Malware Analysis Report

2024-11-30 21:52

Sample ID 230205-qsm7vshg23
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
aurora purecrypter downloader loader persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

aurora purecrypter downloader loader persistence stealer

Detect PureCrypter injector

Aurora

PureCrypter

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:31

Reported

2023-02-05 13:34

Platform

win7-20221111-en

Max time kernel

124s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 1364 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1364 wrote to memory of 752 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 752 wrote to memory of 552 (4 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 824 (4 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 1512 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 1708 (4 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35, a delay before the next stage runs)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument decodes to: set-mppreference -exclusionpath C:\, which adds a Microsoft Defender scan exclusion for the entire C: drive; the same encoded command is passed to the child powershell.exe below)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

Network

Country Destination Domain Proto
DE 45.9.74.11:8081 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:31

Reported

2023-02-05 13:34

Platform

win10v2004-20220812-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3460 wrote to memory of 4280 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 4280 wrote to memory of 4092 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4092 wrote to memory of 3728 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4092 wrote to memory of 4468 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 2028 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4092 wrote to memory of 4536 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4092 wrote to memory of 956 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4092 wrote to memory of 1172 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4092 wrote to memory of 2540 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4092 wrote to memory of 960 (3 events) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument decodes to: set-mppreference -exclusionpath C:\, a Microsoft Defender scan exclusion for the entire C: drive)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp (5 connections)
NL 8.238.21.126:80 tcp
US 20.42.65.90:443 tcp
DE 45.9.74.11:8081 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache