hxxps://virtualbox[.]en[.]softonic[.]com/download?utm_source=SEM&utm_medium=paid&utm_campaign=EN_AR_DSA

Analysis

max time kernel
129s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01-01-2023 20:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://virtualbox.en.softonic.com/download?utm_source=SEM&utm_medium=paid&utm_campaign=EN_AR_DSA

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET6935.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET6935.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET844E.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET6741.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET6741.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET844E.tmp	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
3840	VirtualBox-7.0.2-154219-Win.exe

Registers COM server for autorun 1 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\""	msiexec.exe

Loads dropped DLL 16 IoCs

pid	Process
5300	MsiExec.exe
5300	MsiExec.exe
5300	MsiExec.exe
5300	MsiExec.exe
5208	MsiExec.exe
5208	MsiExec.exe
5208	MsiExec.exe
6556	MsiExec.exe
5208	MsiExec.exe
5208	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe
6604	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.2-154219-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1cb0100ed9e307bf\VBoxUSB.sys	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_E9CFB8BC60D435FC8108B92A3CC60614D10316E8\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\SET6CB0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\SET6CB1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\SET6CA0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1cb0100ed9e307bf\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_0a77bf590e19998d\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_E9CFB8BC60D435FC8108B92A3CC60614D10316E8\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_58433010012FB98A52D8421B82725377DB713189\VBoxUSBMon.inf	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\SET82C8.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_E9CFB8BC60D435FC8108B92A3CC60614D10316E8\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_58433010012FB98A52D8421B82725377DB713189\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_0a77bf590e19998d\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\SET6CB0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\SET82C7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\SET82C9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\SET82C7.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_E9CFB8BC60D435FC8108B92A3CC60614D10316E8\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1cb0100ed9e307bf\VBoxUSB.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\SET6CB1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\SET82C8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}\SET82C9.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_58433010012FB98A52D8421B82725377DB713189\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\SET6CA0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{27068eac-1186-114f-b9a2-78f3a3556f42}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_0a77bf590e19998d\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{714451d6-7e66-f04c-a6e7-cd3a05027375}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_1cb0100ed9e307bf\VBoxUSB.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_util.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxC.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm	msiexec.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{6F1855EE-52D3-4E5B-B77B-55005C239B71}\IconVirtualBox	msiexec.exe
File created	C:\Windows\Installer\e582519.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI325A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38D3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DA4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5509.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8296.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e582517.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DC4.tmp	msiexec.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{6F1855EE-52D3-4E5B-B77B-55005C239B71}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65A5.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68D2.tmp	msiexec.exe
File created	C:\Windows\Installer\e582517.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5567.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{6F1855EE-52D3-4E5B-B77B-55005C239B71}\IconVirtualBox	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE5581F63D25B5E47BB75500C532B917\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21637B0E-34B8-42D3-ACFB-7E96DAF77C22}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A3D2799E-D3AD-4F73-91EF-7D839689F6D6}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20479EAF-D8ED-44CF-85AC-C83A26C95A4D}\ = "IToken"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FF58A51D-54A1-411C-93E9-3047EB4DCD21}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93BADC0C-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VirtualBox.Session\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C48F3401-4A9E-43F4-B7A7-54BD285E22F4}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDC}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8E3496E-735F-4FDE-8A54-427D49409B5F}\NumMethods\ = "33"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C5E945F-2354-4267-883F-2F417D216519}\NumMethods\ = "18"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{AD47AD09-787B-44AB-B343-A082A3F2DFB1}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250}\ = "IKeyboard"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E54F6256-97A7-4947-8A78-10C013DDF4B8}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8E3496E-735F-4FDE-8A54-427D49409B5F}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\ = "IParallelPortChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F05D7E60-1BCF-4218-9807-04E036CC70F1}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25360A74-55E5-4F14-AC2A-F5CF8E62E4AF}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{2A88033D-82DB-4AC2-97B5-E786C839420E}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA37}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11BE93C7-A862-4DC9-8C89-BF4BA74A886A}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5155BFD3-7BA7-45A8-B26D-C91AE3754E37}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2DB178A-7485-11EC-AEC4-2FBF90681A84}\ = "ICloudClient"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CF11D345-0241-4EA9-AC4C-C69ED3D674E3}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\NumMethods\ = "44"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4376693C-CF37-453B-9289-3B0F521CAF27}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.vhd	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{179F8647-319C-4E7E-8150-C5837BD265F6}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{334DF94A-7556-4CBC-8C04-043096B02D82}\ = "IBandwidthGroupChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABE94809-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\ = "IDHCPIndividualConfig"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D134C6B6-4479-430D-BB73-68A452BA3E67}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FA43579A-2272-47C4-A443-9713F19A902F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9B6E1AEE-35F3-4F4D-B5BB-ED0ECEFD8538}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\ = "IGuestProcessInputNotifyEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{714A3EEF-799A-4489-86CD-FE8E45B2FF8E}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{07541941-8079-447A-A33E-47A69C7980DB}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{86A98347-7619-41AA-AECE-B21AC5C1A7E6}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F01F1066-F231-11EA-8EEE-33BB2AFB0B6E}\ = "ICloudProviderUninstallEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7191CF38-3E8A-11E9-825C-AB7B2CABCE23}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08889892-1EC6-4883-801D-77F56CFD0103}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20479EAF-D8ED-44CF-85AC-C83A26C95A4D}\NumMethods\ = "12"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52F40B16-520E-473F-9428-3E69B0D915C3}\ = "IAudioSettings"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
2176	chrome.exe
2176	chrome.exe
5804	chrome.exe
5804	chrome.exe
6352	chrome.exe
6352	chrome.exe
6864	chrome.exe
6864	chrome.exe
6872	chrome.exe
6872	chrome.exe
5300	MsiExec.exe
5300	MsiExec.exe
5232	chrome.exe
5232	chrome.exe
2176	chrome.exe
2176	chrome.exe
4744	chrome.exe
4744	chrome.exe
4516	msiexec.exe
4516	msiexec.exe
6812	chrome.exe
6812	chrome.exe
6812	chrome.exe
6812	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeIncreaseQuotaPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSecurityPrivilege	4516	msiexec.exe
Token: SeCreateTokenPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeAssignPrimaryTokenPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeLockMemoryPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeIncreaseQuotaPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeMachineAccountPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeTcbPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSecurityPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeTakeOwnershipPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeLoadDriverPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSystemProfilePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSystemtimePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeProfSingleProcessPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeIncBasePriorityPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreatePagefilePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreatePermanentPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeBackupPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeRestorePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeShutdownPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeDebugPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeAuditPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSystemEnvironmentPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeChangeNotifyPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeRemoteShutdownPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeUndockPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSyncAgentPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeEnableDelegationPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeManageVolumePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeImpersonatePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreateGlobalPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreateTokenPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeAssignPrimaryTokenPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeLockMemoryPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeIncreaseQuotaPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeMachineAccountPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeTcbPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSecurityPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeTakeOwnershipPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeLoadDriverPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSystemProfilePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSystemtimePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeProfSingleProcessPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeIncBasePriorityPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreatePagefilePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreatePermanentPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeBackupPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeRestorePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeShutdownPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeDebugPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeAuditPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSystemEnvironmentPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeChangeNotifyPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeRemoteShutdownPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeUndockPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeSyncAgentPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeEnableDelegationPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeManageVolumePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeImpersonatePrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreateGlobalPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeCreateTokenPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeAssignPrimaryTokenPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe
Token: SeLockMemoryPrivilege	3840	VirtualBox-7.0.2-154219-Win.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
3840	VirtualBox-7.0.2-154219-Win.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2128	2176	chrome.exe	66
PID 2176 wrote to memory of 2128	2176	chrome.exe	66
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 3812	2176	chrome.exe	69
PID 2176 wrote to memory of 2600	2176	chrome.exe	68
PID 2176 wrote to memory of 2600	2176	chrome.exe	68
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70
PID 2176 wrote to memory of 2820	2176	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://virtualbox.en.softonic.com/download?utm_source=SEM&utm_medium=paid&utm_campaign=EN_AR_DSA
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa04c54f50,0x7ffa04c54f60,0x7ffa04c54f70
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1580 /prefetch:2
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8148 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9004 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9532 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9832 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9704 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9712 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9852 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10124 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10204 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10548 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10688 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11336 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11476 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11740 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11452 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11880 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12140 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11372 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13356 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13220 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13088 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12940 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12804 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=14304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11344 /prefetch:8
  2⤵
  PID:6408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=14256 /prefetch:8
  2⤵
  PID:6400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8380 /prefetch:1
  2⤵
  PID:6480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:6472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:6536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11384 /prefetch:1
  2⤵
  PID:6592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:6644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11396 /prefetch:1
  2⤵
  PID:6660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12836 /prefetch:1
  2⤵
  PID:6652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14584 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:6856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14784 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=13560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15016 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10308 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10220 /prefetch:1
  2⤵
  PID:7096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=14296 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=14736 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15592 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15356 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15340 /prefetch:1
  2⤵
  PID:6400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:6432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=16012 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=16184 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15220 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14352 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10660 /prefetch:1
  2⤵
  PID:7020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12092 /prefetch:1
  2⤵
  PID:6932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10064 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=17512 /prefetch:8
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=17568 /prefetch:8
  2⤵
  PID:5684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=17556 /prefetch:8
  2⤵
  PID:5676
- C:\Users\Admin\Downloads\VirtualBox-7.0.2-154219-Win.exe
  "C:\Users\Admin\Downloads\VirtualBox-7.0.2-154219-Win.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3840
- - C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
    "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
    3⤵
    PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9712 /prefetch:8
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13192 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=17592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=17872 /prefetch:8
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=12348 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=12332 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1676 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=17156 /prefetch:1
  2⤵
  PID:6328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:6192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:6256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8424 /prefetch:1
  2⤵
  PID:6232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:6156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15196 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15168 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:8
  2⤵
  PID:6160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1568,2334927863784495719,1076378884445516288,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6812

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0499829FDF05E00BA18D2F840B0E045A C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5300
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5228
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B5D01A44298692563693154DF4407E4E
  2⤵
  - Loads dropped DLL
  PID:5208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F1933EE7647D92ED8B4760FA22AC8259
  2⤵
  - Loads dropped DLL
  PID:6556
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9D84EEA732283E9220337A3FB21D8B12 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:6604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FD5D7F14AF5E9153F488D893CF5E3BA1 M Global\MSI0000
  2⤵
  PID:5260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x348
1⤵
PID:5796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:4504

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:4308
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4856
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000184" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:196
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000180" "WinSta0\Default" "0000000000000194" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  PID:5776

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6320

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
PID:5688

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
PID:4508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af1855 /state1:0x41c64e6d
1⤵
PID:7076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3228-329-0x000002349D680000-0x000002349D690000-memory.dmp

Filesize
64KB

Download
memory/3228-326-0x000002349D680000-0x000002349D690000-memory.dmp

Filesize
64KB

Download
memory/3840-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-127-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-156-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-158-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-159-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-124-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-165-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-167-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-168-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-174-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-173-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-175-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-176-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-184-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3840-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads