a4142ecf52657bd6e06b66573919ac342ef460a61f4ee7d35c235c54640c3a39

Resubmissions

15/04/2023, 15:59

230415-te8s7agc4w 8

15/04/2023, 15:41

230415-s45x6agb5z 8

Analysis

max time kernel
145s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15/04/2023, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.6-155176-Win.exe
Size

105.3MB
MD5

2ad82b25d85fca75b78f34df3223bbfe
SHA1

af9ece37b9d1bd7e8d942f48afe4d5cea8e1b206
SHA256

a4142ecf52657bd6e06b66573919ac342ef460a61f4ee7d35c235c54640c3a39
SHA512

c787271617785e94719e2bc5ec9a9f70455b61e6408f5f69e0bdaf2718d0d7e00fa8b7f044bbe78b98abbc474c6b25767520efb4c5baf80cd1f91369126e5688
SSDEEP

1572864:IloHyCtX4f1cFecNDgiA13VIfR89CrpWIlof8gM0GnPuCPIY4HaiTFJX0w0WCi4:dtX4d8Nkf13aRffloUgtGZPoXJkw0Fi4

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET32F3.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF52D.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET1E12.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF52D.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF879.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF879.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET1E12.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET32F3.tmp	MsiExec.exe

Executes dropped EXE 4 IoCs

pid	Process
2152	VirtualBox.exe
3088	VBoxSVC.exe
1632	VBoxSDS.exe
3680	VirtualBox.exe

Loads dropped DLL 54 IoCs

pid	Process
4092	MsiExec.exe
4092	MsiExec.exe
4092	MsiExec.exe
4092	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
4076	MsiExec.exe
4328	MsiExec.exe
4328	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
4328	MsiExec.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
2152	VirtualBox.exe
3088	VBoxSVC.exe
3088	VBoxSVC.exe
1632	VBoxSDS.exe
1632	VBoxSDS.exe
3088	VBoxSVC.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe
3680	VirtualBox.exe

Registers COM server for autorun 1 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free"	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\F:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.6-155176-Win.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.6-155176-Win.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_37b41c46e926407a\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\SET3023.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_8BDD7342E6939F9EFF2A3BE8C98ABA32E702D589\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_8931aaf37ae96d4c\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\SET1BC1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\SET1BD2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_56290c9e296b5be9\netpacer.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\SET1BA1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\SET1BC1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_960a76222168b3fa\ndiscap.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\SET1BD2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\SET3024.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_286311b3ad406c73\netrass.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_25D4EE63297B90F35CC8733338A301DAFF6BD770\VBoxUSBMon.cat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_8BDD7342E6939F9EFF2A3BE8C98ABA32E702D589\VBoxSup.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_ecd984f601508a74\netserv.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\SETFA40.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_37b41c46e926407a\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\SET3035.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_8BDD7342E6939F9EFF2A3BE8C98ABA32E702D589\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\SETFA3E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\SET3024.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\SET3023.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\VBoxNetLwf.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_739e9ec110147b31\netbrdg.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_9b48be32f09b1fb6\netnwifi.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\SETFA3F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\SET3035.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_8BDD7342E6939F9EFF2A3BE8C98ABA32E702D589\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_37b41c46e926407a\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_40a3826078769700\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_e610f6f65afdc230\netnb.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\VBoxNetAdp6.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_40a3826078769700\vboxnetlwf.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\SETFA3F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\SET1BA1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\VBoxNetAdp6.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_40a3826078769700\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_25D4EE63297B90F35CC8733338A301DAFF6BD770\VBoxUSBMon.inf	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\SETFA3E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_ded82fc1c2b41e6b\netvwififlt.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_8931aaf37ae96d4c\VBoxUSB.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_23069e5b67ce90a4\c_netservice.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_8931aaf37ae96d4c\VBoxUSB.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_40a3826078769700\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_8931aaf37ae96d4c\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\SETFA40.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\VBoxRT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxC.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_response_files.rsp	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxLibSsh.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC3BD.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5C50439B-4A95-4615-A77B-6D250D734303}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC7C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF78A.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\e57bebe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F67.tmp	msiexec.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIC68F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{5C50439B-4A95-4615-A77B-6D250D734303}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2ECA.tmp	msiexec.exe
File created	C:\Windows\INF\oem5.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSICECE.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem4.PNF	svchost.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\e57bebc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B31.tmp	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\e57bebc.msi	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI33FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3650.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC564.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8E3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5F2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{5C50439B-4A95-4615-A77B-6D250D734303}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3400	3680	WerFault.exe	91

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F01F1066-F231-11EA-8EEE-33BB2AFB0B6E}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{966303D0-36A8-4180-8971-18650B0D1055}\NumMethods	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69BFB134-80F6-4266-8E20-16371F68FA25}\ = "IReusableEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78861431-D545-44AA-8013-181B8C288554}\ = "IExtPackPlugIn"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABEF51AE-1493-49F4-AA03-EFAF106BF086}\NumMethods\ = "14"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5DDB370-08A7-4C8F-910D-47AABD67253A}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A5E65BA-EEB9-11EA-AE38-73242BC0F172}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{232E9151-AE84-4B8E-B0F3-5C20C35CAAC9}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B79DE686-EABD-4FA6-960A-F1756C99EA1C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{147816C8-17E0-11EB-81FA-87CEA6263E1A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5094F67A-8084-11E9-B185-DBE296E54799}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91F33D6F-E621-4F70-A77E-15F0E3C714D5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93405C559A451647AB7D652D0373430\ProductIcon = "C:\\Windows\\Installer\\{5C50439B-4A95-4615-A77B-6D250D734303}\\IconVirtualBox"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A06253A7-DCD2-44E3-8689-9C9C4B6B6234}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3D2799E-D3AD-4F73-91EF-7D839689F6D6}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31587F93-2D12-4D7C-BA6D-CE51D0D5B265}\TypeLib	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\ = "IProcess"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DE887F2-B7DB-4616-AAC6-CFB94D89BA78}\NumMethods\ = "18"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{234F0627-866D-48C2-91A5-4C9D50F04928}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFA7E4F5-B4A4-44CE-85A8-127AC5EB59DC}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b5ddb370-08a7-4c8f-910d-47aabd67253a}	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxClient.1\CLSID\ = "{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c4b1b5f4-8cdf-4923-9ef6-b92476a84109}	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA05E40C-CB31-423B-B3B7-A5B19300F40C}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\ = "IGuestMonitorChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4B301A9-5F86-4D65-AD1B-87CA284FB1C8}\NumMethods\ = "28"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{53FAC49A-B7F1-4A5A-A4EF-A11DD9C2A458}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.vdi\ = "Virtual Disk Image"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3ba329dc-659c-488b-835c-4eca7ae71c6c}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC6C7CB-A371-4C58-AB51-0616896B2F2C}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{234F0627-866D-48C2-91A5-4C9D50F04928}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2F7FAE4-4A06-81FC-A916-78B2DA1FA0E5}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C48F3401-4A9E-43F4-B7A7-54BD285E22F4}\NumMethods\ = "15"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\ = "IExtPackManager"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E632}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}\NumMethods\ = "15"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E253EE8-477A-2497-6759-88B8292A5AF0}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50CE4B51-0FF7-46B7-A138-3C6E5AC946B4}\NumMethods	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFDE1265-3140-4048-A81F-A1E280DFBD75}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F9B9E1CF-CB63-47A1-84FB-02C4894B89A9}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDC}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE3CBCB-486F-40DB-9150-DEEE3FD24189}\NumMethods\ = "17"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{e28e227a-f231-11ea-9641-9b500c6d5365}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4f529a14-ace3-407c-9c49-066e8e8027f0}	VirtualBox.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.0.6-155176-Win.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2152	VirtualBox.exe
3680	VirtualBox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1416	msiexec.exe
1416	msiexec.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncreaseQuotaPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSecurityPrivilege	1416	msiexec.exe
Token: SeCreateTokenPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeLockMemoryPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncreaseQuotaPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeMachineAccountPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeTcbPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSecurityPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeTakeOwnershipPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeLoadDriverPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemProfilePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemtimePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeProfSingleProcessPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncBasePriorityPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePagefilePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePermanentPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeBackupPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeRestorePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeShutdownPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeDebugPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeAuditPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemEnvironmentPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeChangeNotifyPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeRemoteShutdownPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeUndockPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSyncAgentPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeEnableDelegationPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeManageVolumePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeImpersonatePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateGlobalPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateTokenPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeLockMemoryPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncreaseQuotaPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeMachineAccountPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeTcbPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSecurityPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeTakeOwnershipPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeLoadDriverPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemProfilePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemtimePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeProfSingleProcessPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeIncBasePriorityPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePagefilePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreatePermanentPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeBackupPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeRestorePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeShutdownPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeDebugPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeAuditPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSystemEnvironmentPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeChangeNotifyPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeRemoteShutdownPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeUndockPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeSyncAgentPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeEnableDelegationPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeManageVolumePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeImpersonatePrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateGlobalPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeCreateTokenPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe
Token: SeLockMemoryPrivilege	4960	VirtualBox-7.0.6-155176-Win.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4960	VirtualBox-7.0.6-155176-Win.exe
4960	VirtualBox-7.0.6-155176-Win.exe
4960	VirtualBox-7.0.6-155176-Win.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2152	VirtualBox.exe
3680	VirtualBox.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4092	1416	msiexec.exe	68
PID 1416 wrote to memory of 4092	1416	msiexec.exe	68
PID 1416 wrote to memory of 4532	1416	msiexec.exe	72
PID 1416 wrote to memory of 4532	1416	msiexec.exe	72
PID 1416 wrote to memory of 4328	1416	msiexec.exe	74
PID 1416 wrote to memory of 4328	1416	msiexec.exe	74
PID 1416 wrote to memory of 4076	1416	msiexec.exe	75
PID 1416 wrote to memory of 4076	1416	msiexec.exe	75
PID 1416 wrote to memory of 4076	1416	msiexec.exe	75
PID 1416 wrote to memory of 940	1416	msiexec.exe	76
PID 1416 wrote to memory of 940	1416	msiexec.exe	76
PID 3440 wrote to memory of 3268	3440	svchost.exe	78
PID 3440 wrote to memory of 3268	3440	svchost.exe	78
PID 1416 wrote to memory of 1208	1416	msiexec.exe	80
PID 1416 wrote to memory of 1208	1416	msiexec.exe	80
PID 1416 wrote to memory of 1208	1416	msiexec.exe	80
PID 3440 wrote to memory of 32	3440	svchost.exe	81
PID 3440 wrote to memory of 32	3440	svchost.exe	81
PID 3440 wrote to memory of 4604	3440	svchost.exe	85
PID 3440 wrote to memory of 4604	3440	svchost.exe	85
PID 4960 wrote to memory of 2152	4960	VirtualBox-7.0.6-155176-Win.exe	87
PID 4960 wrote to memory of 2152	4960	VirtualBox-7.0.6-155176-Win.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.6-155176-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.6-155176-Win.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
  "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 30792CF65C553E60F57902AC51FDE766 C
  2⤵
  - Loads dropped DLL
  PID:4092
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4532
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4650C83D5B61AB26F56A13B3984F6572
  2⤵
  - Loads dropped DLL
  PID:4328
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B796C0500C953B2EFC54FC98C68A23A2
  2⤵
  - Loads dropped DLL
  PID:4076
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4B3EF7F97B8B928BCFB483540A1A54DD E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A622AB4539BC198534D09CE0CDD74957 M Global\MSI0000
  2⤵
  PID:1208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4140

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3268
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000178" "WinSta0\Default" "0000000000000180" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:32
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000180" "WinSta0\Default" "0000000000000170" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4604

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:2568

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3088

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:32

C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3680 -s 1724
  2⤵
  - Program crash
  PID:3400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57bebd.rbs

Filesize
2.5MB

MD5
808eb192890803e142a5d8fc18fc1200

SHA1
6dfab1f2af96fed91bdf03c722daf05c537566c2

SHA256
2917c51b6e25428f064330d02ec610c04a1cae7f0a1340c493cb687db7eb7bc5

SHA512
2447b3e01ff80ffa4a680a4d165c8ed94b68aa44346e099ddaced0ff2fe31b64d412561be72bec472a9288ee9471ee18915eee627c62810d8ec4f1776ad17ce7

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

Filesize
11KB

MD5
38ecdcc0e16ee8efa2df0d4d4de2726d

SHA1
f47e3afade60c6c6a034ad876eb411a746602b91

SHA256
29140fb42bf7613d46f03dc5eb2fbc2a06b27a61f71ef345fedb5b3ee6836803

SHA512
1b70f36c09b698a89e353ee6ceb58932bd4ab93b0284c78e093a9c1a5b0e0732fdd65c3f35887101fab2393132710bde6a5aed1677e946e0bd2e86e80aaeeee0

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
b77609ac3c22505fd581a479669fcaf7

SHA1
aefb74fb327c8f16db178523f514057cf941ca58

SHA256
0c8a1b57e188d13b176d70df6bdb53088c26c419c89d0147b5b9b6c30a22e95a

SHA512
0799164e30045b2785998d7dec59a3cedd71c09fff7b486d598332dfc3ff90c1004e445c0f1b8576d534da3f731f6fac67351a309f8dd804318bd9d15d1e3dee

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.cat

Filesize
11KB

MD5
9a1ddecfe072c0faac0c5362719a2647

SHA1
9ad147b08cf5b0df46f1a8ba5e8d4cd8ac0a9245

SHA256
6528be5482a19564d5736e5e74666be5b7ebd3e0557e1abf6cc3c9d7418c137e

SHA512
16b65a7fb762217a87762e2cd54973b1a9edec1248b33c9b3f7248fccacf792b03b87c02abb34080328f92fe47ceafbf31af0f0d6aee7e1fad5dc0f54e3090e5

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

Filesize
248KB

MD5
4fe3a6d20bd2f446246306c042a06cbd

SHA1
5cd84b67235f2494a76705f77a133f500e0a52fe

SHA256
e3f0ab3e40aa9cb242c4f4340a0f2872f340cc72e40a730e0399022c49d4570e

SHA512
64595b8555e41fed7bb10f9514ca1125c3d74ceb8e93216d026157e064e66e9964ebbbdf6d3fb92af872f86c4195329dce526fa1df242b72158f70e0ac1dc645

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
890KB

MD5
9fe8febe27cd49bba4c9bbd80ca47c6d

SHA1
8dfc301b0dc2b4aba7d7f7676c932069a095f3f6

SHA256
2358b998567ca3bb2403136791405ee5cf13ac37a2b2d32fe490bcc33947796d

SHA512
dc299f14a5e0a52f8bec76b60864bf076bd4f3a8a255151c5473ad6be081a5ae00931b77bc1e2c401002cc72f246048678c3f9ca95eda99b9514d87a221b116e

Download Submit
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Filesize
2.5MB

MD5
4a1fd24a63b39d6bd42d0724e0dcf97a

SHA1
1a1cbbef6f14ae5298c38c22f6b621749c3fb668

SHA256
0e7c8fd7ea6e25989e611ffa93cd7671b830643a60481659a4b37741614fe536

SHA512
1d1e7a2aa32f74bc268ffa37002047435e115d35f98c996d1170c378b67587275820c2b9bbba429d95f92251b5d34c94828dda43899e43e03d859ff0f395fcc9

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
17e9670c4564449df57fc77d5071c111

SHA1
e7fd16bf5e4d467afd54f59a66e47246b5ef97a7

SHA256
9cf31ccaaa74fedca38e86107ff1306515b8b2eb6cbff2bf1870b175f8b0bbf1

SHA512
ffb79546c42a3540d42a1c0b2c25190355db3f70003321451caa642f07e7c74ab35693489bfd22c8f0a4daf40c6af5e7cef851d2c81955b02c9c99b836bca6e7

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
11KB

MD5
05034423c239836e333be1cef40e5e2f

SHA1
25d4ee63297b90f35cc8733338a301daff6bd770

SHA256
0d84c0e1691ebaabfe2c0e5abe94e3492a4344359fcf7619d5ecc74fcf4e6ee2

SHA512
602f330ce354200e3c75d2077b41ce73f9c8f89e69483f4666ded95544585f9283446dca799b2b7415d3c2112cc894ddf6587cfb1c98e0d6c2ec3d269ac724aa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
a5bf8890523c7ed164205653e2a9a0c8

SHA1
00dfcaa510e994b03c82048d30c7f4067162bf8d

SHA256
d0158c872c126e27ea93433a166c062738a2ccd4ac9d497bc10ede29e6f04d3a

SHA512
15e9cd38cd747a76c2b78218fb1cf92ab804809fd143a4baae1c214ec4172c7a231460b0c3a5579380fc0c049bd5d5becd86b6c03cab477b49f0f7fa1f4256a2

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
7745e88eec59d2192884b4ad5e0e309f

SHA1
009dd8ac8228d0261960d3b973d2a2a85fca3b4e

SHA256
9aba33f59fd751e07fb14c90bbbd45bf4383bb2b8dfb7ae3516a44bbee4d8892

SHA512
2e3fe36bbacf8571989cbc7f865b2aeae464f9e942aaa6df21052ea5d181febcc8f56e2f3ca29a23ac11a61e49e0ba4b88d3a6b97e4e53ff4ff3033c9286d1e5

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

Filesize
3KB

MD5
74a0675423ed88231a502297e079df56

SHA1
06f9ec95fe9b5058e29878ea844bef7fa8112358

SHA256
5c211ffa9c0a04629fdece0a759e0c48590f07486c35f41060602483c2d0aa36

SHA512
0a5d02843046cf2377464a4353df61efc20de6b75cd99f301235366c4f9ebd9a86282bfb3a77945ccb5b9d260359a2dacd920eb5db6205b8e04e0aa8dd5fc423

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
ceb5da97c2ca30da40bc6ab5479e65a1

SHA1
8bdd7342e6939f9eff2a3be8c98aba32e702d589

SHA256
e2301dc9778a4286f19efc0f7c39f79a10c4446d3fed6a54f0b4a2cc30eb3f2c

SHA512
2a628d351ce19fc63df27c37bd6956876d9ab30ea5a2f6c29c10ff90ea91149ebac96faf0b04b2d63bc07bf6a65a58f7af3ace82fd55574ea10a4770968b303e

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
ca46180e5bfe8ee22a6836633de3ef1b

SHA1
c6e0b1f2e19134788af6062657168ea8d376a6f9

SHA256
a6735bc29e28bc35fd1cd4f2610f06353a604801ddd89de1913c0b86f5f91148

SHA512
e0d1d8a5043db391286af3d35c915432778d03395e9b009187a15f0f90d6a8c46652583acaaa7672eba8f8e29f7c9d505d10578fb4c58280643834226fdc1455

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
edd61c0b048f8d3f1979a045e970cb2e

SHA1
ee9dbda0b64f59c4b1b977c33ee2cfb1728b80f2

SHA256
a184f362bc1ff530d89829899336e2c7c81da9eb8e1f75b15026344883b305f4

SHA512
01b9e760c824d6683e967769bbdc80df15f507d789245b5c59cdb964196209e077b58694a8a4ff55402afb7eae0d5bed31cc9fcfe52b6021b111c1bb214ca295

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
664KB

MD5
4e07c7e25becf7dfbff7ef5e6a6453e1

SHA1
887ef8c0fe25b6e306f996f9456a89af5e7db511

SHA256
c5a660e3b7033d38c948a9e46b7cd5e2281a8bd83fd6dcb3015a4a9eac5f2aaa

SHA512
187c085b019cde9667feec527529c1683ce12040c5d240467c3153a22441b8e69f63d4f7bc9a534e6132a1aded92082b910d9d8991511694d95d3095ee3a3dda

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
3b8734adc28101aebb01d117131db221

SHA1
c56ac8369e87dff31179811001bf3422239402b6

SHA256
1d7958df3d99a5b242bada00108773386c2fea116e526f40a1c07f13bb2066c0

SHA512
c5ca5eef2ea9487acf3dd769c4689542d52813fd77822fef01a8c9d604a2d1e3f310b9e3e2ecd26030319848b85e67297197d2227ad44ebbb3d3560b535a8f19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
471B

MD5
083dfe7f88c333321bdc792cd3fc02d8

SHA1
60cfd6f38df44189b1ca58cd5a752e84d358e8f4

SHA256
06f47a7bfb0eb52d0fca2e9dc9edfe57598345bb039480b62f231aef1bca3069

SHA512
039a55633c512f1adf1661da9455edcbb3fd4f8ff8a3597662d71d51dcff270a9a3e3c9ae0e44242855d676519ba15c3864870e684bc52a50587d2e83f37887f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
8a3a9f706321af5b27243f241af401a1

SHA1
74624d5e8effe8f8b7f7057a78e6c36bdc57ac33

SHA256
2c3d4616ad435b1843bfc0764863eb4d169d0384c981a05de3d362de6b189b89

SHA512
651ac97ca7d41fa7da9b72fd76d6094a5cac44a37ae51d4c591a2ef45576486a98f08cf5d005cf34870a2daab0d57bdc92c8a8ab460a60afb9e6901da1e618ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
434B

MD5
922a4f95ba040ccb703dcde5f71f7c54

SHA1
75a3ae2419e89b822ca702d36aa2ab7809da847d

SHA256
60ac326815abf82f6f33eb939db3ae16ee66a10588c996147cc46cdfe01a37cd

SHA512
88a76d6cbcadb71fdb8f74fbfb351af8c4d2b48d2b4414f863decf8c4392296ba65cd919b68fe4d9e33cb67874635ed017c00c644ed2b772734a3a125e9482bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE890.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEAA4.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEAF3.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEAF3.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEB71.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueflk3mgs20zsfbj69pnnl2j\2w49skmmuo52rtsuss2gywp6.msi

Filesize
104.7MB

MD5
671e00c0b7e8a58a709467b6364bce4a

SHA1
d75192b8be4ecfc2b2a2bf7a9b39887b6806b3c9

SHA256
d64f01a383a02f2f76f4e537ba53fdeb9c06ad773fc33e2b3e20b58adabb465a

SHA512
7f889d526bcb3eab8633058012e9df515fb00ea9d09afb8d9da27aaf69548e9facc19f400506c586420b7f109905f7b5bfb0429c19f64e835d2eb094986a5143

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueflk3mgs20zsfbj69pnnl2j\2w49skmmuo52rtsuss2gywp6.msi

Filesize
104.7MB

MD5
671e00c0b7e8a58a709467b6364bce4a

SHA1
d75192b8be4ecfc2b2a2bf7a9b39887b6806b3c9

SHA256
d64f01a383a02f2f76f4e537ba53fdeb9c06ad773fc33e2b3e20b58adabb465a

SHA512
7f889d526bcb3eab8633058012e9df515fb00ea9d09afb8d9da27aaf69548e9facc19f400506c586420b7f109905f7b5bfb0429c19f64e835d2eb094986a5143

Download Submit
C:\Windows\INF\oem4.PNF

Filesize
8KB

MD5
47b8f26c139a73b0ec2ab0101d5ad938

SHA1
5360c21aa47971801bbd6ef7b2f190527b12ff62

SHA256
47d63f14f561b761dcbeb8c3b16548d9115b20f764eafd9bcaee8b7e43450ee1

SHA512
bd3141280c0add8b092c80e6036ceb1a8b158cb489386c7a32bd30cbfc7d4bdef4f8c6d79e0cf74e04c9b7a27244f8b7ed2ee283962172a7aa17419aa2ad2bf4

Download Submit
C:\Windows\INF\oem4.inf

Filesize
3KB

MD5
74a0675423ed88231a502297e079df56

SHA1
06f9ec95fe9b5058e29878ea844bef7fa8112358

SHA256
5c211ffa9c0a04629fdece0a759e0c48590f07486c35f41060602483c2d0aa36

SHA512
0a5d02843046cf2377464a4353df61efc20de6b75cd99f301235366c4f9ebd9a86282bfb3a77945ccb5b9d260359a2dacd920eb5db6205b8e04e0aa8dd5fc423

Download Submit
C:\Windows\Installer\MSI1B31.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSI2ECA.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSI2F67.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSIC3BD.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSIC564.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSIC5F2.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSIC68F.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIC7C8.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSID1FC.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSIDF2D.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSIDFE9.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
C:\Windows\Installer\MSIF1EC.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSIF78A.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSIF8E3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSIF8E3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
181KB

MD5
47e2c19f120dd5c5cbe116c406e98557

SHA1
2e42b7a2b1c4aa61942e8b50414f8d061c000210

SHA256
d6b62641749dd20d79c76c87446bef5ee619e98a601559baac216412bf3c3703

SHA512
e7773b56712f1bca4c19a5f1e967f63834d2e20f255a1864f6184ac5c40640adbdde8f6f5fba016117a7e0a2456e689d5804658de30018a465c90a0d6a4af3d9

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
181KB

MD5
8afa5dc48e3b30513cc8ad3d620d586f

SHA1
7fde3066db9a3e7be9fdf5d1c36c81e66bfffa5b

SHA256
f0e04f01c6c365a51a09be59978a4d74c6bed1938632f5e47d52bf47b38109b5

SHA512
8b924da3b4fb4174ceb0a7620062304aee30fb444a8b6048a3f3d0174735b7722aac53e07d34ece48cdd0ddd812d97e7f07efa6bf31ac6f1017608c6f083e833

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
181KB

MD5
1e5e0f303f83e21ea8e0044e614a76aa

SHA1
2ac49dbcdd9306bdf4a248de231a5221f01685b5

SHA256
2a3c7ce466da147585113686eb215e41ec5d7ede847d56fdda0064ea5e9fc208

SHA512
8c7069c7f246449c15bd5934c085e4dfd2408992db313d775da9092ae4d6e9089b94a2148df0bfe46f500d6d6396b68be7cbd28e88238c6c9c4c7de56917dbc8

Download Submit
C:\Windows\System32\DRVSTORE\VBoxSup_8BDD7342E6939F9EFF2A3BE8C98ABA32E702D589\VBoxSup.sys

Filesize
1.0MB

MD5
edd61c0b048f8d3f1979a045e970cb2e

SHA1
ee9dbda0b64f59c4b1b977c33ee2cfb1728b80f2

SHA256
a184f362bc1ff530d89829899336e2c7c81da9eb8e1f75b15026344883b305f4

SHA512
01b9e760c824d6683e967769bbdc80df15f507d789245b5c59cdb964196209e077b58694a8a4ff55402afb7eae0d5bed31cc9fcfe52b6021b111c1bb214ca295

Download Submit
C:\Windows\System32\DRVSTORE\VBoxUSBMon_25D4EE63297B90F35CC8733338A301DAFF6BD770\VBoxUSBMon.sys

Filesize
199KB

MD5
7745e88eec59d2192884b4ad5e0e309f

SHA1
009dd8ac8228d0261960d3b973d2a2a85fca3b4e

SHA256
9aba33f59fd751e07fb14c90bbbd45bf4383bb2b8dfb7ae3516a44bbee4d8892

SHA512
2e3fe36bbacf8571989cbc7f865b2aeae464f9e942aaa6df21052ea5d181febcc8f56e2f3ca29a23ac11a61e49e0ba4b88d3a6b97e4e53ff4ff3033c9286d1e5

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_8931aaf37ae96d4c\VBoxUSB.cat

Filesize
11KB

MD5
38ecdcc0e16ee8efa2df0d4d4de2726d

SHA1
f47e3afade60c6c6a034ad876eb411a746602b91

SHA256
29140fb42bf7613d46f03dc5eb2fbc2a06b27a61f71ef345fedb5b3ee6836803

SHA512
1b70f36c09b698a89e353ee6ceb58932bd4ab93b0284c78e093a9c1a5b0e0732fdd65c3f35887101fab2393132710bde6a5aed1677e946e0bd2e86e80aaeeee0

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_8931aaf37ae96d4c\VBoxUSB.inf

Filesize
2KB

MD5
17e9670c4564449df57fc77d5071c111

SHA1
e7fd16bf5e4d467afd54f59a66e47246b5ef97a7

SHA256
9cf31ccaaa74fedca38e86107ff1306515b8b2eb6cbff2bf1870b175f8b0bbf1

SHA512
ffb79546c42a3540d42a1c0b2c25190355db3f70003321451caa642f07e7c74ab35693489bfd22c8f0a4daf40c6af5e7cef851d2c81955b02c9c99b836bca6e7

Download Submit
C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\VBoxNetLwf.cat

Filesize
11KB

MD5
03ae02d6fda8156e86ddc0cc0cd00f6a

SHA1
6f06d9ee23c07f809ec40c8cbd373aa63175e4eb

SHA256
725421279bb8982e2e692221fe0c168db93493c5613de849ece38765c3098c5b

SHA512
a84f316257d6b05ab4dbd2a489b869a49f11696b0f98608318527eaeb2f15e17de26b7622f4b7660d0726fc6f945ce4c0f9cd6938c7bb2c212f4800837051f7e

Download Submit
C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\VBoxNetLwf.inf

Filesize
4KB

MD5
7a3680ed8f94f0b0690f4fd9e1362643

SHA1
08be0cfad3bb9a01b52de057a23c911e2ac3ceb4

SHA256
6382610dd285c5ebdc187025d8d2eab17b49783c19a7d2e71217d72252f0eb0d

SHA512
0dc34badf380790889128f4a494bce7392a90753082f1528e721aeb0c0fb595c9ad1c7f5a869957bea3062643437cdc55cfb9b759395e1810fa9e6026d6eb6b1

Download Submit
C:\Windows\System32\DriverStore\Temp\{087c7a95-46e6-d648-ba02-1d3973bb5a1e}\VBoxNetLwf.sys

Filesize
259KB

MD5
29d5b63a41bb0427e7136bfda4573bdb

SHA1
3eb7416fc9848b54721b785967deee188161d259

SHA256
5e1cabc8204cd8c83bb66ed33cf3ff12138437b85a9bdd31ac09ff03828ce26d

SHA512
274e4738524c412674e78e09319019b49fece9427694d91793e3eb7416e42a566344d6782154b3c3a8aa59d8536ce080fdca5cf80ab4be41588518520648527c

Download Submit
C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\VBoxUSB.cat

Filesize
11KB

MD5
38ecdcc0e16ee8efa2df0d4d4de2726d

SHA1
f47e3afade60c6c6a034ad876eb411a746602b91

SHA256
29140fb42bf7613d46f03dc5eb2fbc2a06b27a61f71ef345fedb5b3ee6836803

SHA512
1b70f36c09b698a89e353ee6ceb58932bd4ab93b0284c78e093a9c1a5b0e0732fdd65c3f35887101fab2393132710bde6a5aed1677e946e0bd2e86e80aaeeee0

Download Submit
C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\VBoxUSB.inf

Filesize
2KB

MD5
17e9670c4564449df57fc77d5071c111

SHA1
e7fd16bf5e4d467afd54f59a66e47246b5ef97a7

SHA256
9cf31ccaaa74fedca38e86107ff1306515b8b2eb6cbff2bf1870b175f8b0bbf1

SHA512
ffb79546c42a3540d42a1c0b2c25190355db3f70003321451caa642f07e7c74ab35693489bfd22c8f0a4daf40c6af5e7cef851d2c81955b02c9c99b836bca6e7

Download Submit
C:\Windows\System32\DriverStore\Temp\{a8ef586a-9b0b-e145-a690-b91486b94e3c}\VBoxUSB.sys

Filesize
184KB

MD5
b77609ac3c22505fd581a479669fcaf7

SHA1
aefb74fb327c8f16db178523f514057cf941ca58

SHA256
0c8a1b57e188d13b176d70df6bdb53088c26c419c89d0147b5b9b6c30a22e95a

SHA512
0799164e30045b2785998d7dec59a3cedd71c09fff7b486d598332dfc3ff90c1004e445c0f1b8576d534da3f731f6fac67351a309f8dd804318bd9d15d1e3dee

Download Submit
C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\VBoxNetAdp6.cat

Filesize
11KB

MD5
9a1ddecfe072c0faac0c5362719a2647

SHA1
9ad147b08cf5b0df46f1a8ba5e8d4cd8ac0a9245

SHA256
6528be5482a19564d5736e5e74666be5b7ebd3e0557e1abf6cc3c9d7418c137e

SHA512
16b65a7fb762217a87762e2cd54973b1a9edec1248b33c9b3f7248fccacf792b03b87c02abb34080328f92fe47ceafbf31af0f0d6aee7e1fad5dc0f54e3090e5

Download Submit
C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\VBoxNetAdp6.inf

Filesize
3KB

MD5
74a0675423ed88231a502297e079df56

SHA1
06f9ec95fe9b5058e29878ea844bef7fa8112358

SHA256
5c211ffa9c0a04629fdece0a759e0c48590f07486c35f41060602483c2d0aa36

SHA512
0a5d02843046cf2377464a4353df61efc20de6b75cd99f301235366c4f9ebd9a86282bfb3a77945ccb5b9d260359a2dacd920eb5db6205b8e04e0aa8dd5fc423

Download Submit
C:\Windows\System32\DriverStore\Temp\{bf35d0e7-37db-4e4a-890c-e132d5777f05}\VBoxNetAdp6.sys

Filesize
248KB

MD5
4fe3a6d20bd2f446246306c042a06cbd

SHA1
5cd84b67235f2494a76705f77a133f500e0a52fe

SHA256
e3f0ab3e40aa9cb242c4f4340a0f2872f340cc72e40a730e0399022c49d4570e

SHA512
64595b8555e41fed7bb10f9514ca1125c3d74ceb8e93216d026157e064e66e9964ebbbdf6d3fb92af872f86c4195329dce526fa1df242b72158f70e0ac1dc645

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
181KB

MD5
1e5e0f303f83e21ea8e0044e614a76aa

SHA1
2ac49dbcdd9306bdf4a248de231a5221f01685b5

SHA256
2a3c7ce466da147585113686eb215e41ec5d7ede847d56fdda0064ea5e9fc208

SHA512
8c7069c7f246449c15bd5934c085e4dfd2408992db313d775da9092ae4d6e9089b94a2148df0bfe46f500d6d6396b68be7cbd28e88238c6c9c4c7de56917dbc8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
3a108ebe2a4614908b534e83d3f4dbd2

SHA1
7bc7bc8fce547d6d5c11b330b0eba4c3d27da831

SHA256
60ef98720a47718f3b602a6954f734a71e3031b42abc8fdf25a4a6a95a625e81

SHA512
fefbba86e20c190e18031bda505c4984aef199e8b0df78f7d0333b2c4a3f0edca7b23c234c2032709566018a41710aa2d9e001d6c4ee69a6b9c044b704c069dc

Download Submit
\??\Volume{b2c2c2d8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9ad409c5-9f0c-4fd9-9313-b71ace7e354e}_OnDiskSnapshotProp

Filesize
5KB

MD5
c5a48baab6806f4911e25b1ddae12c97

SHA1
bd3079d10d43e676ed3fe24f4ae629606b435aef

SHA256
277513e1fa8b8dcd6e8b3faf4c8402d611516e272ab3ea0654b7d13165725259

SHA512
5d93f5b3a531aad857d42984c8abe641f7ce82545a1a80eeeeef844480559425f7509e9b519b990216289ecd764e304729cf979a5a714e7394c8f7a61e2ee2d6

Download Submit
\Users\Admin\AppData\Local\Temp\MSIE890.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEAA4.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEAF3.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIEB71.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSI1B31.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSI2ECA.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSI2F67.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSIC3BD.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSIC564.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSIC5F2.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSIC68F.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSIC7C8.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSID1FC.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
\Windows\Installer\MSIDF2D.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSIDFE9.tmp

Filesize
297KB

MD5
61c9992e504032dae2156f0f9f44ebc3

SHA1
1572a86f8c245a569c2a80ab0e74c3e1db78a2ba

SHA256
4315debc4219e3a49c62533abf7c82b5239b4cf6a652d452d28b9019ecb1dd4d

SHA512
2857bbe849b9146312e05adf168ee8fa980fac276ae6932bf91d2b1152d0316d2401f2467ccf539f9adeda260b00c9cbd91c747515d0838073212c9b15dbe2f1

Download Submit
\Windows\Installer\MSIF1EC.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSIF78A.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
\Windows\Installer\MSIF8E3.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
memory/2152-663-0x000002A055540000-0x000002A057117000-memory.dmp

Filesize
27.8MB

Download
memory/2152-662-0x00007FF74D450000-0x00007FF74D6D2000-memory.dmp

Filesize
2.5MB

Download
memory/2152-664-0x000002A0571A0000-0x000002A0571B0000-memory.dmp

Filesize
64KB

Download
memory/2152-661-0x00007FFC8F740000-0x00007FFC8FC81000-memory.dmp

Filesize
5.3MB

Download
memory/2152-673-0x000002A055540000-0x000002A057117000-memory.dmp

Filesize
27.8MB

Download
memory/2152-674-0x000002A0571A0000-0x000002A0571B0000-memory.dmp

Filesize
64KB

Download
memory/3680-677-0x00007FF74D450000-0x00007FF74D6D2000-memory.dmp

Filesize
2.5MB

Download
memory/3680-676-0x00007FFC8E730000-0x00007FFC90307000-memory.dmp

Filesize
27.8MB

Download
memory/3680-678-0x00000214B67C0000-0x00000214B6D01000-memory.dmp

Filesize
5.3MB

Download
memory/3680-682-0x00000214B6680000-0x00000214B6690000-memory.dmp

Filesize
64KB

Download
memory/3680-685-0x00000214B67C0000-0x00000214B6D01000-memory.dmp

Filesize
5.3MB

Download