Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qrffmahf98
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
purecrypter downloader loader persistence aurora stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader persistence aurora stealer

Detect PureCrypter injector

Aurora

PureCrypter

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:29

Reported

2023-02-05 13:32

Platform

win7-20220812-en

Max time kernel

137s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1916 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1916 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1916 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 976 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 976 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 976 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 976 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

Network

N/A

Files

memory/976-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/976-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 70ca98f6b6e2f19d58fd88341aaf4373
SHA1 58d77cb1b50f819cd1b20d742f83481638cc1cd6
SHA256 085fed4f510b09d3f804dc663024ac190bde5c0c2db1922c8223435e4ee5d84d
SHA512 754f558e1cc2273aaa011b530d67cbac682d6b5a94c14e4c6b2ba978730e6155a975b6f1eff6420d7f45b220ab66a5e2a65994de84dca8afe140aee4535c61b2

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 25ec587592d75b44f6d7106b7b206788
SHA1 c55e27e0700ba61e31495d60b692975549d6fca7
SHA256 fd7a0a53d63a3e3a2af1c4c44d01df27d9a775db51e005af2f95abc9333e8cde
SHA512 1c36f1aa3f33ec4d7949a882a3724d630d2ab3ae5e00988676951cfd92b800e63e6371706c002628856983704629805107ec1f4c50e276616a83c2e27c082480

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 819e52f78d32ed5456091b1476c8c9bc
SHA1 fcb172d81b2bf3bca6b35a67a214b420d015ccb9
SHA256 750b1fdc3460234f43055f9990fac114e431e1f5d96a17556e8adbc29501527a
SHA512 8e6b2349043a52b481701ef5c24ff8afdd96db9a908cde4ee19fbfa71c461dd9cc807234687f12ddb5cc991b88412a4c33e7a1efd671c91eca1f933526f931f3

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 ab62da9cf1f6aac48c79866376f134a4
SHA1 4d944d80cb465ac2dfef5045d7651b1e286ec352
SHA256 a9441308bfbfccd79b1240b4f44a09ea132fed07c2d8caeee56f4b3a1a66d682
SHA512 0a330772aebdc75ffb90cc8d3c18e486c940764671cb3393e98e76d412c7421f9c15806ac5d6a664ef7e3ebfb4d7fcc76380009c68e667a0423caa144964673c

memory/1520-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 24e56541f863b3425ee342fdeb1fa9d6
SHA1 0b6cda9b618ac4f9c9c59ac50849552d9a55d2be
SHA256 649683fce740a3a8b61ecb227d22da051d1b014710e6c932c5b4d7f056c84e1f
SHA512 aa327fd41a26e68c993afcb2e665ec498b36542beb6924495edc84051b60132253ab15b37de0ee66f8476bf3af6017b9fb72cae434dc94eb90402bf1c8c61ffc

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 69acf52b98e54723f8e9654456f26a76
SHA1 b90ec07466ad17fd3e5aae0cbf10416b2c40f522
SHA256 e10643095e20dbba531f2ddb1f9f7d811ef320023eb360346f36b7f57df44944
SHA512 e9e417949d53a699a69f448f72bb3b346bb73516ae9708c5e20653680ac36cd0ed3ba06402e551a1c79e794f9913720b133177c4ba2f38b1b47a04dfde7533b0

memory/1520-65-0x0000000000BF0000-0x0000000001364000-memory.dmp

memory/1520-66-0x0000000006450000-0x00000000067F0000-memory.dmp

memory/1740-67-0x0000000000000000-mapping.dmp

memory/1740-69-0x000000006F570000-0x000000006FB1B000-memory.dmp

memory/1740-70-0x000000006F570000-0x000000006FB1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:29

Reported

2023-02-05 13:32

Platform

win10v2004-20221111-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1288 set thread context of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 2904 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 2904 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 484 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 484 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 484 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1288 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1288 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 3552 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3552 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3552 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 20.189.173.10:443 tcp
DE 45.9.74.11:8081 tcp

Files

memory/484-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/1288-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/1288-138-0x0000000000DF0000-0x0000000001564000-memory.dmp

memory/1288-139-0x00000000074B0000-0x00000000074D2000-memory.dmp

memory/204-140-0x0000000000000000-mapping.dmp

memory/204-141-0x0000000003320000-0x0000000003356000-memory.dmp

memory/204-142-0x0000000005A90000-0x00000000060B8000-memory.dmp

memory/204-143-0x00000000060C0000-0x0000000006126000-memory.dmp

memory/204-144-0x0000000006220000-0x0000000006286000-memory.dmp

memory/204-145-0x0000000006880000-0x000000000689E000-memory.dmp

memory/204-146-0x00000000080C0000-0x000000000873A000-memory.dmp

memory/204-147-0x0000000006D80000-0x0000000006D9A000-memory.dmp

memory/4492-148-0x0000000000000000-mapping.dmp

memory/3648-149-0x0000000000000000-mapping.dmp

memory/3552-150-0x0000000000000000-mapping.dmp

memory/3552-151-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 0987692cd77cdaab33ca400b4ba2880b
SHA1 475f8d163f4c4a2f5dcf5c1e7a415144283c1cc0
SHA256 0b78c329099d788ff1fb61433347eaed47f8f3aab4e66406e31e602a594140a7
SHA512 fc50da481b3ea68a9cb3f8cf839a252e0b367829230a9a85e6918957aa9891975a83365800927330f5af4e9b95a397a8bdddabe1153ac28ad9718faed8318da7

memory/3552-154-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae6a293b7b9f26fa935156d5571afc86
SHA1 c1b2f06fe93ca42e024ada986e9243317158c702
SHA256 c66d1a0ed07e0b44789109df2ab3424b7bd1428e95e9b97e579e41df6ac1a7b0
SHA512 69d697a4e7893906036f59a84ad17e713ab54bd20153416b75fb6c758949f9183687b2566e5b6aff28c10de6a343779e7fca38d98ef761a19fe71d2fb8f61661

memory/3552-156-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 ea1a294133d0f531d5a520ab06fa1881
SHA1 dccd5b851a9cbe7902e9f53c4e2ebd98e65f6436
SHA256 221a11a74006bf538f78315a7860110688f7d028a757ef1b26185284fdc1f954
SHA512 af109b037d059b3b61c10ee24554c09259f470d48031cbc69e07286bb505d330f59b71f0254c93607f47d0387be78a9dc638292ab527e03656bdde2e9149d1bf

memory/3180-158-0x0000000000000000-mapping.dmp

memory/3648-159-0x00000000077C0000-0x00000000077F2000-memory.dmp

memory/3648-160-0x0000000074CC0000-0x0000000074D0C000-memory.dmp

memory/3648-161-0x0000000006BD0000-0x0000000006BEE000-memory.dmp

memory/3648-162-0x00000000079C0000-0x00000000079CA000-memory.dmp

memory/3648-163-0x0000000007BE0000-0x0000000007C76000-memory.dmp

memory/2452-164-0x0000000000000000-mapping.dmp

memory/1440-165-0x0000000000000000-mapping.dmp

memory/4048-166-0x0000000000000000-mapping.dmp

memory/3580-167-0x0000000000000000-mapping.dmp

memory/3648-168-0x00000000060F0000-0x00000000060FE000-memory.dmp

memory/3648-169-0x0000000007B60000-0x0000000007B7A000-memory.dmp

memory/3648-170-0x0000000007B40000-0x0000000007B48000-memory.dmp

memory/3552-171-0x0000000000400000-0x0000000000731000-memory.dmp