Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qwh3bahg42
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags
aurora persistence stealer purecrypter downloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

aurora persistence stealer purecrypter downloader loader

Detect PureCrypter injector

PureCrypter

Aurora

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:36

Reported

2023-02-05 13:39

Platform

win10v2004-20221111-en

Max time kernel

127s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Note: the wextract_cleanup0 RunOnce value is the standard cleanup entry written by the Windows self-extractor (wextract/IExpress) so that advpack.dll DelNodeRunDLL32 deletes the IXP000.TMP extraction folder at next logon; it does not start the malware, and no Run key for the payload itself was recorded in this detonation.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1856 set thread context of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1048 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1048 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 3244 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 3244 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 3244 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 3696 wrote to memory of 3144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3696 wrote to memory of 3144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3696 wrote to memory of 3144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1856 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4492 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4492 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4492 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4492 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4808 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4808 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4492 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3176 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3176 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is base64-encoded UTF-16LE PowerShell; it decodes to: start-sleep -seconds 35, a delay commonly used to outlast sandbox timeouts)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument is base64-encoded UTF-16LE PowerShell; it decodes to: set-mppreference -exclusionpath C:\ , which adds the entire C: drive to the Microsoft Defender exclusion list; Set-MpPreference invocations from an unusual parent process are a high-value detection)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(decodes to: set-mppreference -exclusionpath C:\ ; this is the same Defender-exclusion command launched via the cmd.exe parent above)

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 72.21.81.240:80 tcp
US 72.21.81.240:80 tcp
NL 104.80.225.205:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
DE 45.9.74.11:8081 tcp

Files

memory/3244-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/1856-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/1856-138-0x0000000000440000-0x0000000000BB4000-memory.dmp

memory/1856-139-0x0000000006B00000-0x0000000006B22000-memory.dmp

memory/4176-140-0x0000000000000000-mapping.dmp

memory/4176-141-0x00000000030A0000-0x00000000030D6000-memory.dmp

memory/4176-142-0x0000000005980000-0x0000000005FA8000-memory.dmp

memory/4176-143-0x0000000005FB0000-0x0000000006016000-memory.dmp

memory/4176-144-0x0000000006020000-0x0000000006086000-memory.dmp

memory/4176-145-0x0000000005400000-0x000000000541E000-memory.dmp

memory/4176-146-0x0000000007CC0000-0x000000000833A000-memory.dmp

memory/4176-147-0x0000000006B80000-0x0000000006B9A000-memory.dmp

memory/3696-148-0x0000000000000000-mapping.dmp

memory/3144-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/4492-151-0x0000000000000000-mapping.dmp

memory/4492-152-0x0000000000400000-0x0000000000731000-memory.dmp

memory/4492-155-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7297cc6e4da2a9047969df3e6e1391ca
SHA1 56b30166e4c808c594a1673b935bc68f890ff124
SHA256 53c843e58fb5ca4a62579b24d4439e3853feabe8ec4a005420a2813382ceed8a
SHA512 e16bc7df21c6ce45b15de89af585f0c529632da557904224ddfeb70b4f7f9af483544b8ee5b765f1a65895a317b4a90b4631ad342453a32a81e78bc5677b368f

memory/4492-157-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4332-159-0x0000000000000000-mapping.dmp

memory/3144-160-0x0000000006F90000-0x0000000006FC2000-memory.dmp

memory/3144-161-0x0000000073280000-0x00000000732CC000-memory.dmp

memory/3144-162-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

memory/3144-163-0x0000000007D30000-0x0000000007D3A000-memory.dmp

memory/3144-164-0x0000000007F70000-0x0000000008006000-memory.dmp

memory/4808-165-0x0000000000000000-mapping.dmp

memory/3956-166-0x0000000000000000-mapping.dmp

memory/3176-167-0x0000000000000000-mapping.dmp

memory/4496-168-0x0000000000000000-mapping.dmp

memory/3144-169-0x0000000006800000-0x000000000680E000-memory.dmp

memory/3144-170-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

memory/3144-171-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

memory/4492-172-0x0000000000400000-0x0000000000731000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:36

Reported

2023-02-05 13:39

Platform

win7-20220901-en

Max time kernel

85s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Note: the wextract_cleanup0 RunOnce value is the standard cleanup entry written by the Windows self-extractor (wextract/IExpress) so that advpack.dll DelNodeRunDLL32 deletes the IXP000.TMP extraction folder at next logon; it does not start the malware, and no Run key for the payload itself was recorded in this detonation.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 2024 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 2024 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 2024 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 2024 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1332 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1332 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1332 wrote to memory of 824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1332 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 304 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1332 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is base64-encoded UTF-16LE PowerShell; it decodes to: start-sleep -seconds 35, a delay commonly used to outlast sandbox timeouts)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument is base64-encoded UTF-16LE PowerShell; it decodes to: set-mppreference -exclusionpath C:\ , which adds the entire C: drive to the Microsoft Defender exclusion list; Set-MpPreference invocations from an unusual parent process are a high-value detection)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(decodes to: set-mppreference -exclusionpath C:\ ; this is the same Defender-exclusion command launched via the cmd.exe parent above)

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Network

N/A

Files
