Malware Analysis Report

2025-01-18 04:40

Sample ID 230904-px5r2agb5v
Target Antidetect Patreon Premium Edition 2022.exe
SHA256 316e21b3e68b522fc33f29723770f031ca472f39c6b192f3e4534b5198652372
Tags
revengerat nyan-cat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

316e21b3e68b522fc33f29723770f031ca472f39c6b192f3e4534b5198652372

Threat Level: Known bad

The file Antidetect Patreon Premium Edition 2022.exe was found to be: Known bad.

Malicious Activity Summary

revengerat nyan-cat persistence stealer trojan

RevengeRAT

RevengeRat Executable

Drops file in Drivers directory

Loads dropped DLL

Registers COM server for autorun

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-04 12:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-04 12:43

Reported

2023-09-04 12:45

Platform

win7-20230831-en

Max time kernel

67s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2604 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2604 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2604 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
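Each row above records one process writing into another. The pattern here (a parent writing into a freshly created child, three or four times per child) is what ordinary process creation produces, so the rows can be folded into the process tree of the detonation: the submitted executable spawns two copies of Setup.exe and the look-alike "2022 .exe", Setup.exe spawns the svchost.exe copy in the Templates folder, and that in turn spawns the explorer.exe copy. The following Python is an added example, not part of the sandbox report or its tooling. It parses the rows copied from this section (constructed input, repeated rows kept on purpose), deduplicates them into edges, and prints the tree with the number of write events per edge. It assumes every image path starts with a drive letter, which is how the two run-together paths in each row are separated.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows of behavioral1,
# copied from the report. Repeated rows are repeated write events and are kept.
WPM_ROWS = r"""
PID 2224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2224 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2604 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2604 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2604 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2528 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 2224 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Assumption: every image path starts with a drive letter, so a new path begins
# wherever "<space><letter>:\" occurs. Paths themselves may contain spaces.
DRIVE_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")


def split_paths(rest):
    """Separate the parent and child image paths that the report runs together."""
    parts = DRIVE_SPLIT.split(rest)
    if len(parts) != 2:
        raise ValueError(f"expected two paths, got {len(parts)}: {rest!r}")
    return parts[0], parts[1]


def parse_rows(text):
    """Return (edges, names): edges counts write events per (parent, child) PID pair."""
    edges = Counter()
    names = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        parent, child = split_paths(m[3])
        edges[(ppid, cpid)] += 1
        names.setdefault(ppid, parent)
        names.setdefault(cpid, child)
    return edges, names


def build_tree(edges):
    """Roots are PIDs that were never written to; children are listed in PID order."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - written_to)
    return roots, children


def render(edges, names):
    """Indented tree, one process per line, with the write count on each child."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        suffix = f"  [{writes} write events from parent]" if writes else ""
        lines.append("  " * depth + f"{pid}  {names[pid]}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, names = parse_rows(WPM_ROWS)
    print(render(edges, names))
```

The same parser works on the behavioral2 rows once they are pasted in; the tree is what an EDR process-creation view would show, minus the msiexec.exe child, which is not in this signature because the installer launch did not trigger it.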

Processes

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe

"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 capeturk.com udp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
US 8.8.8.8:53 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 blog.capeturk.com udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
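The Network table mixes DNS lookups through the sandbox resolver with the connections that followed them. Three hostnames were resolved: capeturk.com (contacted on 80), a Blogspot host with a 27-character two-letter label (contacted on 443), and blog.capeturk.com, which resolved to 103.190.107.26 and was contacted on port 1111, not a web port. What was exchanged on each connection is not in the report. The following Python is an added example, not part of the sandbox report or its tooling. It parses the rows copied from this table (constructed input), separates lookups from connections, attaches two simple triage flags (non-web port, low-diversity hostname label), and emits a block list of endpoints. The resolver address and the "expected" port set are assumptions for this sandbox and a web-hosted drop, not facts from the report.

```python
from collections import OrderedDict

# Constructed input: the Network table of behavioral1, copied from the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 capeturk.com udp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
US 8.8.8.8:53 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 blog.capeturk.com udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
"""

RESOLVER = "8.8.8.8:53"     # assumption: udp rows to this endpoint are the sandbox's DNS lookups
EXPECTED_PORTS = {80, 443}  # assumption: ports a web-hosted page would normally be fetched on


def label_diversity(domain):
    """Distinct characters and length of the leftmost DNS label."""
    label = domain.split(".")[0]
    return len(set(label)), len(label)


def triage_network(text):
    """Group rows by hostname, separate lookups from connections, attach triage flags."""
    by_domain = OrderedDict()
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        rec = by_domain.setdefault(domain, {
            "domain": domain, "resolved": False,
            "destinations": [], "countries": set(), "flags": [],
        })
        if proto == "udp" and dest == RESOLVER:
            rec["resolved"] = True
            continue
        if dest in rec["destinations"]:
            continue  # repeated rows are repeated connections, not new IOCs
        rec["destinations"].append(dest)
        rec["countries"].add(country)
        port = int(dest.rsplit(":", 1)[1])
        if port not in EXPECTED_PORTS:
            rec["flags"].append(f"non-standard port {port}")
    for rec in by_domain.values():
        distinct, length = label_diversity(rec["domain"])
        if length >= 12 and distinct <= 3:
            rec["flags"].append("low-diversity label")
        rec["countries"] = sorted(rec["countries"])
    return list(by_domain.values())


def block_list(records):
    """Unique ip:port endpoints actually connected to, sorted, resolver excluded."""
    return sorted({dest for rec in records for dest in rec["destinations"]})


def hostname_list(records):
    """Hostnames to block or sinkhole, in first-seen order."""
    return [rec["domain"] for rec in records]


if __name__ == "__main__":
    recs = triage_network(NETWORK_ROWS)
    for rec in recs:
        print(rec["domain"], rec["destinations"], rec["countries"], rec["flags"])
    print("block endpoints:", block_list(recs))
    print("block hostnames:", hostname_list(recs))
```

Block 103.190.107.26:1111 and the capeturk.com names outright. The 142.251.36.33 endpoint is Blogspot's shared Google hosting, so block that contact by hostname, not by address, or the rule will also drop unrelated Blogspot traffic.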

Files

memory/2224-0-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2224-1-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/2224-2-0x0000000000D20000-0x0000000006168000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

memory/2364-10-0x0000000000F90000-0x0000000000FFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

memory/2364-12-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2364-13-0x0000000000AE0000-0x0000000000B60000-memory.dmp

memory/2364-14-0x0000000000A90000-0x0000000000AB8000-memory.dmp

memory/2364-16-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2604-17-0x0000000000B50000-0x0000000000BD0000-memory.dmp

memory/2604-18-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2604-19-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2364-20-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

memory/2528-31-0x0000000000F90000-0x0000000000FDE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

memory/2528-33-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2604-32-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2528-34-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2528-35-0x0000000000AD0000-0x0000000000B50000-memory.dmp

memory/2528-36-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2224-37-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2224-38-0x0000000000970000-0x00000000009F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 8e3d99e6a1064f89744ccb24dc6802bb
SHA1 1b6c31ab4236538c8423c19575c1e19a031b3876
SHA256 d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8
SHA512 f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 8e3d99e6a1064f89744ccb24dc6802bb
SHA1 1b6c31ab4236538c8423c19575c1e19a031b3876
SHA256 d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8
SHA512 f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 8e3d99e6a1064f89744ccb24dc6802bb
SHA1 1b6c31ab4236538c8423c19575c1e19a031b3876
SHA256 d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8
SHA512 f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

memory/3028-49-0x0000000000840000-0x0000000000858000-memory.dmp

memory/3028-50-0x00000000007A0000-0x00000000007A8000-memory.dmp

memory/3028-51-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/3028-52-0x00000000003B0000-0x0000000000430000-memory.dmp

memory/3028-53-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2528-57-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/2528-58-0x0000000000AD0000-0x0000000000B50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

MD5 fc409978e611a143502044848f8d470f
SHA1 dae419b77c277fe1fba610c2da94586dcef16701
SHA256 bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70
SHA512 e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

MD5 fc409978e611a143502044848f8d470f
SHA1 dae419b77c277fe1fba610c2da94586dcef16701
SHA256 bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70
SHA512 e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

memory/2224-64-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/3028-65-0x0000000002130000-0x000000000213C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi

MD5 577825097157487c7afd2c591ee413bb
SHA1 6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db
SHA256 3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d
SHA512 5d2f72b490e06bc0f69cdf0528fe43332b7420f92f21f573c9fe890b00b6ae002ef21566e1ba1be27ee61aa2e85535102c8b12661e4f101143e62a7c4a5748e8

C:\Users\Admin\AppData\Local\Temp\CabC90.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarE77.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2528-140-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/3028-141-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

memory/3028-142-0x00000000003B0000-0x0000000000430000-memory.dmp
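The Files section repeats the same dropped file once per write and interleaves memory dumps, so the first job is to reduce it to one record per distinct binary. Two things stand out once that is done: the dropped "Antidetect Patreon Premium Edition 2022 .exe" (a space before the extension) has SHA256 bb7c477c..., not the submitted 316e21b3..., so the submitted file is a wrapper that drops and launches a near-namesake, and the VirtualBox-6.1.28 MSI is the payload that msiexec.exe /V installs (the driver drops and "Vektor T13\VirtualBox" COM registrations in behavioral2 are consistent with that installer, and are not the RAT). The following Python is an added example, not part of the sandbox report or its tooling. It parses a constructed copy of this section (SHA512 lines left out for brevity; the parser accepts them), deduplicates by SHA256, counts drops, and finds dropped names that collide with the submitted sample's name modulo whitespace.

```python
import re

# SHA256 of the submitted sample, from the report header.
SUBMITTED_SHA256 = "316e21b3e68b522fc33f29723770f031ca472f39c6b192f3e4534b5198652372"
SUBMITTED_NAME = "Antidetect Patreon Premium Edition 2022.exe"

# Constructed input: an excerpt of the behavioral1 Files section, copied from the
# report, with one duplicate Setup.exe entry kept and the SHA512 lines omitted.
FILES_SECTION = r"""
memory/2224-0-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

memory/2364-10-0x0000000000F90000-0x0000000000FFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 8e3d99e6a1064f89744ccb24dc6802bb
SHA1 1b6c31ab4236538c8423c19575c1e19a031b3876
SHA256 d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

MD5 fc409978e611a143502044848f8d470f
SHA1 dae419b77c277fe1fba610c2da94586dcef16701
SHA256 bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70

C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi

MD5 577825097157487c7afd2c591ee413bb
SHA1 6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db
SHA256 3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # assumption: file entries start with a drive letter


def parse_files(text):
    """Map SHA256 -> {paths, hashes, drops}; memory dump lines are skipped."""
    artifacts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            continue
        m = HASH_RE.match(line)
        if not m or current is None:
            continue
        current["hashes"][m[1]] = m[2]
        if m[1] == "SHA256":
            rec = artifacts.get(m[2])
            if rec is None:
                # First sighting: the hashes dict is shared so later lines still land here.
                artifacts[m[2]] = {"paths": [current["path"]], "hashes": current["hashes"], "drops": 1}
            else:
                rec["drops"] += 1
                if current["path"] not in rec["paths"]:
                    rec["paths"].append(current["path"])
    return artifacts


def name_key(path):
    """Basename with whitespace removed and case folded, so 'X 2022 .exe' == 'X 2022.exe'."""
    return re.sub(r"\s+", "", path.rsplit("\\", 1)[-1]).lower()


def find_collisions(artifacts, submitted_name):
    """SHA256s of dropped files whose name matches the submitted sample's name modulo whitespace."""
    key = name_key(submitted_name)
    return [sha for sha, rec in artifacts.items() if any(name_key(p) == key for p in rec["paths"])]


def summary(artifacts):
    """One line per distinct binary: sha256, drop count, first path."""
    return [f"{sha}  drops={rec['drops']}  {rec['paths'][0]}" for sha, rec in artifacts.items()]


if __name__ == "__main__":
    arts = parse_files(FILES_SECTION)
    print("\n".join(summary(arts)))
    for sha in find_collisions(arts, SUBMITTED_NAME):
        print("name twin of submitted sample:", sha, "(differs from submitted hash:", sha != SUBMITTED_SHA256, ")")
```

Hunt on the SHA256 values of svchost.exe, explorer.exe and Setup.exe from the summary; the MSI hash identifies the bundled installer, which is worth matching against a known-good VirtualBox release before treating it as malicious on its own.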

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-04 12:43

Reported

2023-09-04 12:46

Platform

win10v2004-20230831-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\DRIVERS\SET4656.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET5AAA.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxNetLwf.sys C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETF5C5.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETF930.tmp C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SETF930.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxUSBMon.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SETF5C5.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\VBoxDrv.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET4656.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET5AAA.tmp C:\Windows\System32\MsiExec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe N/A
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxProxyStub.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxC.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxSDS.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxSVC.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxC.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
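Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) set the same two HKCU Run values; only the user SID differs. The value names borrow vendor names ("Microsoft Intel Security Corporation", "Microsoft Explorer") and point at copies of svchost.exe and explorer.exe under the user profile instead of C:\Windows. Note also that "Microsoft Explorer" points at ...\Roaming\Microsoft\Windows\explorer.exe while the process writing it runs from ...\Windows\Templates\explorer.exe, and the Files section lists a drop only at the Templates path, so a hunt should look for both locations. The following Python is an added example, not part of the sandbox report or its tooling. It parses the rows from both runs (constructed input copied from the report), unescapes the registry data, applies four masquerade checks, and produces the (value name, target path) pairs to check on other hosts. The system-binary and vendor-word lists are starting assumptions to be extended.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the "Adds Run key to start application" rows of behavioral1 (win7)
# and behavioral2 (win10), copied from the report. Only the user SID differs between runs.
RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
"""

# Row layout: Set value (str) <key path>\<value name> = "<data>" <writing process> N/A
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-[\d-]+)\\\S*?CurrentVersion\\Run\\'
    r'(?P<name>.+?) = "(?P<data>[^"]*)" (?P<writer>.+?) N/A$'
)

# Assumed starting lists; extend for your environment.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                       "winlogon.exe", "services.exe", "dllhost.exe", "conhost.exe"}
VENDOR_WORDS = ("microsoft", "intel", "windows", "google", "adobe", "nvidia")


def unescape(data):
    """The sandbox prints registry string data with doubled backslashes."""
    return data.replace("\\\\", "\\")


def under_user_profile(path):
    """True for anything below C:\\Users, AppData or a Temp folder (user-writable)."""
    return any(part.lower() in ("users", "appdata", "temp") for part in path.parts)


def triage_run_value(row):
    """Parse one row and attach masquerade flags; None if the row is not a Run value."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    target = PureWindowsPath(unescape(m["data"]))
    writer = PureWindowsPath(m["writer"])
    flags = []
    if target.name.lower() in SYSTEM_BINARY_NAMES and not str(target).lower().startswith("c:\\windows\\"):
        flags.append("system binary name outside C:\\Windows")
    if under_user_profile(target):
        flags.append("target under a user-writable profile path")
    if any(word in m["name"].lower() for word in VENDOR_WORDS):
        flags.append("value name borrows a vendor name")
    if target != writer:  # PureWindowsPath compares case-insensitively
        flags.append("target is not the writing process's own image")
    return {"sid": m["sid"], "name": m["name"], "target": str(target),
            "writer": str(writer), "flags": flags}


def triage_all(text):
    return [r for r in (triage_run_value(line) for line in text.strip().splitlines()) if r]


def hunt_set(records):
    """Unique (value name, target path) pairs to look for under HKCU\\...\\Run on other hosts."""
    return sorted({(r["name"], r["target"]) for r in records})


if __name__ == "__main__":
    recs = triage_all(RUN_KEY_ROWS)
    for r in recs:
        print(r["sid"][-4:], repr(r["name"]), "->", r["target"], r["flags"])
    print("hunt for:", hunt_set(recs))
```

On a live host the same two checks translate directly: enumerate HKCU\Software\Microsoft\Windows\CurrentVersion\Run for every loaded user hive, and treat any value whose data resolves to svchost.exe or explorer.exe outside C:\Windows as a finding regardless of the value name.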

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e9194d6fe801980a\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a1623fc1066c21c4\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\SET429D.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a1623fc1066c21c4\VBoxUSB.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\SET429D.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_52cd6779cf12d0c8\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\SET42BD.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\SETFB26.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\VBoxNetLwf.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a1623fc1066c21c4\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE\VBoxDrv_256ADCB0C73AC91BD2ED7B3C97C603E386E609E4\VBoxDrv.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxUSBMon_4E4DFAD311D140B5C1E14C2EC604833042CE3C58\VBoxUSBMon.inf C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\SET42ED.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_a1623fc1066c21c4\VBoxUSB.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\SET42BD.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\VBoxNetAdp6.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\SET42ED.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_52cd6779cf12d0c8\VBoxNetLwf.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_52cd6779cf12d0c8\vboxnetlwf.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\SETFB14.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\SET53B5.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_256ADCB0C73AC91BD2ED7B3C97C603E386E609E4\VBoxDrv.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\SETFB14.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\SET53C5.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\VBoxNetAdp6.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_e9194d6fe801980a\VBoxNetAdp6.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\SETFB25.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\SETFB25.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\SET53A4.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\SET53B5.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\system32\DRVSTORE\VBoxDrv_256ADCB0C73AC91BD2ED7B3C97C603E386E609E4\VBoxDrv.cat C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db C:\Windows\system32\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Vektor T13\VirtualBox\VBoxNetNAT.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_th.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UnattendedTemplates\ol_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_da.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\platforms\qwindows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VMMR0.r0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_es.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_pl.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxDTrace.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\drivers\USB\device\VBoxUSB.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_cs.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_it.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_hr_HR.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_ja.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_zh_TW.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UnattendedTemplates\rhel4_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxAuthSimple.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\drivers\USB\device\VBoxUSB.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_en.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UnattendedTemplates\win_postinstall.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxBugReport.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxDbg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_lt.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxHostChannel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxSDL.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxVMM.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_bg.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxAutostartSvc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxCAPI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxDD.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxSharedFolders.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_zh_CN.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_el.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UnattendedTemplates\fedora_ks.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxBalloonCtrl.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\x86\VBoxRT-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_ca.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\Qt5WinExtras.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\drivers\vboxdrv\VBoxDrv.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxSupLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UnattendedTemplates\debian_preseed.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\Qt5Gui.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\drivers\vboxdrv\VBoxDrv.cat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\platforms\qminimal.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UICommon.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\UnattendedTemplates\redhat_postinstall.sh C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_hu.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\x86\VBoxClient-x86.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\SDL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_da.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_id.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\drivers\USB\device\VBoxUSB.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_de.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\sdk\install\vboxapisetup.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\VBoxNetDHCP.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\VirtualBox_ko.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_fa.qm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Vektor T13\VirtualBox\nls\qt_ru.qm C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIF81B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF9A2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\{650FF4A9-7502-4AFB-8ACA-57414EC42BD1}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5169.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem5.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE9C1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI414B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI5BCB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE26C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI51E7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem3.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\inf\oem5.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Windows\Installer\SourceHash{650FF4A9-7502-4AFB-8ACA-57414EC42BD1} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE367.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\e58dbd4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF3E4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem0.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\INF\oem1.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\e58dbd4.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{650FF4A9-7502-4AFB-8ACA-57414EC42BD1}\IconVirtualBox C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58dbd6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5DB1.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted] C:\Windows\system32\vssvc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\System32\MsiExec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1E775EA3-9070-4F9C-B0D5-53054496DBE0}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C354A762-3FF2-4F2E-8F09-07382EE25088}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\progId_VirtualBox.Shell.ovf\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE3CBCB-486F-40DB-9150-DEEE3FD24189}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08E25756-08A2-41AF-A05F-D7C661ABAEBE}\ = "IVRDEServer" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD6A1080-E1B7-4339-A549-F0878115596E}\TypeLib C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b55cf856-1f8b-4692-abb4-462429fae5e9} C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{35CF4B3F-4453-4F3E-C9B8-5686939C80B6}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{35CF4B3F-4453-4F3E-C9B8-5686939C80B6}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D095CB0-0126-43E0-B05D-326E74ABB356}\NumMethods\ = "28" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A4FF0562057BFA4A8AC7514E44CB21D\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d05c91e2-3e8a-11e9-8082-db8ae479ef87} C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{179F8647-319C-4E7E-8150-C5837BD265F6}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D89E2B3-C6EA-45B6-9D43-DC6F70CC9F02}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\ = "IClipboardModeChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C40C2B86-73A5-46CC-8227-93FE57D006A6}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{806DA61B-6679-422A-B629-51B06B0C6D93}\TypeLib C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{081FC833-C6FA-430E-6020-6A505D086387} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8FAEF61E-6E15-4F71-A6A5-94E707FAFBCC}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9622225A-5409-414B-BD16-77DF7BA3451E}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F05D7E60-1BCF-4218-9807-04E036CC70F1}\ = "IProgressPercentageChangedEvent" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{01510F40-C196-4D26-B8DB-4C8C389F1F82}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000_Classes\CLSID C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C19073DD-CC7B-431B-98B2-951FDA8EAB89}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB6F0F2C-8384-11E9-921D-8B984E28A686}\NumMethods\ = "37" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BB335CC-1C58-440C-BB7B-3A1397284C7B}\NumMethods\ = "14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D70F7915-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{806DA61B-6679-422A-B629-51B06B0C6D93} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{431685DA-3618-4EBC-B038-833BA829B4B2}\ProxyStubClsid32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\ProxyStubClsid32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2514881B-23D0-430A-A7FF-7ED7F05534BC}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DC83C2C-81A9-4005-9D52-FC45A78BF3F5}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D095CB0-0126-43E0-B05D-326E74ABB356}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{91F33D6F-E621-4F70-A77E-15F0E3C714D5}\NumMethods C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD47AD09-787B-44AB-B343-A082A3F2DFB1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8A0EB5-F4F4-4DD0-9D30-C89B873247EC}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.vdi\DefaultIcon\ = "\"C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxRes.dll\",-303" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{24EEF068-C380-4510-BC7C-19314A7352F1}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{81314D14-FD1C-411A-95C5-E9BB1414E632}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDC} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Vektor T13\\VirtualBox\\VBoxSVC.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{1E8D3F27-B45C-48AE-8B36-D35E83D207AA} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{3890B2C8-604D-11E9-92D3-53CB473DB9FB}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.ovf\ = "Open Virtualization Format" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\TypeLib C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11BE93C7-A862-4DC9-8C89-BF4BA74A886A}\ = "IMediumFormat" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{93BADC0C-61D9-4940-A084-E6BB29AF3D83}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{890ed3dc-cc19-43fa-8ebf-baecb6b9ec87} C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{2405F0E5-6588-40A3-9B0A-68C05BA52C4B}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\TypeLib\Version = "1.3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}\NumMethods C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B31C4052-7BDC-11E9-8BC2-8FFDB8B19219}\ProxyStubClsid32 C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41A033B8-CC87-4F6E-A0E9-47BB7F2D4BE5}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 3164 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 3164 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 3164 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 4344 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 4344 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 1108 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 1108 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
PID 3164 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 3164 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 3164 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
PID 4352 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 4352 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
PID 3040 wrote to memory of 4364 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3040 wrote to memory of 4364 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3040 wrote to memory of 1984 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3040 wrote to memory of 1984 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3040 wrote to memory of 4152 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3040 wrote to memory of 4152 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4812 wrote to memory of 1728 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4812 wrote to memory of 1728 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 1728 wrote to memory of 4960 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 1728 wrote to memory of 4960 N/A C:\Windows\system32\DrvInst.exe C:\Windows\system32\rundll32.exe
PID 3040 wrote to memory of 568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3040 wrote to memory of 568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3040 wrote to memory of 568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4812 wrote to memory of 1176 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4812 wrote to memory of 1176 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4812 wrote to memory of 3348 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4812 wrote to memory of 3348 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2696 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe
PID 2696 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

Image path, followed by the command line it was started with:

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe
  "C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
  "C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 845AE8FB33007546A017AF743BC0A214

C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 048399A32A6C7690B7A3C218724F786C E Global\MSI0000

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Vektor T13\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "44c03ccb3" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Vektor T13\VirtualBox\drivers\USB\device"

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{56ebb0bf-f7d3-604d-9cd2-94ce2d197eaa} Global\{ad33cbad-e106-cc4f-a07b-b37a72d341b2} C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.inf C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.cat

C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 05EE6663CED6F6CCDAC5FD63B0A0045E M Global\MSI0000

C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Vektor T13\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "414293377" "0000000000000168" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Vektor T13\VirtualBox\drivers\network\netadp6"

C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Vektor T13\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "442d4ec77" "000000000000015C" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files\Vektor T13\VirtualBox\drivers\network\netlwf"

C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe
  "C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe"

C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe
  "C:\Program Files\Vektor T13\VirtualBox\VBoxSVC.exe" -Embedding

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa39ab055 /state1:0x41c64e6d

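The two svchost.exe instances and the explorer.exe instance above run from %APPDATA%\Microsoft\Windows\Templates, a user-writable directory, instead of C:\Windows\System32 or C:\Windows; the rest of the tree is the bundled VirtualBox installer doing ordinary MSI and driver-store work from system paths. The following Python is an added triage example, not code from this report or from the sandbox that produced it: it walks (image path, command line) pairs like those above and flags system-binary names running outside the Windows system directories, svchost.exe instances started without a -k service group, and anything executing from a user-writable location. The process sample is constructed from the entries above; the system-directory, system-binary and user-writable lists are assumptions to adjust per environment.

```python
"""Added triage example (not part of the original sandbox report): flag
processes whose image name belongs to a Windows system binary but whose path
is outside the Windows system directories, the masquerading pattern shown by
the Templates svchost.exe and explorer.exe entries in the process list."""
import ntpath

# Image names a real Windows install only runs from System32/SysWOW64
# (explorer.exe from C:\Windows). Assumed list; extend as needed.
SYSTEM_ONLY = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "services.exe", "rundll32.exe", "msiexec.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# Path fragments a standard user can write to; any executable started from
# here deserves a look even when its name is not a system one (assumed list).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp",
                 r"\users\public", r"\programdata")

# Constructed sample: (image path, command line) pairs copied from the
# Processes section of the report, reduced to the entries relevant here.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"'),
    (r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (r"C:\Windows\system32\srtasks.exe",
     r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman"),
    (r"C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe",
     r'"C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe"'),
]


def normalize(path):
    """Lower-case and normalise a Windows path so case variants
    (system32 vs System32) and stray quotes compare equal."""
    return ntpath.normpath(path.strip('"')).lower()


def classify(path, cmdline):
    """Return the list of findings for one process (empty when it looks normal)."""
    p = normalize(path)
    name = ntpath.basename(p)
    parent = ntpath.dirname(p)
    findings = []
    # Compare the whole parent directory, not a prefix, so a directory such as
    # C:\Windows\System32evil does not pass as a system directory.
    if name in SYSTEM_ONLY and parent not in SYSTEM_DIRS:
        findings.append(f"masquerade: {name} outside Windows system directories")
    # services.exe always starts a genuine svchost.exe with a -k service group.
    if name == "svchost.exe" and " -k " not in f" {cmdline.lower()} ":
        findings.append("svchost.exe started without a -k service group")
    if any(fragment in p for fragment in USER_WRITABLE):
        findings.append("executes from a user-writable directory")
    return findings


def triage(processes):
    """Map each suspicious image path to its findings; clean processes are omitted."""
    result = {}
    for path, cmdline in processes:
        findings = classify(path, cmdline)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    for path, findings in triage(PROCESSES).items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

On the sample above, only the two Temp executables and the two Templates binaries are reported; the msiexec.exe, vssvc.exe, srtasks.exe, DcomLaunch/Netman svchost.exe and VirtualBox.exe instances all pass, which matches the split between the dropped payloads and the installer noise in this report.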
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 capeturk.com udp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
US 8.8.8.8:53 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 18.189.76.45.in-addr.arpa udp
US 8.8.8.8:53 33.36.251.142.in-addr.arpa udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 blog.capeturk.com udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
US 8.8.8.8:53 224.104.207.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 3.4.5.7.8.2.d.d.d.f.8.2.c.8.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 255.255.255.255:67 udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
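Most rows in the table above are background noise: reverse (in-addr.arpa / ip6.arpa) lookups of every address the sandbox touched, mDNS, DHCP broadcast and bare DNS queries with no name recorded. The following Python is an added triage example, not code from this report or from the sandbox that produced it: it parses rows in the table's own "Country Destination Domain Proto" layout (the Domain column may be absent), discards that noise, keeps the forward DNS names and each TCP endpoint with its connection count, and flags endpoints on ports outside an assumed allow-list of 80 and 443. The row sample is constructed from the table above.

```python
"""Added triage example (not part of the original sandbox report): reduce a
sandbox network table to the endpoints the sample actually talked to, drop
OS and sandbox background traffic, and flag connections on unusual ports."""

# Ports on which an outbound connection from a freshly run installer is
# unremarkable; anything else is flagged. Assumption for this example.
EXPECTED_PORTS = {80, 443}

# Constructed sample: rows copied from the report's Network table in its own
# "Country Destination Domain Proto" layout (Domain is sometimes absent).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 capeturk.com udp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
SG 45.76.189.18:80 capeturk.com tcp
US 8.8.8.8:53 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com udp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
NL 142.251.36.33:443 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com tcp
US 8.8.8.8:53 blog.capeturk.com udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
VN 103.190.107.26:1111 blog.capeturk.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 3.4.5.7.8.2.d.d.d.f.8.2.c.8.5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa udp
N/A 255.255.255.255:67 udp
VN 103.190.107.26:1111 blog.capeturk.com tcp
US 8.8.8.8:53 udp
"""


def parse_row(line):
    """Parse one table row; returns None for blank or malformed lines."""
    tokens = line.split()
    if len(tokens) not in (3, 4):
        return None
    ip, _, port = tokens[1].rpartition(":")
    if not ip or not port.isdigit():
        return None
    return {"country": tokens[0], "ip": ip, "port": int(port),
            "domain": tokens[2] if len(tokens) == 4 else "", "proto": tokens[-1]}


def is_background(row):
    """True for traffic the OS or the sandbox generates on its own."""
    if row["domain"].endswith((".in-addr.arpa", ".ip6.arpa")):
        return True                      # reverse lookups, not sample-initiated
    if row["ip"].startswith("224.") or row["ip"] == "255.255.255.255":
        return True                      # mDNS and DHCP broadcast
    # A DNS row with no recorded name carries nothing to pivot on.
    return row["port"] == 53 and row["proto"] == "udp" and not row["domain"]


def summarize(table):
    """Return the forward DNS names queried (in first-seen order), each real
    endpoint with its connection count, and the endpoints on unexpected ports."""
    dns_names, endpoints = [], {}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None or is_background(row):
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            if row["domain"] not in dns_names:
                dns_names.append(row["domain"])
            continue
        key = f'{row["ip"]}:{row["port"]}/{row["proto"]}'
        entry = endpoints.setdefault(key, {"domain": row["domain"], "country": row["country"],
                                           "port": row["port"], "count": 0})
        entry["count"] += 1
    flagged = [key for key, entry in endpoints.items() if entry["port"] not in EXPECTED_PORTS]
    return {"dns_names": dns_names, "endpoints": endpoints, "flagged": flagged}


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("queried:", ", ".join(summary["dns_names"]))
    for key, entry in summary["endpoints"].items():
        print(f'{key:28} {entry["domain"]:45} x{entry["count"]}')
    print("flagged:", summary["flagged"])
```

On this sample the only flagged endpoint is 103.190.107.26:1111 (blog.capeturk.com), contacted four times, which is the connection to treat as the C2 candidate; the three hits on capeturk.com:80 and the fetch of the long alphabetic blogspot hostname over 443 precede it. Some .NET RAT builds read their C2 address from a public blog or paste page, so that blogspot URL is worth retrieving in a controlled environment, but this report alone does not show what it served.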

Files

memory/3164-0-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/3164-1-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/3164-2-0x00000000066D0000-0x00000000066E0000-memory.dmp

memory/3164-3-0x00000000008B0000-0x0000000005CF8000-memory.dmp

memory/3164-4-0x0000000020D30000-0x0000000020DD6000-memory.dmp

memory/3164-5-0x00000000212B0000-0x000000002177E000-memory.dmp

memory/3164-6-0x0000000021820000-0x00000000218BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

memory/4344-18-0x0000000000F20000-0x0000000000F8E000-memory.dmp

memory/4344-19-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/4344-20-0x0000000001960000-0x0000000001970000-memory.dmp

memory/4344-22-0x000000001BEC0000-0x000000001BEE8000-memory.dmp

memory/4344-21-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 ada0cbc54989b2cd2959601c7a5b8499
SHA1 9c8739d476016fe0a87b176bb95f3a5bcbeff0de
SHA256 a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96
SHA512 f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

memory/1108-27-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/1108-29-0x00000000016B0000-0x00000000016C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

memory/1108-35-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

MD5 fc409978e611a143502044848f8d470f
SHA1 dae419b77c277fe1fba610c2da94586dcef16701
SHA256 bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70
SHA512 e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

memory/3164-48-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/2620-49-0x0000000000BC0000-0x0000000000C0E000-memory.dmp

memory/2620-50-0x000000001BD60000-0x000000001BD68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

MD5 1303779b354738a8c93cc522ffb21f11
SHA1 ce29a26e1363ddfdc830e2934fed935f15032187
SHA256 0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5
SHA512 b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

memory/4352-56-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/1108-55-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/4344-54-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/2620-53-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

MD5 70f08e6585ed9994d97a4c71472fccd8
SHA1 3f44494d4747c87fb8b94bb153c3a3d717f9fd63
SHA256 87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa
SHA512 d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

memory/2620-57-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/4352-58-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe

MD5 fc409978e611a143502044848f8d470f
SHA1 dae419b77c277fe1fba610c2da94586dcef16701
SHA256 bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70
SHA512 e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

memory/3164-64-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi

MD5 577825097157487c7afd2c591ee413bb
SHA1 6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db
SHA256 3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d
SHA512 5d2f72b490e06bc0f69cdf0528fe43332b7420f92f21f573c9fe890b00b6ae002ef21566e1ba1be27ee61aa2e85535102c8b12661e4f101143e62a7c4a5748e8

memory/2620-74-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

MD5 8e3d99e6a1064f89744ccb24dc6802bb
SHA1 1b6c31ab4236538c8423c19575c1e19a031b3876
SHA256 d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8
SHA512 f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

memory/1904-92-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/1904-94-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

memory/1904-95-0x00000000016D0000-0x00000000016D8000-memory.dmp

memory/1904-93-0x0000000001700000-0x0000000001710000-memory.dmp

memory/1904-97-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/1904-98-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

memory/1904-102-0x000000001D890000-0x000000001D8F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

MD5 2f142977932b7837fa1cc70278e53361
SHA1 0a3212d221079671bfdeee176ad841e6f15904fc
SHA256 961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820
SHA512 a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

memory/4352-120-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/1904-121-0x00007FFC42880000-0x00007FFC43221000-memory.dmp

memory/1904-122-0x0000000001700000-0x0000000001710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi

MD5 577825097157487c7afd2c591ee413bb
SHA1 6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db
SHA256 3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d
SHA512 5d2f72b490e06bc0f69cdf0528fe43332b7420f92f21f573c9fe890b00b6ae002ef21566e1ba1be27ee61aa2e85535102c8b12661e4f101143e62a7c4a5748e8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_72694C6727E2E7C86AB39E0B21D2306A

MD5 259b65bc8c235312437d2ffc604721fc
SHA1 7fd304131e49972410e214a40859509923be2326
SHA256 99000a65f341375fb5ec68540ed091ce873f7924d46cba252e93e415ca50c183
SHA512 f3129d54e6acf1edc9cc9a93c962fe5fcc48db72b50ceaf4ee2a7e48ea37f9973f061bd27e72cee8029b84a1c9b066579cd3e01a7082d4ee7f84908b3a189df4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_72694C6727E2E7C86AB39E0B21D2306A

MD5 febbec29d168d9a2865f6debd9364936
SHA1 40ecd053469fcf82c19d19b05ecfd2592806eb9f
SHA256 afd572632b3df1b46d93e6ed183237207cc284fa807c9fe86b0ecb09f412a847
SHA512 42205bba18e90c5eb11a9d7cad088003daf42b00f3ed4b8818ee0d29f98f67e71022c5732c5b55ffc32b104c27fa681911cdb5134a8edfa027003f7375de6ba5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 088405ee532b866febb7d355770a5b9b
SHA1 ea4c95cbfea8928e941f9d4a2781d5bf88323e6a
SHA256 34541aade2fdc72195b5810b0c6cfc84ed0fe7ac8365521cf88e2627bd073aba
SHA512 9328097721928bc8e30d9034eceed09ab366122313593076346ce8dae145625510fc5f2877b0d3c81d228a3f660900588b11895d9d5fbe1ad9370fd5d05f387b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

MD5 dfa9010cf1980e4a68cc89e9eaab895e
SHA1 b57ab47345beb161d4e81fdf72133b45ed3b8863
SHA256 97546c684b77c8e0fa996e160740fbf251620b2fc4a7f3033dc1817d381064e0
SHA512 ea7a6dcf76b19edb0ad577de89efe42973d45d0c3395aea184956f39faf1acb413dae747c3e6e455ac9db1d7746f82c5802d27f43253905f316451ed42ea9161

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

MD5 4ee47adfaaa7d60aeaf49d3ea01c7b82
SHA1 b69c838e71dde3e84426815b7d3e29f315e2f67a
SHA256 879749391ef3479ebe3a88492b42ebdb565bca17de526049b4e02fae84b41bc9
SHA512 0042f195d7bad948cd73772563f6023cd3fdd7b62d1b849988ce0ec55d000d4d35c08da444533f728f8250c9ba882c2e9cf6b61f6f891dab2038225090c29f49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

MD5 410a7217946514d8f1b656052006bed1
SHA1 f6d542a533f23aaf563a5e55528d7a4fbdda16ab
SHA256 1ca1b2afe753ed9eb544ac01ae7e40a1ea0c36d6e7c06a6cb6cf44075c653001
SHA512 32d9f882296febe16f85008b0552bc8f37e20f4ec6983a53e11a2838a5530e5445759ff967a3183f1390520d9f11fd25ad50f12bb4593e8c0c398fc38c5aca72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

MD5 dcc4206ffd9093e1a350f79fa919666c
SHA1 0502a8bd400e92c5b96c5aeb3a2061600feefd2f
SHA256 fc895a406c613a70898726966d79cbc7bff0c2d57309a182ba7f452363fbb51b
SHA512 aa5406b192c95bc4ba0b2bd1231528ce171894aea0a9351d62ebe7246dcbe5b8f911bce842f2c046cbeb636f21e01bbd1314ad817c17e3b0c91f2347ed004296

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

MD5 53692790dee7f0b9286980ed137bb373
SHA1 2fee4c8607152362aef28409f628c03bf2ef979f
SHA256 d9bc2c1dd0d7d9c6159c9e280918c2a0aed4f6d0f409489e7b82d340e24d5d6c
SHA512 ac53c117ae5e8160276315c0251f736aa94c22187d5554be5bae905164fd5b6af18e0e8da6675d9283ad7cf8c69b6d136acaa6c9ddf15ba8f2b06891405e7b2a

C:\Windows\Installer\MSIE367.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Windows\Installer\MSIE9C1.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Windows\Installer\MSIF3E4.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Vektor T13\VirtualBox\drivers\vboxdrv\VBoxDrv.inf

MD5 2bb7330b6796d8018f50723b4300bce1
SHA1 a268682f991c3ef8fed568e7213c146846819f18
SHA256 a74ed746efd1b0713c0ec23171bc4311853936ff41dcd024e63ebf65bf5893ad
SHA512 eed5a7ceb88fdbb4c9fa942d52d568e1a63214130f8525cccf6de3b0a3bac45e954ea1d6d6e184fc4cef51d2765fae548161b56b465be37d176d5d7129289a65

C:\Program Files\Vektor T13\VirtualBox\drivers\vboxdrv\VBoxDrv.cat

MD5 da6c40b2b2962b8b9eb21ef56b7b3dcf
SHA1 256adcb0c73ac91bd2ed7b3c97c603e386e609e4
SHA256 afe786fb69e3dba876abb3c49979a08b42270abbe7c37274955c013de3ef3670
SHA512 084dff20aa145a12832020448172bffa2d3d4589e36d692e323bb0f6fce2eedb9eb87fbd28d21f16cfdfa93ee005c1311cac3917302235db29533b1d9dc14753

C:\Program Files\Vektor T13\VirtualBox\drivers\vboxdrv\VBoxDrv.sys

MD5 53b6d078510da6f9da9de35fc286f6df
SHA1 26dbabf8a40d2203e745f6ea66b888794a23973c
SHA256 bf083aba584e5cb31a26c4d7ae2bbf0f4dff3ae0d0f9bd8922203b463f59021b
SHA512 4420be234eade61663e8bedc5f62878df5fa1764058f2ab0a0195f96ebfb228b450a58cdce2baaab8cf5694b7b059032d9fd440946b102569acb73878c657c2e

C:\Windows\System32\DRVSTORE\VBoxDrv_256ADCB0C73AC91BD2ED7B3C97C603E386E609E4\VBoxDrv.sys

MD5 53b6d078510da6f9da9de35fc286f6df
SHA1 26dbabf8a40d2203e745f6ea66b888794a23973c
SHA256 bf083aba584e5cb31a26c4d7ae2bbf0f4dff3ae0d0f9bd8922203b463f59021b
SHA512 4420be234eade61663e8bedc5f62878df5fa1764058f2ab0a0195f96ebfb228b450a58cdce2baaab8cf5694b7b059032d9fd440946b102569acb73878c657c2e

C:\Windows\Installer\MSIF81B.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Vektor T13\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

MD5 ac4abd3f90352559932287fb97d527d1
SHA1 276d8a42b659eafc5fed20406c17eed77c68530a
SHA256 f66796576e7307da709aec482724b4af17c5ea59fd016df042819be9d7e6df9b
SHA512 08940c1667debfa7039b91a09bd31ea5b6efc7f3002b8606e2d37f7d3700dcc10dccf2d681b70271bd95528875a7113530babc340240ce4b7f76f80a22cc2d83

C:\Program Files\Vektor T13\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

MD5 2efae31236f042ce07eb23fcb562c630
SHA1 4e4dfad311d140b5c1e14c2ec604833042ce3c58
SHA256 7326823e899a8e0a59f9d64d6164cc60267ea37a9c20842d85b60d91dcd1c0a6
SHA512 1f7dfe83528b4230e555001ca8add6b5aabb6be99ffd2168861a008fbdacc33f21c5dba86fc992dede14bd7ffd5be765810d07f794e7f195e04dec5f88a43db5

C:\Program Files\Vektor T13\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

MD5 18f19e03735dc5a7e6476b36140232e6
SHA1 ef1d3f764784499443088f6f32d3770c753c9036
SHA256 f1b7ae6c62345d73069dc7b96f4a0ddb7303647863d58485a8627ba69f189ee6
SHA512 6a10d971c19e6c7b9709a632b84cf3bf9284f976e8f1bcfbcc7d98ab5cd9ccdb748ccaee3d420f2dddcf8f41b56c437ff422ea126068cf49831462b478ee60a8

C:\Windows\System32\DRVSTORE\VBoxUSBMon_4E4DFAD311D140B5C1E14C2EC604833042CE3C58\VBoxUSBMon.sys

MD5 18f19e03735dc5a7e6476b36140232e6
SHA1 ef1d3f764784499443088f6f32d3770c753c9036
SHA256 f1b7ae6c62345d73069dc7b96f4a0ddb7303647863d58485a8627ba69f189ee6
SHA512 6a10d971c19e6c7b9709a632b84cf3bf9284f976e8f1bcfbcc7d98ab5cd9ccdb748ccaee3d420f2dddcf8f41b56c437ff422ea126068cf49831462b478ee60a8

C:\Windows\Installer\MSIF9A2.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files\Vektor T13\VirtualBox\drivers\USB\device\VBoxUSB.inf

MD5 65346b5991286bb6bbe4038768f7e245
SHA1 d1a1f5cc3c1b9afacd4b9d65adcc58b2948a6f7f
SHA256 5b9f9965e3b7a42f52a36df2b035523106863247010e122dab253e3107b70ce7
SHA512 ed435b1c509361f4e6f9eef47f3a8ad980cbc8aaa84f27c9cb6b125a33d20034f0cc60a8a5679bc4bbcef2ef8f5bbea447b35d2c2d3047fab028db4b379af634

C:\PROGRA~1\VEKTOR~1\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

MD5 8e879e3b069a863ea28cd8ccb102c3b8
SHA1 385ee7ec19e2698e0d30f15182889b3e536c5e4d
SHA256 10d8016a168c3c1fc756d716b02b400616d026a2a5b4cb143cd7a5f809b55516
SHA512 99d7de7b95adb3509bae7a38c3625a7a9fee5e85112f5238c438c580d1118fa7d73dd42d73443dafe4e06e1989edc1c510a62d7e8db5ee13ff1d8ae21b45754a

C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.inf

MD5 65346b5991286bb6bbe4038768f7e245
SHA1 d1a1f5cc3c1b9afacd4b9d65adcc58b2948a6f7f
SHA256 5b9f9965e3b7a42f52a36df2b035523106863247010e122dab253e3107b70ce7
SHA512 ed435b1c509361f4e6f9eef47f3a8ad980cbc8aaa84f27c9cb6b125a33d20034f0cc60a8a5679bc4bbcef2ef8f5bbea447b35d2c2d3047fab028db4b379af634

C:\PROGRA~1\VEKTOR~1\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

MD5 066955d033308d27c08ddd9605ccfe7a
SHA1 1ee93f373c7ef8e17540ed56fcf2ce1541db5997
SHA256 a0fc2ddcb775de51f992a5a49a9447b2722323948e576f84a8ba7d3ce06c31fe
SHA512 822e488046c93b816c53c905d748e9864006bf6d7c169f68698cbaf35d580ddad65f1bf915648b73f8a2571e836a6c7c97bb0bd1a5f8864194219191341e0837

C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.cat

MD5 8e879e3b069a863ea28cd8ccb102c3b8
SHA1 385ee7ec19e2698e0d30f15182889b3e536c5e4d
SHA256 10d8016a168c3c1fc756d716b02b400616d026a2a5b4cb143cd7a5f809b55516
SHA512 99d7de7b95adb3509bae7a38c3625a7a9fee5e85112f5238c438c580d1118fa7d73dd42d73443dafe4e06e1989edc1c510a62d7e8db5ee13ff1d8ae21b45754a

C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.sys

MD5 066955d033308d27c08ddd9605ccfe7a
SHA1 1ee93f373c7ef8e17540ed56fcf2ce1541db5997
SHA256 a0fc2ddcb775de51f992a5a49a9447b2722323948e576f84a8ba7d3ce06c31fe
SHA512 822e488046c93b816c53c905d748e9864006bf6d7c169f68698cbaf35d580ddad65f1bf915648b73f8a2571e836a6c7c97bb0bd1a5f8864194219191341e0837

C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.inf

MD5 65346b5991286bb6bbe4038768f7e245
SHA1 d1a1f5cc3c1b9afacd4b9d65adcc58b2948a6f7f
SHA256 5b9f9965e3b7a42f52a36df2b035523106863247010e122dab253e3107b70ce7
SHA512 ed435b1c509361f4e6f9eef47f3a8ad980cbc8aaa84f27c9cb6b125a33d20034f0cc60a8a5679bc4bbcef2ef8f5bbea447b35d2c2d3047fab028db4b379af634

C:\Windows\System32\DriverStore\Temp\{8b2ec6c2-2531-1641-9164-2e5f288deae2}\VBoxUSB.cat

MD5 8e879e3b069a863ea28cd8ccb102c3b8
SHA1 385ee7ec19e2698e0d30f15182889b3e536c5e4d
SHA256 10d8016a168c3c1fc756d716b02b400616d026a2a5b4cb143cd7a5f809b55516
SHA512 99d7de7b95adb3509bae7a38c3625a7a9fee5e85112f5238c438c580d1118fa7d73dd42d73443dafe4e06e1989edc1c510a62d7e8db5ee13ff1d8ae21b45754a

\??\Volume{ec690652-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0b082f8b-d63f-42cf-920c-faaa28891d4c}_OnDiskSnapshotProp

MD5 8610ae9c041d5f5ca90f7c37a0b3b2b3
SHA1 74c5bfc1c65a0722a6b277ecff01bdcc0227a510
SHA256 b5bca8c1aa01140a7385eaab64e347ae56f0f15dd15725ea58b9d6790f5cc618
SHA512 b2af9b87426c86bd289acccfa0340ae81cf5c284e74a941fde2364823e49592c1bb3ad3b9d72d3ac27db3988fa24ad04b613e7ef10fe00d481b55a3fba30b840

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 69e80de5ca6e11eb595d5b7e3c776b36
SHA1 5c79a54ef203779afa844752f1bf632e444a4ad8
SHA256 a3155c099a9fb3f5974f0d58aef29a14e57a5a3aefcf7eeb175bee7a82a9002e
SHA512 728f2b867c5ab34b42198c067c1fdb9fc6abce927960782c5ab42244d0c82f67d35e6426ed8c1aff14db3eadfcbe52508d611c0f3357a602798764e0f205139b

C:\Windows\System32\CatRoot2\dberr.txt

MD5 379de51ea59b127610fea3dec1967eeb
SHA1 6b07f29f288402ecaeedf96970de74d75ce2aac5
SHA256 43ad95ea088224781793afe9b2dfd53171fd7097841d5e37c685b429a5399237
SHA512 0d577e4b9d3dfb880498bf40b85e516ad3bcc578d8c10ee74417f2f867c6a04e36aa421338c60784610bb2fbafc8fa9029f37f76f4af9efd83874625d98cd2b3

C:\Windows\System32\CatRoot2\dberr.txt

MD5 1d948ec1c8e96eec445eb89152f1733a
SHA1 c83f91e4938986ed154a49b289bf982d21bb6a45
SHA256 2898e84e5f99d1a9e4383b29a5ec2dae58f3091fbfd6116c44752797afb8e90d
SHA512 42730d44fc33815be7d9a6c577d037339d1ea75044422e2c12bfd14663f51c00ff323fd28cc4c779f0e215b1ecaec7c4aea46b9db4443053498b817629a0f145

C:\Program Files\Vektor T13\VirtualBox\VirtualBox.exe

MD5 2f14a2853900e97f4943242b1b407c86
SHA1 675ca10eea2eaac50674012fb0f9e4b2649faf2d
SHA256 97c8a5a19486d8a8735ab787b4a4c587a4ae6909e1f992b10ac91cb2c09b1741
SHA512 0498a503060908714bb61ea4931be28a0211ad64481220f6dec4024b7b49be5d33e8496d9906ddbdd8b251d6ddd31a8ab15c435632adb3a86012cc29991e6160

C:\Program Files\Vektor T13\VirtualBox\VBoxProxyStub.dll

MD5 b2c2f48bd25fe77420b5363860fcd904
SHA1 42c5a4ee090f304e506472531e3b71acc91bcf2e
SHA256 f1bb391a09870493a26066b531fb2d1969a9503037ebf6ba87a58e3268ea2ec6
SHA512 b6c6c78ccceddaa39b2ee957dea931d1597d54ce3b8e29e6d051de7d54044ea5ff9dce5056de04fa7cecdc39c0c25c96b1b232894d3f270d5daca924207c0d98

C:\Program Files\Vektor T13\VirtualBox\x86\VBoxProxyStub-x86.dll

MD5 d48799db5ba631002258b5972b332e00
SHA1 df6a04162e148eafa2e17442ae9c0a3b0ebc650d
SHA256 3b78e45616ba825a508dec60d05f7909bc15a5d1f5029e4d04ca0d603f02f0fa
SHA512 45a5b1710e2cee64e1b87b82fcbe8e8109cb580396a65dd53a8bca934ae2d525d967507f4807febf277b8aa8c50af1bcb0f00a8cbd0d40ef70bf6bb8b7649e70

C:\Windows\Installer\MSI414B.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Program Files\Vektor T13\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

MD5 b12511df122f31364b87b071a62901e1
SHA1 9b81fe3af4c64748abff3964080e691ec25f02dc
SHA256 1e3de2fe2bb1069091850d5307b0c869d7d802cf1ffb824e3f82057294a3f395
SHA512 2aad66c44e8eda6797c1ab4143303ae3090ee9dac60633547ac9aeef60982a1f5df91e4ee7cabcb2d5dc63f029979f65225a1792c41c2bfaa31d5cde7fc273f0

C:\PROGRA~1\VEKTOR~1\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

MD5 c6f08995f2d2c18caf8e91db9b1e2249
SHA1 e03dad0181f930e320206f733306a4e9ca3fef8a
SHA256 da3b498352c645db952878ba25975e9689d92840d7f77e6476a0463fe6f4d87d
SHA512 a7c3d7c7f5dafd81f9737db5dfce03e52bf5fc9cd1e863f883dff86d0f90e9d66b726ea774f7ee15b073676fbbc8746167086f3721202085445259f925ec31c0

C:\PROGRA~1\VEKTOR~1\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.cat

MD5 76db37d9887f6424687a2cea966678ce
SHA1 3ad513cc7694a1811a3c86db74c27e0fdde56a5d
SHA256 0edc02470245df9811ff1cf69aa47ce0b3e70cb0beac2349f54176fa08f992c6
SHA512 1b269a569f16b9296a9660d4655478bddc659a39bf3a5fb51b9011e4f6bcd6382e1023f7ee2b3d8c63e814e68e062af47eb5d26f404038cba3b79775e4272313

C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\VBoxNetAdp6.inf

MD5 b12511df122f31364b87b071a62901e1
SHA1 9b81fe3af4c64748abff3964080e691ec25f02dc
SHA256 1e3de2fe2bb1069091850d5307b0c869d7d802cf1ffb824e3f82057294a3f395
SHA512 2aad66c44e8eda6797c1ab4143303ae3090ee9dac60633547ac9aeef60982a1f5df91e4ee7cabcb2d5dc63f029979f65225a1792c41c2bfaa31d5cde7fc273f0

C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\VBoxNetAdp6.cat

MD5 76db37d9887f6424687a2cea966678ce
SHA1 3ad513cc7694a1811a3c86db74c27e0fdde56a5d
SHA256 0edc02470245df9811ff1cf69aa47ce0b3e70cb0beac2349f54176fa08f992c6
SHA512 1b269a569f16b9296a9660d4655478bddc659a39bf3a5fb51b9011e4f6bcd6382e1023f7ee2b3d8c63e814e68e062af47eb5d26f404038cba3b79775e4272313

C:\Windows\System32\DriverStore\Temp\{a0db408f-a228-314f-8329-9df243684966}\VBoxNetAdp6.sys

MD5 c6f08995f2d2c18caf8e91db9b1e2249
SHA1 e03dad0181f930e320206f733306a4e9ca3fef8a
SHA256 da3b498352c645db952878ba25975e9689d92840d7f77e6476a0463fe6f4d87d
SHA512 a7c3d7c7f5dafd81f9737db5dfce03e52bf5fc9cd1e863f883dff86d0f90e9d66b726ea774f7ee15b073676fbbc8746167086f3721202085445259f925ec31c0

C:\Windows\System32\CatRoot2\dberr.txt

MD5 8c1652635ab45a9e0a0fcef4cdee9d66
SHA1 de998f95ce1a7051dd2adf664e87b86841287943
SHA256 54b7d4f1fefc7d72977c0700cb8667e145ce10550f195e6948d45f64c7a41f56
SHA512 331ef6076ee0798be7eefe57d3e1708e34490ea1910769b63a60d5a69cf38d9c2be14c50a9d1bb006fd663fb3af2e8dcb9f42658ed774443c769253a94bfc410

C:\Windows\System32\catroot2\dberr.txt

MD5 8c1652635ab45a9e0a0fcef4cdee9d66
SHA1 de998f95ce1a7051dd2adf664e87b86841287943
SHA256 54b7d4f1fefc7d72977c0700cb8667e145ce10550f195e6948d45f64c7a41f56
SHA512 331ef6076ee0798be7eefe57d3e1708e34490ea1910769b63a60d5a69cf38d9c2be14c50a9d1bb006fd663fb3af2e8dcb9f42658ed774443c769253a94bfc410

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Installer\MSI5169.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Windows\Installer\MSI5169.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Windows\Installer\MSI5169.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Windows\Installer\MSI51E7.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Windows\Installer\MSI51E7.tmp

MD5 f97b9cde9f9de44a9de69363eb66dce5
SHA1 846fb6f0ef3c704d97779034ac48464fd1bdb881
SHA256 e67c83feb3a099f9908af211546b7471bc7b42fde80b11a7448ba5932b6c01b9
SHA512 5c0749886aa240e010eaa078a7201b2a7d8caf9c1a6797b71499cd15012b19daed3cb51f1602cf82600e298f4e5e9a9667b9412e25d6256f077f00dcb9d18ce1

C:\Windows\INF\oem3.inf

MD5 65346b5991286bb6bbe4038768f7e245
SHA1 d1a1f5cc3c1b9afacd4b9d65adcc58b2948a6f7f
SHA256 5b9f9965e3b7a42f52a36df2b035523106863247010e122dab253e3107b70ce7
SHA512 ed435b1c509361f4e6f9eef47f3a8ad980cbc8aaa84f27c9cb6b125a33d20034f0cc60a8a5679bc4bbcef2ef8f5bbea447b35d2c2d3047fab028db4b379af634

C:\Program Files\Vektor T13\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf

MD5 12663dbd027adc66ef1d9cdf59c0f8cf
SHA1 667da2234c0613711920086a991328acfce58985
SHA256 232fabfc5d2201eeaa9b32fce26903eda4d8519613e6ec8967fbf11935f135ac
SHA512 7b3482f2d87c7de175964ec8a8cc0b4341e8782d3de44b6ea5eb9150c2e5b582a896a32609272fed3f26d7fa57cc8e6709d47708129b739d391364bbaae93d31

C:\PROGRA~1\VEKTOR~1\VIRTUA~1\drivers\network\netlwf\VBoxNetLwf.cat

MD5 4a8db3582e8ce1687b107db4eac1f1b5
SHA1 17a401cc2bc872e3299ddde2fdd153c624a9f666
SHA256 b792e5e904dd4c75433e9f6fd9e5b81f8274c7b8580f174fea124b97ef11d90e
SHA512 cbb299247dc8e41b9d45d488f164937781a51762337d7f4fc82af82829c3529f8906ab55a9eb0aa19a0d74b18f542f22f3434a6ebe061a6d21be3d1f16c9f84d

C:\PROGRA~1\VEKTOR~1\VIRTUA~1\drivers\network\netlwf\VBoxNetLwf.sys

MD5 be2d61e34859a88ab785b1579767488a
SHA1 55eed9cfecb2a77299528abd5503916dad342c6e
SHA256 fc4d51468f49dfcb2be252670a32be264e8e5e570172c431bd8010fbebcf7e82
SHA512 8f17ed77cbace1b8f9ea25b91d298edf51fe6af2e0086eca0e47a3ce639994afa47e8f0e223ebdb1abfbb8940415e1e57caaf6d1b5b817333893c3cb1480fc22

C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\VBoxNetLwf.inf

MD5 12663dbd027adc66ef1d9cdf59c0f8cf
SHA1 667da2234c0613711920086a991328acfce58985
SHA256 232fabfc5d2201eeaa9b32fce26903eda4d8519613e6ec8967fbf11935f135ac
SHA512 7b3482f2d87c7de175964ec8a8cc0b4341e8782d3de44b6ea5eb9150c2e5b582a896a32609272fed3f26d7fa57cc8e6709d47708129b739d391364bbaae93d31

C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\VBoxNetLwf.cat

MD5 4a8db3582e8ce1687b107db4eac1f1b5
SHA1 17a401cc2bc872e3299ddde2fdd153c624a9f666
SHA256 b792e5e904dd4c75433e9f6fd9e5b81f8274c7b8580f174fea124b97ef11d90e
SHA512 cbb299247dc8e41b9d45d488f164937781a51762337d7f4fc82af82829c3529f8906ab55a9eb0aa19a0d74b18f542f22f3434a6ebe061a6d21be3d1f16c9f84d

C:\Windows\System32\DriverStore\Temp\{83015b23-0d15-9a4c-887b-469b5f51e949}\VBoxNetLwf.sys

MD5 be2d61e34859a88ab785b1579767488a
SHA1 55eed9cfecb2a77299528abd5503916dad342c6e
SHA256 fc4d51468f49dfcb2be252670a32be264e8e5e570172c431bd8010fbebcf7e82
SHA512 8f17ed77cbace1b8f9ea25b91d298edf51fe6af2e0086eca0e47a3ce639994afa47e8f0e223ebdb1abfbb8940415e1e57caaf6d1b5b817333893c3cb1480fc22

C:\Windows\System32\CatRoot2\dberr.txt

MD5 8a4a7f9ec35a24a6f4e80b9c247accfe
SHA1 3e24b0cb9848e9e2c9e6e45ff4d417370cc138dc
SHA256 c3141409cf807b59098c5c4b538996e8cad66b60141dd95db135f7d38d55b072
SHA512 1af896e7ebc178e4f8c3a02c0565689fb476e0712191cf85750fbead54def6a609127e294a9e6fe4ef8fbc89dfb21a2af30ca169ba63b9000b89063853261938

C:\Config.Msi\e58dbd5.rbs

MD5 0522c9782c70e162e78324c6762e6c59
SHA1 cde85d75713f663a48240d07c9a325649287893a
SHA256 21d01e310df62e0e60c598dad3af83bd9459d96f5ff2496dfcf489bea81327ff
SHA512 09fa76891af10cfb5bb2237349ac38a132892c51ef79b7a6e593744f8500ee380dc139c4ec5642a29b2a2bfaffe1a61e58da57f02cf26dff0367a12c98414768

memory/4124-614-0x0000000068770000-0x0000000068CBE000-memory.dmp

memory/4124-613-0x00007FFC3CD50000-0x00007FFC3F0CA000-memory.dmp

memory/4124-615-0x00007FF7B84D0000-0x00007FF7B86F6000-memory.dmp

memory/1904-616-0x00007FFC42880000-0x00007FFC43221000-memory.dmp