Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qtv9vshg28
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
aurora persistence stealer purecrypter downloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Observed chain, assembled from the two behavioral runs below: the sample is a self-extracting package that unpacks voiceadequovl.exe into %TEMP%\IXP000.TMP (the IXP000.TMP directory and the wextract_cleanup0 RunOnce value are the fingerprints of the Windows IExpress/wextract stub). That binary copies itself to %APPDATA%\Voice\voiceadequovl.exe, and the relocated copy runs two encoded PowerShell commands (a 35-second Start-Sleep and a Microsoft Defender exclusion for the whole C:\ drive), then starts a second instance of its own image and overwrites it through WriteProcessMemory and SetThreadContext, the process-hollowing pattern. On the Windows 10 run the hollowed instance triggers the Aurora signature, fingerprints the host through wmic (OS caption, GPU and CPU names) and opens a TCP connection to 45.9.74.11:8081. On the Windows 7 run the injection is retried repeatedly and no payload activity or network traffic is recorded.

Malicious Activity Summary

aurora persistence stealer purecrypter downloader loader

Detect PureCrypter injector

PureCrypter

Aurora

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:33

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:33

Reported

2023-02-05 13:36

Platform

win10v2004-20221111-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A

HKCU\Control Panel\International\Geo\Nation holds the user's configured country (a GeoID), and both the dropped copy and the relocated copy read it before doing anything else. Stealers use this value to refuse to run in regions their operators exclude, so the sandbox's region setting decides whether the rest of the chain executes at all; a detonation that stops right after this query should be repeated with a different region.

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Caveat: this RunOnce value is not persistence for the malware. A wextract_cleanup0 entry that calls advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory is the standard record written by the Windows IExpress/wextract self-extractor so that its temporary extraction folder is deleted at the next logon; the sandbox raises the signature on any Run/RunOnce write. The artifact the sample actually leaves behind is the copy in %APPDATA%\Voice, and neither run records a Run key pointing at it.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 536 set thread context of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

PID 536 is the %APPDATA%\Voice copy of the loader and 4904 is a second instance of the same image. The WriteProcessMemory table below shows 536 writing into 4904 eleven times before this context reset, and the Files section holds a dump of 4904 covering 0x400000-0x731000, an image-sized region at the default 32-bit load address. That combination is the process-hollowing pattern: the child's original code is replaced in place and its main thread is pointed at the injected payload. The wmic fingerprinting commands are then issued by 4904, i.e. by the injected code, not by the file on disk.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Note: the long wmic.exe list is that binary enabling every privilege present in its token at startup, which it does on every invocation; it is an artifact of the tool, not an action of the sample. Privileges 33 to 36 are LUIDs the sandbox did not resolve to names (mapped above from the Windows well-known privilege table). The powershell.exe entries also appear in sandbox runs of ordinary PowerShell scripts. The request attributable to the sample is the SeDebugPrivilege enabled by voiceadequovl.exe, the process that performs the injection shown in the next table.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3284 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 3284 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 3284 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 4648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4596 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4596 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4904 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4904 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4904 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
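The WriteProcessMemory table fires on every ordinary process creation (the parent writes the child's startup data), so on its own it says little; what separates injection from process spawning is which write pairs also carry a SetThreadContext and target the writer's own image. As an added example (not code from the sandbox report), the following Python rebuilds the process tree from rows in the report's own format and isolates the hollowing pair. The rows are copied from the two tables above with repeated rows collapsed; treating each write pair as a parent-child link is an assumption that holds for this sandbox's output but not for every tracer.

```python
import re
from collections import defaultdict

# Constructed sample: the distinct rows from the "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" tables of the
# behavioral2 run, in the report's own row format (repeats collapsed).
SIGNATURE_ROWS = r"""
PID 3284 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 4648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 536 set thread context of 4904 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4904 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
"""

# One row: "PID <src> <operation> <dst> N/A <src image> <dst image>"
ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def basename(path):
    """Last component of a Windows path (os.path would not split on '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return (image, writes, ctx): pid -> image path, plus the set of
    (src, dst) pairs seen for WriteProcessMemory and for SetThreadContext."""
    image, writes, ctx = {}, set(), set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, op, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        (writes if op.startswith("wrote") else ctx).add((src, dst))
    return image, writes, ctx


def roots(image, writes):
    """PIDs that are never the target of a write: the start of each chain."""
    targets = {dst for _, dst in writes}
    return sorted(p for p in image if p not in targets)


def hollowing_candidates(image, writes, ctx):
    """Process hollowing (ATT&CK T1055.012) shows as a parent that both writes
    into a child and replaces the child's thread context, where the child was
    started from the parent's own image.  A write alone is not evidence: the
    sandbox records one for every ordinary CreateProcess call."""
    return sorted(p for p in writes & ctx if image[p[0]] == image[p[1]])


def relocated_self_copies(image, writes):
    """Parent and child share a file name but not a directory: the staging
    copy from the IXP000.TMP directory into the Roaming profile in this report."""
    return sorted((s, d) for s, d in writes
                  if basename(image[s]) == basename(image[d]) and image[s] != image[d])


def render_tree(image, writes, root):
    """Indented process tree using the write edges as parent -> child links."""
    children = defaultdict(list)
    for src, dst in sorted(writes):
        children[src].append(dst)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    image, writes, ctx = parse_rows(SIGNATURE_ROWS)
    for root in roots(image, writes):
        print("\n".join(render_tree(image, writes, root)))
    print("hollowing candidates:", hollowing_candidates(image, writes, ctx))
    print("relocated self copies:", relocated_self_copies(image, writes))
```

Run against the rows above this yields a single root (3284), one relocation pair (4648 into the Roaming copy 536) and exactly one hollowing pair, 536 into 4904; the powershell.exe, cmd.exe and wmic.exe writes drop out because they are plain process creation.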

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

Decoded (-EncodedCommand is base64 of UTF-16LE text): start-sleep -seconds 35. The stall is placed before the injection so that a sandbox with a short time-out gives up before the payload appears. The image path is SysWOW64 although the command line names System32 because the 32-bit parent is subject to WOW64 file-system redirection.

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

Decoded: set-mppreference -exclusionpath C:\. This adds the entire system drive to the Microsoft Defender exclusion list, so nothing dropped or injected from C:\ afterwards is scanned. Set-MpPreference requires administrative rights, and the report does not record whether the call succeeded. On a suspect host, list exclusions with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath and remove unexpected entries with Remove-MpPreference -ExclusionPath.

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

The three wmic queries (OS caption, video-controller name, CPU name) build the host profile a stealer sends with its first beacon. The first is launched directly by PID 4904, the hollowed instance (the write to 1452 in the table above); the other two go through cmd /C wrappers whose PIDs the signature tables do not name, and the otherwise unexplained mapping dumps for PIDs 4032, 2332, 2492 and 3744 under Files most likely belong to them. The video-controller name is also a standard virtual-machine tell (VMware SVGA, VirtualBox Graphics Adapter and similar strings), so the same query doubles as a sandbox check.
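The two -ENC blobs in the process list are easy to skip over as opaque. As an added example (not part of the sandbox report), the following Python decodes -EncodedCommand arguments the way powershell.exe does (base64 of UTF-16LE) and flags the two evasion behaviours seen here, a timing delay and a Defender exclusion for a drive root. The command lines are copied from the Processes list above plus one wmic line as a control; the abbreviation list for -EncodedCommand and the rule set are my assumptions and are not a complete catalogue of PowerShell tampering.

```python
import base64
import binascii
import re

# Constructed sample: command lines copied from the behavioral2 "Processes"
# list above, plus one unencoded wmic line as a control.
COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==',
    r'"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    r'powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    r'wmic os get Caption',
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the list of
# abbreviations below is an assumption covering the common ones, not all.
# The argument is base64 of UTF-16LE text.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if the command line
    carries none or the blob is not valid base64 / UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(text):
    """Map a (decoded) PowerShell command to the evasion behaviours it shows."""
    findings = []
    m = re.search(r"(?i)start-sleep\s+-s(?:econds)?\s+(\d+)", text)
    if m:
        findings.append(f"sleep_delay:{m.group(1)}s")  # outlast a sandbox time-out
    m = re.search(r"(?i)(?:set|add)-mppreference\s+-exclusion(?:path|extension|process)\s+(\S+)", text)
    if m:
        target = m.group(1).strip("'\"")
        findings.append(f"defender_exclusion:{target}")
        if re.fullmatch(r"[A-Za-z]:\\?", target):
            findings.append("defender_exclusion_drive_root")  # whole volume left unscanned
    if re.search(r"(?i)set-mppreference\s+-disable\w+\s+\$?true", text):
        findings.append("defender_feature_disabled")
    return findings


def analyse(cmdline):
    """Decode if encoded, then classify whichever text the shell would run."""
    decoded = decode_encoded_command(cmdline)
    return {"cmdline": cmdline, "decoded": decoded,
            "findings": classify(decoded if decoded is not None else cmdline)}


if __name__ == "__main__":
    for r in map(analyse, COMMAND_LINES):
        print(r["decoded"] or "(not encoded)", r["findings"])
```

The classifier runs on the decoded text when there is one and on the raw command line otherwise, so an unencoded `powershell Set-MpPreference -ExclusionPath C:\` is caught the same way; the drive-root rule is the one worth alerting on at high severity, since an exclusion for a single file is occasionally legitimate but an exclusion for C:\ never is.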

Network

Country Destination Domain Proto
US 20.42.65.89:443 tcp
NL 104.80.225.205:443 tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
DE 45.9.74.11:8081 tcp

The Domain column is empty: every connection went to a raw IP address with no DNS lookup recorded. The 80/443 destinations sit in ranges allocated to Microsoft (20.42.65.89, 72.21.81.240) and Akamai (104.80.225.205) and look like Windows background traffic in the sandbox; treat that as an assumption to verify against your own telemetry, not a finding of this report. The one connection on a non-standard port, 45.9.74.11:8081, comes from the run in which the Aurora signature fires and is the candidate command-and-control endpoint; the Windows 7 run, where the payload never executes, records no network activity at all.

Files

memory/4648-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/536-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/536-138-0x0000000000FD0000-0x0000000001744000-memory.dmp

memory/536-139-0x0000000007690000-0x00000000076B2000-memory.dmp

memory/1072-140-0x0000000000000000-mapping.dmp

memory/1072-141-0x0000000003200000-0x0000000003236000-memory.dmp

memory/1072-142-0x0000000005980000-0x0000000005FA8000-memory.dmp

memory/1072-143-0x00000000060B0000-0x0000000006116000-memory.dmp

memory/1072-144-0x0000000006190000-0x00000000061F6000-memory.dmp

memory/1072-145-0x00000000067E0000-0x00000000067FE000-memory.dmp

memory/1072-146-0x0000000007DC0000-0x000000000843A000-memory.dmp

memory/1072-147-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

memory/4596-148-0x0000000000000000-mapping.dmp

memory/4160-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/4904-151-0x0000000000000000-mapping.dmp

memory/4904-152-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 85b6f1bf920b61728ad551e16ab03601
SHA1 a1969c83639371126a50c9854b6cd713d298ea50
SHA256 6265bd83e7ebfc671b6f66c1bff7068c9b1a7425240b67c5a0d8788a816dea5d
SHA512 60b8dfbdc9c37780caab07bebe5fa866f32b5efb9a63fd3091d392b71d8ac1695e949dbe95e622e7ef319e8ba81818e13771b2ad7e80bf208e81517e8cefe31a

memory/4904-155-0x0000000000400000-0x0000000000731000-memory.dmp

memory/4904-156-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8d5d40478bd63912ec15a8763a4ed7a
SHA1 364e29e4c2e2a4e0320cd2521e8439435647f672
SHA256 47586743c4ff8f7ed28ea28a7c6bd23a7e4f31cb8d0243382e88c0e8cbbff2a1
SHA512 4044b2c2763f956f61604641a4e77920aae6f445b735095ae089dc14c95589be81fed45e514ebcc754e0064d009927b7ebb3bc2f0112c2e75fbd2f6adee1017d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4160-159-0x00000000077A0000-0x00000000077D2000-memory.dmp

memory/4160-160-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/4160-161-0x0000000006D80000-0x0000000006D9E000-memory.dmp

memory/1452-162-0x0000000000000000-mapping.dmp

memory/4160-163-0x0000000007B90000-0x0000000007B9A000-memory.dmp

memory/4160-164-0x0000000007DD0000-0x0000000007E66000-memory.dmp

memory/4032-165-0x0000000000000000-mapping.dmp

memory/2332-166-0x0000000000000000-mapping.dmp

memory/2492-167-0x0000000000000000-mapping.dmp

memory/3744-168-0x0000000000000000-mapping.dmp

memory/4160-169-0x0000000006660000-0x000000000666E000-memory.dmp

memory/4160-170-0x0000000007D30000-0x0000000007D4A000-memory.dmp

memory/4160-171-0x0000000007D10000-0x0000000007D18000-memory.dmp

memory/4904-172-0x0000000000400000-0x0000000000731000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:33

Reported

2023-02-05 13:36

Platform

win7-20220812-en

Max time kernel

86s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1728 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1728 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1728 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 952 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 952 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 952 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 952 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1312 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 524 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1312 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Network

N/A

No connections were recorded on the Windows 7 run. This run never reaches the stealer stage: the %APPDATA%\Voice copy (PID 1312) writes to seven successive child instances of its own image (592, 1668, 632, 1980, 524, 1392, 872), there is no SetThreadContext row, the process list carries twenty instances of that binary, and the Files section lists its path with more than a dozen distinct hashes, so the sandbox saw the file's content change repeatedly. That reads as an injection retry loop that never produced a running payload, which is why neither the Aurora signature, the wmic fingerprinting nor any traffic appears here, and why the Windows 10 run is the one to take indicators from.

Files

memory/952-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 60ce69fc83365dcf75fd3fef57e1b727
SHA1 6a3c51f8f2c67056109c01625562575a146ad21d
SHA256 2cb1af41aeb2acb9ca635ebdbbfcc6caea4dc7bc1f24f7bca0ccada1850309a2
SHA512 fb70b631224043a097e032d2ce9a3a96ad0bcb1d283b8b53c9a0161dbb9f84ec05f06da705602a3f7bfc0e74ee2467dcd11ba249306411ac7df067613dae5cea

memory/952-56-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 f5f1d72788a9140475f943309dd6d5e4
SHA1 805af08224cd8b4dd0e1a7fe59419a7b1d7f07c8
SHA256 e0f2f2867d117b5bcc3f63cb700ae96eccf90be1ffe7a42614023981d52c4a17
SHA512 0e689ecdd6397424f5d43031ce057e1f1f31b4c1b3e5b234335f311c3e89ad749105bbf247b189107d9e4d784a552b2baef6813ffb20b3d9632e188e47968a72

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 d475b6cf6be3bf7c604094cec682e704
SHA1 3b3b87e2878e1d7fbd1d31203f4d14b67377ff6d
SHA256 27866f5184a5dbb08d452bdfff5d87405ba73658dfa3ab3fa4ee1b5c013b948f
SHA512 4e6a8648bae10d3c5935abb112deb26cd1d5c3956807a202ec5f804e4322f46a8ee35400d5e9e6d8f0052460050f08f66df96d2a6de9bb835648d9a329e148fe

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 ce179c2a45984e7dc1edda9dbf250274
SHA1 5e0d82729c4508c172997141436ebb86582a7e51
SHA256 a5c15078530cea94fc2b835fa486094f38e04035c1a380a0800e0b1f9e7431e4
SHA512 5c25326fced5d29651721e01ac678357131cc98d33d5bdb4b14a5dc4ff89baa0d068c29a305ed0517b90325ae0b4e86c9626abf5864fd9f65319c1eee2f5783c

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 3c82a2c874ddb75e2a45b0cf373221d5
SHA1 8d1006f5ff6dc1ed07a8beba5ea7c6191cff205c
SHA256 9bf0074f9521a7cc173ef281dacf02536351325215e4081fbec85b179a0dd0dd
SHA512 29b8ca39cbd60044b622b5bccb90a19394d87c75ce36d079b81a67e06ca12031c99e2a3a558fc0388f953c9fc908f8b940e91591f74f311cebd305ef7735a52d

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 8600fd1288dda16a120cb27366c353e4
SHA1 ca7d2da689261b9f1e238929766665f9fc4cef5d
SHA256 75b99b5d6dff7c4b103a32153e30af45b6675ab26d58dd5530168d9c9bb14084
SHA512 61fc2b284b6afd3c2e5077b741d43ce4189fc980c5555a3eb7c46cea7548af8631a617e8fb9b37f17647da926b5b06ccf5979feb067fb71cbf17f95ef1efb36f

memory/1312-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 507d618a86d89a02b040182c5bc9342c
SHA1 24d84110fe6dd3767d9fce4cca5e3d566c324f97
SHA256 9d3691114a97c0a29819e7da05cffaddce07387c4c1f7fd9d04a428955bb4e31
SHA512 6a38be454356b712bb143afbd7bd9c214dc41266e717bfb418dcdf9a5f6937840804f180a9d08c921ac6b85a509a77d0898ccab400aa4e077c01b6f435c34b3d

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 49fbffff141834be4bddc71a4e953fdc
SHA1 4350f25a05b77bc3f2ac1a2ccc91aff9a7182e9f
SHA256 306ab48ae58eb9fe8dd8afd5bc4bb23520e414ebb054bbd9956ade784eddd298
SHA512 36205020ed0b4a6dc7fa5896542ca18f6a87fbf8346d4392ea03efc56d7589dcee255bd5c922920311d06e53486719a56ebfa833b746442799345d78680ed05f

memory/1312-65-0x0000000000320000-0x0000000000A94000-memory.dmp

memory/1312-66-0x00000000064D0000-0x0000000006870000-memory.dmp

memory/1196-67-0x0000000000000000-mapping.dmp

memory/1196-69-0x000000006F5A0000-0x000000006FB4B000-memory.dmp

memory/1196-70-0x000000006F5A0000-0x000000006FB4B000-memory.dmp

memory/1196-71-0x000000006F5A0000-0x000000006FB4B000-memory.dmp

memory/1852-72-0x0000000000000000-mapping.dmp

memory/1312-73-0x00000000053A0000-0x0000000005512000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 643cf7240942bc023af792411056cebf
SHA1 8ebebdecccff5d2bf2d5f3c2ace3ba237e8aacb0
SHA256 856401329af80af877e94ec026e9f15b9e2edec4fa528cb7cb1e4880315a5dd5
SHA512 c886300d8079872213549ba014a591a9f979ca3d359cb503cf1b0b38cf701abcd5cc856577bbe7191d48e2ae1ca42bfe5bc9f6852ba9df3fcb12483bbea324c0

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 13f18bbe7b2165d7e344b0872aca4b9f
SHA1 fa0b72acdedeb31605b6c40b4d7abbceef56a446
SHA256 0da7ca9168fb1cf7e39ff12040d71f68e7739d0961137da0b4e9fec05e10521e
SHA512 f0663c811a2a8ec0dd2d05e80f041c07c4085d2841e98f46cbcf4d0dbda4fc1781f7e3bfc8acd366e012db5c75f2c6f06c3bbbd8dffce1c73e71e305e5c21f05

memory/996-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5e5eb5f7da1d5cf928a1043771faadbf
SHA1 2a78eb58041ac3b4d74f85f988771eecd4a98ed2
SHA256 1540c0a54d33807a15fac41a27f68b45213b28093733e400b25bf616e7386133
SHA512 1d9fcfd3e4f98f4ecd3f600beb06add7bfa0cd30c407dce2ec820836a85da0adc803bda9de8a6739f45a309d7f3b58dacf7990a3004b7a1fefa7b3d6588b9a66

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 5a20766aa2701109963a37b0cd8a0c45
SHA1 a2d88ec91b1cf444d488547626f1af4e6f8a99f4
SHA256 af878b2702384f8401e1e9cbfb574a05eaa9be649c59bcf5e4a675ad0199b626
SHA512 0c90cf3cecbffc315e191427ac4468647d0f3c34ac32eee3206fb72ed6401a997bf2ebe3597c4f3a323f54e19ce2e4d6924d007e4068ae16e4f5d150969b3af0

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 c5a17458c54d4c86696d749a150a8026
SHA1 31276bda5ae97f09f1b5eafefddc942bfb5bb463
SHA256 14f3f66c43deffede31bdb214e06517c19a48be2711143815428d45fd81fe5b2
SHA512 70e129426b1b04e791137a87b88393a7f8e4d794d39511c57573c26eba39d9e79a4d14f40d2f704f2d602d3a982e943f308c6d46090c44164d01896d02226f37

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 f253306e14932da8cdc629c432fd741b
SHA1 440b65c5d8310c1ed4b1ba76ed365c2eb39f9262
SHA256 7b592f752786faaf172665483a7767c0dfbbd3004e2e481c4704a5c63735326b
SHA512 d83ad361933065c8466d19cb2f3982b99570eb1f25272df440460af3e7a6975b392f3ab73e91a89706bec8ec6c1de467be1464fa73ad868b4747e9d722e6dae2

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 c5a17458c54d4c86696d749a150a8026
SHA1 31276bda5ae97f09f1b5eafefddc942bfb5bb463
SHA256 14f3f66c43deffede31bdb214e06517c19a48be2711143815428d45fd81fe5b2
SHA512 70e129426b1b04e791137a87b88393a7f8e4d794d39511c57573c26eba39d9e79a4d14f40d2f704f2d602d3a982e943f308c6d46090c44164d01896d02226f37

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4f627fc5c7710fa75132b25ad613ecb0
SHA1 bd690529c8fb5f508970c9a1059b0b57ecf39ef4
SHA256 0929e1d7e1c1998d6a76511c2a61e88bde6071c123fae6d16dfbe751476cb3e7
SHA512 e49212d68711e43f7dfa83f0251e61875a220a37c6337724c3dfcd93646e5a45e23758380065b655efe7500d264693b444061c14024b7943a083a577feeb06ef

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4f35c0d0a3c25d5d1418dd919618494c
SHA1 df608fa4563790e926576aa66f2d173d611a2775
SHA256 7f71614346999a99b84ff9f2430c9ee7cac59f0aba724bb9f186b5e6f2ff3492
SHA512 02aa5fdb2282175f06a1f1ecc8e8a2dfe13631366f0f8618af49658d05c8189f9030af4725afb37eab1db6843646c418ab2567d7b051877f96d083d5f4a029d4

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 eb00da285839072ef5a6160eb8428884
SHA1 6b056fedd14a05a37139974799396361c9bb41ea
SHA256 3e59b955efcc34b94def0ef44ad22d59bd60086da5bdc3396002c08a8a4b1814
SHA512 c68a1939d29125523516cc6e91e28dde08d40717520b7d92251921eefd188e61e025fbd887a701590efe7506cb77da503f7e3d60c16f365ceb04f8a51fedc966

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 c5a17458c54d4c86696d749a150a8026
SHA1 31276bda5ae97f09f1b5eafefddc942bfb5bb463
SHA256 14f3f66c43deffede31bdb214e06517c19a48be2711143815428d45fd81fe5b2
SHA512 70e129426b1b04e791137a87b88393a7f8e4d794d39511c57573c26eba39d9e79a4d14f40d2f704f2d602d3a982e943f308c6d46090c44164d01896d02226f37

memory/996-87-0x000000006F2F0000-0x000000006F89B000-memory.dmp