Analysis Overview
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Threat Level: Known bad
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Aurora
Detect PureCrypter injector
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-02-05 13:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 13:27
Reported
2023-02-05 13:30
Platform
win7-20220812-en
Max time kernel
70s
Max time network
43s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 13:27
Reported
2023-02-05 13:30
Platform
win10v2004-20220812-en
Max time kernel
103s
Max time network
140s
Command Line
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2032 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| US | 13.89.179.8:443 | N/A | tcp |
| NL | 87.248.202.1:80 | N/A | tcp |
| DE | 45.9.74.11:8081 | N/A | tcp |
Files