Analysis Overview
| SHA256 | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747 |
| Threat Level | Known bad |
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
PureCrypter
Aurora
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Reported | 2023-02-05 13:36 |
Signatures
Analysis: behavioral2
Detonation Overview
| Submitted | 2023-02-05 13:36 |
| Reported | 2023-02-05 13:39 |
| Platform | win10v2004-20221111-en |
| Max time kernel | 127s |
| Max time network | 148s |
| Command Line | |
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1856 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA== |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA== |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA== |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic os get Caption |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic path win32_VideoController get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic cpu get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic cpu get name |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| DE | 45.9.74.11:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 14a9737eb666769fee7c28a00eb14e82 |
| SHA1 | ab8f2279f13a546fc32233a4da0855660fb07ec0 |
| SHA256 | a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a |
| SHA512 | 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7297cc6e4da2a9047969df3e6e1391ca |
| SHA1 | 56b30166e4c808c594a1673b935bc68f890ff124 |
| SHA256 | 53c843e58fb5ca4a62579b24d4439e3853feabe8ec4a005420a2813382ceed8a |
| SHA512 | e16bc7df21c6ce45b15de89af585f0c529632da557904224ddfeb70b4f7f9af483544b8ee5b765f1a65895a317b4a90b4631ad342453a32a81e78bc5677b368f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-02-05 13:36 |
| Reported | 2023-02-05 13:39 |
| Platform | win7-20220901-en |
| Max time kernel | 85s |
| Max time network | 48s |
| Command Line | |
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA== |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA== |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA== |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
| C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 11ed745a8376773d3019ba088a94afbe |
| SHA1 | 22de556630cb1a0885e55f517e9897ae4c0b2a21 |
| SHA256 | 23a5c2cb1814d4699b8f55426a5941c9d93b5a3e1a5a29e1ec59398a7807d534 |
| SHA512 | 8edc38726bb01295d84a2ae6e035f5c23bd01c6a5ed9d2cbc0586bb7ebd58f70d75f7bb92cd85ab694fd0642f824dc060f621cbed0f5fc783dd4c669b05abb65 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | b39052b2b2b45e1060212b3b7eeb4151 |
| SHA1 | 0087899ec04dcb70922c8e4458a4c6b8ae2caa9c |
| SHA256 | b3130c5120c8efc4a5016455832ba6160ed4bf24bfd90c4d39ea2491fee67c72 |
| SHA512 | 60ca700b3f3968d654c848a3ab741b0d99e992edde5138fdf5fd5106a2388d062c5202e2cb2e3c5053152579d58b474482d49a1b636821b79a2e71cfeb2a2c4f |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | f5c5ff6b7bc6ebba28991fbfc96b5b3e |
| SHA1 | 22ff93fa87edd0eecba5b7414f25e256e986c64d |
| SHA256 | 32e06cfa268a9a21db8dd2749aa916fd05bb524a258c4c864eb06391a6debca1 |
| SHA512 | 25c0f96daa0e5c027307407a9a4404604ea2f2a3a888b0a48388e2e7b3cd0c1539851cf8a4caf8e91ef3392be7d22521bda6b282f92ef4f3381fa53de2386efe |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e85c788e7733fce1c06a900a5b6566db |
| SHA1 | 6a171039ea3dd845a9ac3173d5dcb7e0d31c6e5d |
| SHA256 | 57b396cb4d4d250fbfa926c03e2acb30aa52bee1fc3f97b33173a664927ec863 |
| SHA512 | 3d3d92a3b9836ca529e32a5a3ab34a8a0159c489783ff3d8abc0160be57daafb961472847ae0ca7895bf0ed9fa303402fae83215f3707077aa9d95d4d2188cf8 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | df9103f9f1966e62e346959491e1fe24 |
| SHA1 | c2c296dabbb0eb23ae7796929b53306025496b4b |
| SHA256 | c2f2af837985aa579119184d6babbd50b555e30ef36bb33e762617234167d7b7 |
| SHA512 | c38766b2951cd6ff0a2f5160983594425b054839caca22d5184fc5c225f4dbb7acb0acaef3cf6813daf315ae6c0fd70d201ab4bed09da610ade5b88f9b58010e |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 4a6c139dd3f1b1f4353cae69a383c24e |
| SHA1 | cd15af48827de96045c64b8690039ebf2441f94a |
| SHA256 | 202eeee36bfc0f181f4eb7efa8f99ffcd5eb707512f9ecd7475cd40c9664ce57 |
| SHA512 | 8488c718cbef9079a25fd1a5e928a355367401bbc1c2fbd050205ecfbc0db092b1712783ec28d341e17c2d59454e37d703d68ef41f161154bbfc34d86c6bc987 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c0e1b12d8455caf2eaae4ad48931f210 |
| SHA1 | f252617799f290afa1a98d74abc886ecb4ba828a |
| SHA256 | 260701ea6c5d5820694752504b31083a756e184c46071652e31c143fd2311de6 |
| SHA512 | ed9d18a5f5c47fd67a52fc97b37375aa463ca096bb85164e2d42a6b2fce44e3f276bd051c02768ad4fd24794957ca7061b70e092251be219b9ad174fcbc4f63d |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c1f6454f7bff3d79e58b25794b86e7e1 |
| SHA1 | edaaf2b40031aad38e2bf2223453b267e7c12089 |
| SHA256 | 0ec4bbc8fb74108431eed5ed7fd706530afb1086e77b99b2ac5003e70668ea89 |
| SHA512 | 014c0e1c1ed062f6616ca14830eb35c3c49ff59a447c023e84b8e4d35351a22f9fadf22928384001fe15824c6a75c02b6ac11446bd5f255d6527a6a2678dc514 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e9f78e23387d4536f809e5ee09f89d08 |
| SHA1 | 330ad77b5a28d425ae12a9ec490ba96568fc91e3 |
| SHA256 | a79470b0914efdb3a8c341213336f7bb02d6b094f6576cf666641f1be915a01e |
| SHA512 | 79e8249159f366b685a0b0f82ca72fd6a6567721eca98aa8dc4a7f4c879af87cbb703f288d70826fa888abd5f0a3566343cb54ea9dc60f9e999ead36ee5be751 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 769ec3cff666c6086759db2f18d52b9a |
| SHA1 | 1cf3715574446fb1429dcdeaf4b0f5c173b971cf |
| SHA256 | 8430c3974547778bdfce413521cfc6605648a3fa1d1d1aede7e73e45b8662287 |
| SHA512 | 1772b4cc301de5deb6b1da4fa9e955543ef38c699c6dfd121490949c8f074a2b3c4fffd674352a8b70a7ab4ebf3caea87b2685dddb8d233577e741b3597d401c |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 2e1684f77dd66ef009dd3a1d356d9fa7 |
| SHA1 | 25b33411b57e93cb4038a89966438a6de774a65a |
| SHA256 | 8753af8dc572d0028879c5900e2ae406220c67dada7dea4fb9d6cbd1e2c7ddcf |
| SHA512 | 5eb4d9fc9628cb862668e769718b5733d15c79f20a0361967a293c5bb65bdceb3509e69a047b6803909eabc90ede8f2c527eaee245359009a04c13da61c83bfe |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | d70507d8e171ddd763ed93b85944f17c |
| SHA1 | 2ea85c12a9b6b41f1d08512fdb156e71e5cf31e2 |
| SHA256 | a0bdbb6684322f7c4c69ed890bfeda6bc08ded8d50dc03c4ab54ecd0f446a768 |
| SHA512 | dd4ed28951c6ba713ab7c8e8a0b0307ffd12043ba67c94ccbdcc800ab4fa0fb3d2202b31cb61ec724711515691c2cedb9e103cfe558e21965dbe0a27613ae86a |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 0d8db500c78fa66486664b93ae491604 |
| SHA1 | 9909012089ba92be5f971d1b316e36eedf16fbdc |
| SHA256 | c0c54b7ed4bb2ed12a4752bf5d9654d9312b8aeb37917b08688485a5ea50abe1 |
| SHA512 | 0ff9de2179893e7d41ee8cd622ac1e683fdcc2a152300cdef6661fb7d35ff3204ea2a4fde80c35fd3b7507d5ca3a8f3553791395238d7c8cb84dc4be49a0c8c9 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 9aa181f5280174b0f70e50fe46268258 |
| SHA1 | 29a83b5bd4a66b40f5b30a11918e7d6a354b5826 |
| SHA256 | 211ac3526f52e3411536d077e74df332b526a1c16d218f7132964fce5cfa3739 |
| SHA512 | aa98b42da82b70fc9441fde3540f09faa6610122084c8498854f096acf0b3b158b9e543dc102095d1b0cefc09f77027bf7700329cc7992eaf0ee1d90c7e023c5 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 6437825c33db4c67678260008d0a121c |
| SHA1 | d4f8f1460db349325205c828a02b2d05f923af4c |
| SHA256 | eb6db04733252b737bb23c797d8bc9aec66ceea8ec76b64a52657982d6685162 |
| SHA512 | 05584a47e59ab14eba197741acb8301059bdd44b32bf5b35d8680a22319763effd48cd92da53c956b8c1d55b70c8c49df036b741f76611fe78e265f33b0196c8 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 34636c99e693c57ee74defaa8a8d1df6 |
| SHA1 | 4c2686e1d19cd7c731608d2d0155c615ba76dfdd |
| SHA256 | 11fc8eff24df743299cc8d83e73b13530509eef2418455d401be0a9c6a5494af |
| SHA512 | 60856dc1b648c3a35090650f6e6186cde71e0460c0f00e0f98a51dc1f4487fb0284f51aa38de545f4be2719c0c4a349125e4e61370fbcd1d174a3beae02d3877 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 27218f91008e087c20514f04a7249c43 |
| SHA1 | 7bf45aec1a2489eaa4ea1d1c9ab37d4cfce53ee3 |
| SHA256 | f21aa91e922aa796bd88a03a876c07fcee35916d3f7d019a2a6e82fc4e0f96a4 |
| SHA512 | 7d65ebd377e7cbe5c2fbecefc368f77076799cfe60d36570b3a1c666fe00bd7ee4b6084e9e2f7f4c54c1787169ac9875f04d01f03bf57f09af068535ced9d022 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | badfaf21155562f80b5baca768cbe7d9 |
| SHA1 | 5cb06814694d486965680c7cdfa8a41650cac198 |
| SHA256 | 9e1e094cf3f0e15c88de203422873bd706d0d3ea38449661a224a5a57a208c26 |
| SHA512 | 0e17ebe6d8cae25683a5cb4502be666941ddb5319391bdbeaa2670417c559e8f52a001a3e5192af9940abd166d52f8e0e7d7d8870a7e4df1db29f2553e909516 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c8d542bbccca9180f4b47e4fe5fecc55 |
| SHA1 | 3ab20b3d6f0e59b111b2f4b6b6e6d95746caaf0c |
| SHA256 | ccd793c484696bbeb406cd46925d6392ab362b59c33f3c4b6bb8b970afc914c1 |
| SHA512 | a36da8d209f7afaf288ce77d7dd7c6853dfdf4729a9b611dac1db7701aa34d1accda7bad4e97de1ddf8c26367a93070db5c52325bbeafc2f6532a9330b78ef0c |