392ed81
SHA256 8893107a72f6b30bf5ef99fb5cab8e7adbc8f60a8fdb51bc299b7567e5cbf4e4
SHA512 1a4ad9a8e94e798994aa805981aa3a6a30316ad8d4fb2dbf579e6bce2e1a64868b81ce26364d65da033e3672894834a223f361343f3866b4d7d71980933116ba

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 8594f5b69c6e88150a86beaa456e74a6
SHA1 4f2ca01c37381494f547b7e8f915bab450e4b61d
SHA256 088a474e61cb61dea884589e8b161c87102b4f531d89ecd16a7ddbd9dd1dbf5e
SHA512 093402b503790998de21b5ecaf77085e3c974ff4ef1db65870c108c8f9df3a71c671b99fd40e13b554ae115e03c7e343abc51a167f42f6caa0066f23cde46fff

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 dd6347f6cbdb716d1f349d006211b186
SHA1 7ed52731779fcfeba1e5e5ccb9ac356874275db9
SHA256 0993a664820ce6c1974c264bd515e7bc0b5171cdc07f430055daa79347b35860
SHA512 fdf6af282c3359bcd6346b6fa35dbd4bec81b8df6d2426f79228e357cd30cbdbbdb985adfd38b2dd771fbd01369e4aaaa47dc5a66c96f56f3a8ccae6be398874

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 3da027f7651afd68af397458748c324a
SHA1 672398295ef4221abd574d28e77db588c3e6db47
SHA256 fbcab7c3924c867ee263d5c86c41f04c93aaa41b09766b081610286df3158a41
SHA512 98352fb825b751fc4fe96f2f30d246e8dd8ecce5d1f001da15b3bc2f96cf273813ad114f4f286ab7225a8990f4b25506f8f0f9398370922e560b3bea5dc6fe69

memory/1520-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 f1f43f2d783500d814097de5f254f285
SHA1 c1cde86349a00b5014d661baa2b4719db5aa79cd
SHA256 a60d51b5b3ffce32dc18529eb1f6da4598f45ab7ba5a33c9ee2f2ff5d9688d22
SHA512 0ed441c266b576e42b4beb0ab2f81ad8a35707c50286a4f15020bba2d60eeed2999b8e9693b37925b677b501b39bb3337d1fe2a5fc6fcb3a745cdd95bee1aed8

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 23911db7c22df976d1f6cf5b7368a3ea
SHA1 fd2cb2944adc520d2e3b013c1800b74aa797c231
SHA256 b8c48db744c06e0a8498e65ccca875c568d857ee5b38bc3e8b45250453a8552f
SHA512 7db86fbd00b145a414d134a1cb0e5c044e50a75321071ec17fa1976bf2238694216935a6b5f54dc27412e99d5e83fb02568febc44d692d5a28b2a14519d381ed

memory/1520-65-0x0000000001380000-0x0000000001AF4000-memory.dmp

memory/1520-66-0x0000000006610000-0x00000000069B0000-memory.dmp

memory/636-67-0x0000000000000000-mapping.dmp

memory/636-69-0x000000006FC80000-0x000000007022B000-memory.dmp

memory/636-70-0x000000006FC80000-0x000000007022B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:21

Reported

2023-02-05 13:23

Platform

win10v2004-20221111-en

Max time kernel

117s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 204 set thread context of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4184 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 4184 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 4184 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 4816 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4816 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4816 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 204 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 204 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 204 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 204 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 204 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 52.182.143.208:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
DE 45.9.74.11:8081 tcp

Files

memory/4816-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/204-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/204-138-0x0000000000550000-0x0000000000CC4000-memory.dmp

memory/204-139-0x0000000006C10000-0x0000000006C32000-memory.dmp

memory/3684-140-0x0000000000000000-mapping.dmp

memory/3684-141-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

memory/3684-142-0x00000000053E0000-0x0000000005A08000-memory.dmp

memory/3684-143-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/3684-144-0x0000000005B90000-0x0000000005BF6000-memory.dmp

memory/3684-145-0x0000000006280000-0x000000000629E000-memory.dmp

memory/3684-146-0x00000000078C0000-0x0000000007F3A000-memory.dmp

memory/3684-147-0x0000000006770000-0x000000000678A000-memory.dmp

memory/3040-148-0x0000000000000000-mapping.dmp

memory/4008-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/4728-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 87da05817c96a0e43d3fd217bd55d487
SHA1 113729e74392904cf784f75d51ff45ddf0bab5af
SHA256 2c09df05726f5792bf69f357b25babb5e9fff0b2c6aa7a8ac07c3e558221d152
SHA512 6926c45427a4167205dac17f516e5a756b9580bae3044f6616efe7ebbd9e8c426ef9d605da66e42da1c85351f1e8541aef1373c1a6f4a0d52b279d72dc58a518

memory/4560-153-0x0000000000000000-mapping.dmp

memory/4560-154-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 079d95ce70af305d9758e05590df3801
SHA1 fe2e8d595219d6e33541d0848ec7def367989a2c
SHA256 0288f39b74b22888b96c8eae0918355f478e61ed8fc7eb7ca7bd0db39a810f6c
SHA512 61c6349ce3c8ba14d160fc7369a985f365e7ba959f45e671d390a5ab3790def60c4e65824af9019278a48a97daa6977a8a65616b1fd5855f650c0a8ddef5e165

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4745188f2ef7836f16d172a976e2416d
SHA1 8040ddba934b417b62c29eaaf3081d83b830c458
SHA256 92d47c4a9f882f22603f69b222e3c25998d7dbfa6f6bd560b1c3d8cbe33f522f
SHA512 b6ea66f18f0b3f6109f7cacb525730e223f5db1799d5079dd5bbfcc0282a82361d3f856c00103f9522781c3d0b0226839ea859c0840742b10166090bf3548d47

memory/4560-157-0x0000000000400000-0x0000000000731000-memory.dmp

memory/4560-159-0x0000000000400000-0x0000000000731000-memory.dmp

memory/4908-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4008-162-0x00000000075D0000-0x0000000007602000-memory.dmp

memory/4008-163-0x0000000074F50000-0x0000000074F9C000-memory.dmp

memory/4008-164-0x0000000006B00000-0x0000000006B1E000-memory.dmp

memory/4852-165-0x0000000000000000-mapping.dmp

memory/4008-166-0x0000000007950000-0x000000000795A000-memory.dmp

memory/856-167-0x0000000000000000-mapping.dmp

memory/4008-168-0x0000000007B90000-0x0000000007C26000-memory.dmp

memory/1196-169-0x0000000000000000-mapping.dmp

memory/4712-170-0x0000000000000000-mapping.dmp

memory/4008-171-0x0000000006480000-0x000000000648E000-memory.dmp

memory/4008-172-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

memory/4008-173-0x0000000007AD0000-0x0000000007AD8000-memory.dmp