Malware Analysis Report

2024-11-30 21:52

Sample ID 230205-qw2jnada8v
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
purecrypter downloader loader persistence aurora stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader persistence aurora stealer

PureCrypter

Aurora

Detect PureCrypter injector

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:37

Reported

2023-02-05 13:40

Platform

win7-20220901-en

Max time kernel

91s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1288 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1288 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1288 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1280 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1280 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1280 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1280 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1104 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 648 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 648 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 648 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 648 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1736 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 6beb8a3521d42c8beb6f6a762780fbd8
SHA1 98839d0503a2a772cfe3a84046fa1948040f5dac
SHA256 88f8fb7d596afd14c206da369ef92549be1f2afe9e3e090f527834a532ce10a8
SHA512 37a1910df19bf5b44358e26132f70c50b7dd7cf2fdb95979b52c08ee756e88defe496a22d3242316570d8fcbe09fbee021cd77c1f44a38371a3872fcc0952dbb

memory/1280-54-0x0000000000000000-mapping.dmp

memory/1280-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 1ade2ffb0cb99195001374eb9291869f
SHA1 136f8615094920c993f88e0e17a7e7e3a37ade8e
SHA256 3d6d4d770fd2611dafe3e6b2c00e86b167180a8429a065d0283a432f6c4f18de
SHA512 d7b054e8dbc713d82a427b5556fa3ae48309dddde8d678c80a5dfdfc1125dc61d8c53f205a9dfe6e4d4a184f4c1df0b121afc19acb3260c01549829769161698

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 effb7be7cd75b6362ed732e39e53740a
SHA1 434b758102cc35a27aa4836d8cca07374b64f4ee
SHA256 cb34917a365e48fbc033108162287c96e43d133a0ee7a2b6b2375a6d8f4b4ffc
SHA512 167a973494e96139aa6ffd15d12eaf9fdc70f26cae0b3531979ab54e7aec7701b4fe358c516173a18db0eeeef258171c86ec9bc6e5e903717430c2c26e147d08

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5a0aa6da9c83bbc3bb0b0e3f129d9b63
SHA1 347aacde3260377cac72ac2ab376df194db49bd7
SHA256 73de6d55bb5252a701113265d37d4cee4905f0f7316bbf38cd9745b7ebe99c24
SHA512 0adfdd98f72a8c76d3109ad0e535862cbe3b3387174b3480b2f0e75e8699220610ba6013620d9c513de6c36e684b807b91257ef5b850c2c49f668ab4cd7812e3

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 e4f67f9abbc0bbd859f79230d61b0579
SHA1 8fbaee4e938b53526aac6150cef1a5a56e5e5e47
SHA256 b46a281d150cd6ea252e2bb513ea9534009df0e453248643c3fd5da9b1a2cb45
SHA512 dc54228c61d66d1979e8d4daf5fca6cd319d73595655d84fdd41f4b51202ccb6fa0e67952230db806ce07d2de33459794fdf5ff0628414c5efc21022572361c7

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 385383ea7afaff46236860d95629baa5
SHA1 426a56190240839927ff876899cad2a7e04723d8
SHA256 2ffb9a0d0f716e530b9bd8969cfac6696a4ac918cc075ad401d04cbc0204d1ad
SHA512 ac711ee4f86826f5f8b2750545730c452d2e506e84c3e0093bf0d8f1b2e7614165499ba8768996e97068a8aae21d2840ec7184bc92fdf239eb757642e0747417

memory/1736-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 b17da03ddd2274ee483d704fc8b46f15
SHA1 ff707f4902bb5bccbcae5a258d10264894a9acdb
SHA256 711aa5c4d56489c41457a07b1e4c4003e030cd709822d0a351f22be4a05f6db5
SHA512 4429322dbc8fcb6e49df9412f49a1bf82a385a91c15b48c0d60360d1edd44ccd710dedcb7f20e355a96f109e346d8db9fbf44c5edb7a6eee36ed9ecb7ed1b97d

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 0f89683cd243fde623430fd6351b8069
SHA1 673dba0d57175d904bf012615c748de3a79988ce
SHA256 df8274a6f1e5252bb7f4a4bcd3706367b03d857c62d1e14556e192aeda689d7f
SHA512 d04188113380f66f084a94bb0213edba99e3f02e168dc99cbd531d76348a7311a838031a4f1e101e6735b70f4932d72a4dbe1e1fbe2021b721be3335be423937

memory/1736-65-0x0000000000200000-0x0000000000974000-memory.dmp

memory/1736-66-0x00000000064A0000-0x0000000006840000-memory.dmp

memory/1068-67-0x0000000000000000-mapping.dmp

memory/1068-69-0x000000006F1A0000-0x000000006F74B000-memory.dmp

memory/1068-70-0x000000006F1A0000-0x000000006F74B000-memory.dmp

memory/1068-71-0x000000006F1A0000-0x000000006F74B000-memory.dmp

memory/1104-72-0x0000000000000000-mapping.dmp

memory/1736-73-0x00000000052F0000-0x0000000005462000-memory.dmp

memory/1872-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 e8d4cc4e6b5546ce9b43d7a979d89697
SHA1 cb20e061fada675881729e6feaa945ac4a05d0ad
SHA256 edef89087834afb9753aaded4b85bb4ba25a7a6b2f702325d67ab0b511384cc9
SHA512 3385cf1a731f164a8f52753a9a59fde9694a216ef88fc87339a6455349bf4b7642275333291a92168f6cf32d8ca829329603d2f4649b127e4dca0b63187366b7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5ac8b18822f868443c4115c89340396a
SHA1 a568a9cb518796d5d4cc36dfcbeda74b5cc32077
SHA256 e4dc0df4595a843cba9e988883b2328130da400978d76b38bf4701951a1a411c
SHA512 6b06fc89f3eabc44eb240f379b47896189ca1201f70dfd9f1b6523b272b2f70d5e0923f603822187ef6dc16bdadb039baac9b488242b8d331d159d7641a3a571

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 f51807b8e4976fea474fff83e524c7d2
SHA1 42dc7ccfe7f06d116c4208c52218a1d6e9da9900
SHA256 4d0a0bcbe6abc2776f03f5f0817f9a897a6bf5015a71db5661da2dbb7009b989
SHA512 b3e7e45f7a2ef72660ae190b36244cf2ff52bb6a3a0e8d4d19ffad7a85bb97a39892511b3d5df238b33d7f1909533d5ca3aff04a455f7c0328edfea67bf9681c

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 46ff12adc736e041b7adc128256734d4
SHA1 2b3f7800a64adb43356feadd679e0be91971fede
SHA256 3536424f26f49f71259efe4698eb7af9b84bcac3f288126564586e84137c31aa
SHA512 ee05425034a8a6e4799fe742eb507a346186eb13b8b3fc9285b9713af25bf1b5519758404421fbbe5418903bccb5f2b19248adbb3ecc6d556dff489477a8f687

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5a1da2d0b85e6dfa46a0ccc674b3f550
SHA1 6d3d0aa221aacbb1ec65b216bb22f11fe21ac1e7
SHA256 f64fc17ed57562eff792891813c0696f8c076675d2a9d3c893f030a28ec298b1
SHA512 72746bf90f68f05f0796d5b3f0edf962b88ecec07895a0505ea969479a43b171b12ac4da33fb66574decff6d6bef8748baa9b188a129ce668c9be08152a1c89c

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 37f82d88e091ff26f266eebe25aa11b2
SHA1 90f77ffa04a64e992b1e56c11bb05c492da2114e
SHA256 39b7e76f49c90bea30e0d0f69e24755a40555566a9c683b108ce4028088a7613
SHA512 cd47fccc89f96ec75bd0ac6a3f0e308d01ec8127afdc8485b607acf918c4cce2d17b462f049bb0d2fc3266c62d9bbd97d7013f58bbe5208619162270691d15ff

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 3cc12ec8f264ea2cf669599ed2c0a392
SHA1 8bcccb8895d03955244695e86bc7f4603d4a1f5f
SHA256 af456192dfc0082b60e09542ab13050b032a0e406e7741c0ea4852d011c9939c
SHA512 12b1a575a63568c45fc1077def0e68b7585edb29fd9910c4f7eef2d4c4cecc3c90c7bfaac250f08363d3ff728808d4bc2ee6980c753fdd207da3f82a2dbe3120

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 37f82d88e091ff26f266eebe25aa11b2
SHA1 90f77ffa04a64e992b1e56c11bb05c492da2114e
SHA256 39b7e76f49c90bea30e0d0f69e24755a40555566a9c683b108ce4028088a7613
SHA512 cd47fccc89f96ec75bd0ac6a3f0e308d01ec8127afdc8485b607acf918c4cce2d17b462f049bb0d2fc3266c62d9bbd97d7013f58bbe5208619162270691d15ff

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 3cc12ec8f264ea2cf669599ed2c0a392
SHA1 8bcccb8895d03955244695e86bc7f4603d4a1f5f
SHA256 af456192dfc0082b60e09542ab13050b032a0e406e7741c0ea4852d011c9939c
SHA512 12b1a575a63568c45fc1077def0e68b7585edb29fd9910c4f7eef2d4c4cecc3c90c7bfaac250f08363d3ff728808d4bc2ee6980c753fdd207da3f82a2dbe3120

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 45022d9c99bc520b38a26ff9078e46be
SHA1 b326e8b4e221ef93159043671395d635c7967d01
SHA256 9c804d7c3806186b2638218a27d926e9e0c624910428bee12daf2cd482709128
SHA512 d2bf0aef6271e4c2b2a1240b367f40561fcfc21b0588c91e37f63d50662845333de6f57af81d35687a3a5ee09b1ac874e58c548c3b2bec892e43c8db72f3feae

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5bb3714360c25b80651018c798ee2bf4
SHA1 bd1b213f29acf1d3b5252ff8da9da4688de1f78d
SHA256 f8737b1da17e9c489fb9d7ca38f67b02e7a75cc46ce8953e61f85f6d95df42d5
SHA512 115c9d4b73978cc3d749353ef6cc68bf6a6bade27b89d50f63a90cc703b11ebe4bf35da42a063f117f0d8c987bd5ea9ad0960331fab495b2be98e2009755087d

memory/1872-87-0x000000006F160000-0x000000006F70B000-memory.dmp

memory/1872-88-0x000000006F160000-0x000000006F70B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:37

Reported

2023-02-05 13:40

Platform

win10v2004-20220812-en

Max time kernel

131s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5008 set thread context of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 676 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 676 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 676 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 5028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5028 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 508 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 5008 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1128 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1128 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1128 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1128 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3256 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3256 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
DE 162.19.139.184:2222 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
AU 104.46.162.224:443 tcp
NL 104.80.225.205:443 tcp
DE 45.9.74.11:8081 tcp

Files

memory/5028-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/5008-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/5008-138-0x0000000000590000-0x0000000000D04000-memory.dmp

memory/5008-139-0x0000000006C90000-0x0000000006CB2000-memory.dmp

memory/508-140-0x0000000000000000-mapping.dmp

memory/508-141-0x00000000026B0000-0x00000000026E6000-memory.dmp

memory/508-142-0x0000000004E20000-0x0000000005448000-memory.dmp

memory/508-143-0x0000000004D70000-0x0000000004DD6000-memory.dmp

memory/508-144-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/508-145-0x00000000049F0000-0x0000000004A0E000-memory.dmp

memory/508-146-0x00000000072D0000-0x000000000794A000-memory.dmp

memory/508-147-0x0000000006190000-0x00000000061AA000-memory.dmp

memory/4212-148-0x0000000000000000-mapping.dmp

memory/3168-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/1128-151-0x0000000000000000-mapping.dmp

memory/1128-152-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 b4d95160aa00515bfde8bbbfdc2b191f
SHA1 a44d72801fcb0cb225d3b0e49a06f7000c6b31fd
SHA256 8610266929c66757c1e28943997b0601164b5b12bb1fe47d9ed0d3307545e442
SHA512 70797e097d41780782040a290c674fc37761b39f40e2edc62910ad667b0713884590ed849b5b387cd9309e5d63058481ced3366c83e6a983755b396bbce62dce

memory/1128-155-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 901f167f644cde6d413e2e354f67c328
SHA1 c5c5003ceb3d9311600344c4edb7c3cd7b5705b2
SHA256 e22d61c636e05b5ae29cb9ea2600153dc45e4ca7133ab00a21b93b72046b3381
SHA512 1f534872642644ab416ae470b606c712751a96bb3d7af14bc30d5d2b90254e9b8a68dc06e7ac3826809fa68adea8f6b7d4624ead5bef94234a133500790750fc

memory/1128-157-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4200-159-0x0000000000000000-mapping.dmp

memory/3168-160-0x0000000006730000-0x0000000006762000-memory.dmp

memory/3168-161-0x00000000734D0000-0x000000007351C000-memory.dmp

memory/3168-162-0x0000000006710000-0x000000000672E000-memory.dmp

memory/3168-163-0x0000000007500000-0x000000000750A000-memory.dmp

memory/3256-164-0x0000000000000000-mapping.dmp

memory/3168-166-0x0000000007740000-0x00000000077D6000-memory.dmp

memory/4808-165-0x0000000000000000-mapping.dmp

memory/1492-167-0x0000000000000000-mapping.dmp

memory/2388-168-0x0000000000000000-mapping.dmp

memory/3168-169-0x0000000006000000-0x000000000600E000-memory.dmp

memory/3168-170-0x00000000076C0000-0x00000000076DA000-memory.dmp

memory/3168-171-0x00000000076A0000-0x00000000076A8000-memory.dmp