Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qvxjbada7v
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
aurora purecrypter downloader loader persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

aurora purecrypter downloader loader persistence stealer

Aurora

Detect PureCrypter injector

PureCrypter

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:35

Reported

2023-02-05 13:38

Platform

win7-20221111-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Note: the wextract_cleanup0 value, which calls advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory, is the standard cleanup entry written by the Windows IExpress/wextract self-extractor. At the next logon it deletes the extraction directory; it does not re-launch anything. It tells you the outer sample is a wextract package, not that the payload persists through RunOnce: neither detonation records a Run or RunOnce value for C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 1300 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1300 wrote to memory of 1188 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1188 wrote to memory of 1140 (4 writes) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 1632 (4 writes) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1664 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1188 wrote to memory of 112 (5 writes) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Resulting lineage: 1540 (dropper) -> 1300 (IXP000.TMP\voiceadequovl.exe) -> 1188 (Roaming\Voice\voiceadequovl.exe) -> {1140 powershell.exe, 1632 cmd.exe -> 1664 powershell.exe, 112 voiceadequovl.exe}. Every ordinary spawn in this table is recorded with four writes; the 1188 -> 112 pair carries a fifth write into a second instance of the same image, which, together with the memory/112-*-0x0000000000400000-0x0000000000731000 image-range dumps listed under Files, is consistent with the injector behaviour the "Detect PureCrypter injector" signature is named for.

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

Network

Country Destination Domain Proto
DE 45.9.74.11:8081 tcp

Files

Note: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe appears seven times below with seven different hash sets (MD5 4d7eca6f..., cd9ef61b..., 6b8d779a..., e380800f..., a2d46e22..., 71fa9caf..., 4afe5c3d...), so the content at that path changes repeatedly during the run; none of those hashes is a reliable pivot on its own. The IXP000.TMP copy (SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5) is identical in both detonations and is the hash to pivot on for the extracted stage.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/1300-54-0x0000000000000000-mapping.dmp

memory/1300-56-0x0000000075C31000-0x0000000075C33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4d7eca6fb47c5c8841dfcba0647776ab
SHA1 d502949611b4bc31a9b30655c40644ab30eff6b9
SHA256 9b34b09550860805a1bde855808d9474943a7a83458ae54c79ebd9f3bce74dfc
SHA512 dca33dbcbadf13fa3c0d808fe4bab466830c2aaa37a87d015b309310c28acaab456d59219de4078ab2399764bb44b5a485f3a462c14b275ced3b14fc67bee334

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 cd9ef61bb6ee9e661ae5c5970d29ffac
SHA1 17debe4b1c231bcc2b379077886764012f1a5588
SHA256 61938afa0a148bec26e0138249c00a3630e77618ba18d757a9fc6a1229939976
SHA512 f046551b99bce87b4771d9bd1ab9419c086616850ed1dc76b0215196718776b5c3aef9f890af45eb0b5702189a599812defdf21155ae611da04743a2950b9df8

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 6b8d779a2014f60918ad661c1ab7f238
SHA1 e84139c854e501b61504afc28018525ca9c5f0a9
SHA256 2a3fa1df8b67a7226cc1100a532c164ec157e98880d477a0cda4e3f46222af8c
SHA512 3e6f4aebe8230d76f21a054a26de5baf1a42181c1097f50548bbf11461724d18207ba9172ec5beb02a5f95d64567abd51a10ada81b29852604dcd03a26f8acc8

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 e380800fab17ddf75a1a89b4abf1e28c
SHA1 9f99a768cee6639efd5eb9c007c39c25710d94bc
SHA256 b8d998c04cede779c08f1e1b394fc40b4d1268b242787c84e3664aadd01bfe15
SHA512 616169c1ca53e16da071dac4ef01bafdf56da94c1a3b6046e23e7c4261ed54e38e59ad70e55cf5487bb37dcdf223c75d3eabb461bf32993af51acad1899fb58b

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 a2d46e222e7fd4c425386feb6e48150b
SHA1 40ba8494df5db79492cfd53290f2c4c1fc91e1f5
SHA256 09dba61f312603bc77f7e741ef103fd436389db0c1096402563c31b892669b97
SHA512 93378a6e0a834748320b4681b7b4273ec772df40b8199a0ec7cc11678b1e8a39a9bc9e0091345a6af5984bd9e2b6f1efc98aa6aebf911c44345733e06db0c0dc

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 71fa9caf52e001c875eeacfea3dc5fd9
SHA1 2a61b5248eb52427ac053db2b949b728d150d3ee
SHA256 d9765a09ceb82b5684b2b28b9e0a249de0d29578d041c01125ddd622fb5cd3a0
SHA512 013c1229f25ec82ce116c3d26d08aa601bde554016e210ae8400b31ac28aae1ff1b75a7a8a0f98bffdd249b4b795077bab8dec1e75d0316e2018455f47978877

memory/1188-62-0x0000000000000000-mapping.dmp

memory/1188-65-0x0000000000CE0000-0x0000000001454000-memory.dmp

memory/1188-66-0x0000000006490000-0x0000000006830000-memory.dmp

memory/1140-67-0x0000000000000000-mapping.dmp

memory/1140-69-0x000000006FF50000-0x00000000704FB000-memory.dmp

memory/1140-70-0x000000006FF50000-0x00000000704FB000-memory.dmp

memory/1140-71-0x000000006FF50000-0x00000000704FB000-memory.dmp

memory/1632-72-0x0000000000000000-mapping.dmp

memory/1188-73-0x0000000005260000-0x00000000053D2000-memory.dmp

memory/1664-74-0x0000000000000000-mapping.dmp

memory/112-75-0x0000000000400000-0x0000000000731000-memory.dmp

memory/112-76-0x0000000000400000-0x0000000000731000-memory.dmp

memory/112-79-0x0000000000400000-0x0000000000731000-memory.dmp

memory/112-82-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 341c6f360834aeb2e78bb653654c7b97
SHA1 b7dd21a19e7389dff00620283b78f609cc664cc8
SHA256 ea83722a9073378c34c087e4010c8e25413860334a78202809a989a972c3d9fc
SHA512 04bb495aabf267630d397770cca0a28b186b3dffcf88fcd8077b339732b4c33ee99ae4ad7b9f1a5e73f466a722e723ca2e3c00ae54d3bd60257cc9f284b9ae47

memory/112-85-0x0000000000400000-0x0000000000731000-memory.dmp

memory/112-84-0x0000000000400000-0x0000000000731000-memory.dmp

memory/1664-87-0x000000006FAD0000-0x000000007007B000-memory.dmp

memory/112-88-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4afe5c3dc87e97a93d3e1fd6219c7903
SHA1 9dd8ff1e7a866be3e53a442f8e37d3eb225a42d6
SHA256 0d149c6078a1a0c40bd9906561a41e254edc2805eeaafbe7296f39a58d4c7ba1
SHA512 d7b6d86988c2e8c56f5c9bcf7d173e2f0306a028e328f86f06675d3832a7d8158779e822575427b696267e631c536e3e3c6d747ee298abb45f1daf0925b5dfe4

memory/112-90-0x0000000000464C20-mapping.dmp

memory/112-89-0x0000000000400000-0x0000000000731000-memory.dmp

memory/112-93-0x0000000000400000-0x0000000000731000-memory.dmp

memory/112-94-0x0000000000400000-0x0000000000731000-memory.dmp

memory/668-96-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:35

Reported

2023-02-05 13:38

Platform

win10v2004-20220812-en

Max time kernel

138s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Note: this is the IExpress/wextract self-extractor's own cleanup entry (it deletes IXP000.TMP at next logon), not a persistence entry for the dropped payload; no Run/RunOnce value for the Roaming\Voice copy is recorded.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 1016 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1016 wrote to memory of 3912 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 3912 wrote to memory of 4188 (3 writes) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4564 (3 writes) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 3528 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 2180 (3 writes) N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Resulting lineage: 4892 (dropper) -> 1016 (IXP000.TMP\voiceadequovl.exe) -> 3912 (Roaming\Voice\voiceadequovl.exe) -> {4188 powershell.exe, 4564 cmd.exe -> 3528 powershell.exe, 2180 voiceadequovl.exe}. The same chain as on Windows 7, including the final write by 3912 into a second instance of its own image.
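
The WriteProcessMemory tables in both detonations are really an edge list with multiplicity: one row per call, parent PID on the left, child PID on the right. The script below is an added example (not sandbox output and not the report's own tooling) that parses those rows, collapses the repeats into a count, prints the lineage as a tree and flags edges where a process writes into a second instance of its own image, the shape a self-injecting loader leaves. The embedded rows are copied from the behavioral2 table above as constructed sample input; the optional "(N writes)" annotation the parser accepts is an assumption about a condensed table layout, not a sandbox format.

```python
"""Rebuild the process lineage from a sandbox "Suspicious use of
WriteProcessMemory" table.

Every row is one WriteProcessMemory call from a parent PID into a child PID,
so the same pair repeats once per call; the table is an edge list with
multiplicity. This script parses the rows, collapses the repeats into a count,
prints the tree, and flags edges where a process writes into a second
instance of its own image, the pattern an injector leaves. Rows below are
copied from the behavioral2 table (constructed sample input, embedded so the
script runs offline); the parser also accepts rows carrying an
"(N writes)" annotation, which is this script's own convention.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)"
    r"(?: \((?P<n>\d+) writes?\))? N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(lines):
    """Return (edge_counts, image_by_pid).

    edge_counts: Counter {(src_pid, dst_pid): number of writes}
    image_by_pid: {pid: image path}, first occurrence wins
    """
    edges, images = Counter(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # header line or unrelated text
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += int(m["n"] or 1)
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
    return edges, images


def build_tree(edges):
    """Return (root_pids, children) with children = {pid: sorted child pids}."""
    children, targets = defaultdict(list), set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    for kids in children.values():
        kids.sort()
    roots = sorted(p for p in children if p not in targets)
    return roots, dict(children)


def self_image_edges(edges, images):
    """Edges whose source and destination run the same image path (self-injection)."""
    return sorted(e for e in edges if images[e[0]].lower() == images[e[1]].lower())


def render(edges, images):
    """Indented tree, one process per line, with the write count from its parent."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, parent, depth):
        note = "" if parent is None else f"  [{edges[(parent, pid)]} writes from {parent}]"
        lines.append("  " * depth + f"{pid} {images[pid]}{note}")
        for child in children.get(pid, []):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return "\n".join(lines)


# Constructed sample: the six distinct pairs from the behavioral2 table,
# each repeated as many times as the report lists it.
BEHAVIORAL2_ROWS = (
    [r"PID 4892 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe"] * 3
    + [r"PID 1016 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"] * 3
    + [r"PID 3912 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"] * 3
    + [r"PID 3912 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe"] * 3
    + [r"PID 4564 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"] * 3
    + [r"PID 3912 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"] * 3
)

if __name__ == "__main__":
    edges, images = parse_rows(BEHAVIORAL2_ROWS)
    print(render(edges, images))
    print("self-image writes:", self_image_edges(edges, images))
```

Paste the behavioral1 rows in place of BEHAVIORAL2_ROWS to get the Windows 7 tree; there the 1188 -> 112 pair is the only self-image edge and carries one write more than every other spawn.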

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name
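
Two of the command lines in this list (and the same two in behavioral1) carry PowerShell -ENC blobs. -EncodedCommand takes Base64 of the script encoded as UTF-16LE, so a plain Base64 decode shows every second byte as 0x00; decoded as UTF-16LE they read "start-sleep -seconds 35" (a delay before the next stage) and "set-mppreference -exclusionpath C:\" (a Microsoft Defender exclusion for the whole system drive). The process path is SysWOW64 although the command line names System32 because the 32-bit parent's System32 reference is redirected by WoW64 file-system redirection. The script below is an added example, not the report's or the sandbox vendor's code: it decodes the blobs and tags the decoded text, along with the plain wmic recon commands, using rules that are this script's own and generalise slightly beyond the report (any Set-MpPreference exclusion, any Start-Sleep, any wmic os/cpu/video query). The command lines are copied from this report as constructed sample input.

```python
"""Decode PowerShell -EncodedCommand (-ENC) arguments from a sandbox process
list and tag the behaviours an analyst triages first.

-EncodedCommand carries the script as Base64 over UTF-16LE, so a plain Base64
decode shows every other byte as 0x00 ("s.t.a.r.t"); decoding as UTF-16LE
recovers the text. The command lines below are copied from the report's
Processes sections (constructed sample input so the script runs offline); the
tagging rules are this script's own and are not sandbox output.
"""
import base64
import re

# -enc / -ec / -e / -encodedcommand, case-insensitive, followed by the blob.
ENC_RE = re.compile(r"-(?:enc|ec|e|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Tag name -> pattern applied to the decoded (or plain) command text.
# Generalised slightly beyond the report: any Set-MpPreference exclusion,
# any Start-Sleep, any wmic os/cpu/video query is tagged.
RULES = [
    ("defender-exclusion", re.compile(r"set-mppreference\b.*-exclusion\w*", re.I)),
    ("delay-sleep", re.compile(r"\bstart-sleep\b", re.I)),
    ("wmi-host-recon", re.compile(r"\bwmic\b.*\b(?:os|cpu|path\s+win32_videocontroller)\b", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the decoded script for a powershell -ENC command line, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # restore padding if it was trimmed
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Return (effective_command, tags) for one process command line."""
    decoded = decode_encoded_command(cmdline)
    effective = cmdline if decoded is None else decoded
    tags = [name for name, rx in RULES if rx.search(effective)]
    if decoded is not None:
        tags.insert(0, "encoded-powershell")
    return effective, tags


def triage_all(cmdlines):
    """Map each command line to its (decoded text, tags); untagged lines are kept."""
    return {c: triage(c) for c in cmdlines}


# Constructed sample: command lines as they appear in this report.
REPORT_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==',
    r'"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    "wmic os get Caption",
    'cmd /C "wmic path win32_VideoController get name"',
    'cmd /C "wmic cpu get name"',
]

if __name__ == "__main__":
    for cmd, (text, tags) in triage_all(REPORT_CMDLINES).items():
        print(f"{','.join(tags) or '-':40} {text}")
```

On a live host the exclusion this sample sets is visible with Get-MpPreference (ExclusionPath) and under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths; an exclusion covering C:\ is never legitimate and is worth alerting on regardless of which process added it.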

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
GB 51.132.193.104:443 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
DE 45.9.74.11:8081 tcp

Note: 45.9.74.11:8081 (TCP, no domain resolved, contacted directly by IP) is the only destination seen in both detonations; the other entries appear only in this Windows 10 run.

Files

memory/1016-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/3912-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/3912-138-0x0000000000650000-0x0000000000DC4000-memory.dmp

memory/3912-139-0x00000000056E0000-0x0000000005702000-memory.dmp

memory/4188-140-0x0000000000000000-mapping.dmp

memory/4188-141-0x0000000002680000-0x00000000026B6000-memory.dmp

memory/4188-142-0x0000000004E50000-0x0000000005478000-memory.dmp

memory/4188-143-0x0000000005570000-0x00000000055D6000-memory.dmp

memory/4188-144-0x0000000005650000-0x00000000056B6000-memory.dmp

memory/4188-145-0x00000000049D0000-0x00000000049EE000-memory.dmp

memory/4188-146-0x00000000072A0000-0x000000000791A000-memory.dmp

memory/4188-147-0x0000000006170000-0x000000000618A000-memory.dmp

memory/4564-148-0x0000000000000000-mapping.dmp

memory/3528-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/2180-151-0x0000000000000000-mapping.dmp

memory/3056-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4e0ee541936eda55f1fb600340ae8cb7
SHA1 c7c716ea601e54d91a786f3222c8995082bbeb82
SHA256 27610219167f39ba791bcad5205d2497704f623aae4ea3b48e4f99b84afb0bfa
SHA512 58e46f0cd2ace6f6d84117e63f1591772d5558f73b3d14ea4689f4a7878eb974d701f77988d79429b3b4dce4fe6d45d24ef77ba1eb4e5eaa288f0c53bd4efe43

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 e5a6c58ca750b0bf624ea02699acea32
SHA1 8f724eaf1df9f426b58d076faebcdcd9f71d7eda
SHA256 9fe1da0d9dc05687d980270d2758b6d39aa59a9ed9409210a441d51c79909c43
SHA512 f24579f7e0bbae189ad160eda613abc066809335c38f7da985f4f9c98b35b2f7f467102049230fcf752150332d706132cfc9fc10ae407f3dc99b8ad7c5a4016a

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4d01cf736f52444322f13c63d07f03dc
SHA1 fad2413d5a373fad6d3652a4839e6000a6c2d7fb
SHA256 8fde44b5a1ffc7a62d7321e15a061621beb2c8f00a04020e2bc838d4ef9d266b
SHA512 2f8ac746b49d6a7d40198416afac70b6f00e86ac8facc7a881fe208ee65054e4ade2d1ca872dfc7d736fd58d2d886bbfe7c65724ffe0040e61e3f9d48598b7d8

memory/3988-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3c27eaa7ba8319eba83a3ede7147fd3
SHA1 fabe33e589c1b1844c6a1406a1c0d437e6b884d3
SHA256 a50dc1aa7049f040d9eefc7e3c559ea76054fcc1d1bb19adab8ca18aa803e687
SHA512 cc243f227b39a127051ded06d9963f26181585d32ff53db9b78b4ae80eeb129abea44021b8dc65a7c34c1a77a24c334671406bcdef913ec20a7127141abf7b14

memory/4072-159-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 91a082f74067da275a5a8559f84f5d83
SHA1 f50b0db6dc044a3126ce6fa10258820730ca6160
SHA256 89cd20cd046b771ef5171af1d16f1d642f864e394d2c8a0d0d0284205ec8f356
SHA512 dcfcc9134d1fc0ad9364c2eee11ac19d968d7e7e5d9395a4d4f77790541ee26c93b6f99a2a1946a12914e31c6bbf6a82902a4c1c6b8002daa64739c814b6b869

memory/4072-162-0x0000000000400000-0x0000000000731000-memory.dmp

memory/4072-158-0x0000000000000000-mapping.dmp

memory/4072-163-0x0000000000400000-0x0000000000731000-memory.dmp

memory/452-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/3528-166-0x0000000007810000-0x0000000007842000-memory.dmp

memory/3528-167-0x0000000075200000-0x000000007524C000-memory.dmp

memory/3528-168-0x00000000077F0000-0x000000000780E000-memory.dmp

memory/3528-169-0x0000000007A00000-0x0000000007A0A000-memory.dmp

memory/1532-170-0x0000000000000000-mapping.dmp

memory/3528-171-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/3808-172-0x0000000000000000-mapping.dmp

memory/4368-173-0x0000000000000000-mapping.dmp

memory/368-174-0x0000000000000000-mapping.dmp

memory/3528-175-0x00000000064E0000-0x00000000064EE000-memory.dmp

memory/3528-176-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/3528-177-0x0000000007B80000-0x0000000007B88000-memory.dmp