4719b38e7a276b43099ce4d6349e6bfc80edf644ee59d9dafd264bc7ed7691f4

Analysis

max time kernel
103s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

VirtualBox-7.0.14-161095-Win.exe
Size

106.0MB
MD5

cdf2059571281b67a232c4933d7632e2
SHA1

5a7496a1adfb5dd3ce6b02ef51dffa0a5c0ea2c7
SHA256

4719b38e7a276b43099ce4d6349e6bfc80edf644ee59d9dafd264bc7ed7691f4
SHA512

bca6b7770162cf02dce019230097d107ff876c0ca6a32fd78e7a361f6a5a183698ad4d0bc026c59dff5eb43ac209434ca2e0adc3e9f6b4f9dab20fd3542c2d28
SSDEEP

3145728:/GjAJr3F4hLioOZmlnZJK1pTMOZ68wsoI:/xr3uLiogmlZnwkI

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETD099.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETDCC0.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETB06F.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETB06F.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETD099.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETDCC0.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETAE6B.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETAE6B.tmp	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\VBoxNetAdp6.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\SETCB89.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\VBoxNetAdp6.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\SETDA21.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\SETB199.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\SETB1A9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\VBoxNetLwf.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\SETDA21.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\SETB199.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.cat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\SETB198.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_ee187df79249cd72\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\SETDA0F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\SETCB4A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\SETCB89.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_ee187df79249cd72\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\VBoxNetLwf.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\SETDA0F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\SETDA10.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\SETCB4A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\SETCB8A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\SETCB8A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0549fada-c34b-a34a-ace4-4faec316a48d}\SETB198.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a5cf7bd5-83fd-a14f-9f8c-3ed8349d3233}\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_c5e1a8904c87a072\vboxnetlwf.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.sys	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_ee187df79249cd72\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\SETDA10.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	MsiExec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxManage.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qch	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_response_files.rsp	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt6_unattended.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqlite.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindows.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxCAPI.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxTestOGL.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\License_en_US.rtf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg	msiexec.exe

Drops file in Windows directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA338.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIDD89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI93EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{8DDF4B7A-DE1A-4619-B426-959B44E40A87}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID838.tmp	msiexec.exe
File created	C:\Windows\Installer\{8DDF4B7A-DE1A-4619-B426-959B44E40A87}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem5.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI940F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACDE.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI9390.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSICAF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9887.tmp	msiexec.exe
File created	C:\Windows\Installer\e588faa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e588fa8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI945E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94DC.tmp	msiexec.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFCD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0B8.tmp	msiexec.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8DDF4B7A-DE1A-4619-B426-959B44E40A87}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA2BA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\e588fa8.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9934.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3580	VirtualBox.exe

Loads dropped DLL 32 IoCs

pid	Process
1980	MsiExec.exe
1980	MsiExec.exe
1980	MsiExec.exe
1980	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3292	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
4884	MsiExec.exe
3964	MsiExec.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe
3580	VirtualBox.exe

Registers COM server for autorun 1 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\""	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fe4aef237c2afe490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fe4aef230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fe4aef23000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfe4aef23000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fe4aef2300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}\ = "ILanguageChangedEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6DC83C2C-81A9-4005-9D52-FC45A78BF3F5}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABEF51AE-1493-49F4-AA03-EFAF106BF086}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vdi\ = "progId_VirtualBox.Shell.vdi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01ADB2D6-AEDF-461C-BE2C-99E91BDAD8A1}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250}\NumMethods\ = "22"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3D2799E-D3AD-4F73-91EF-7D839689F6D6}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}\TypeLib	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{101AE042-1A29-4A19-92CF-02285773F3B5}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{269D8F6B-FA1E-4CEE-91C7-6D8496BEA3C1}\ = "INATNetworkStartStopEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{300763AF-5D6B-46E6-AA96-273EAC15538A}\NumMethods\ = "245"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\ = "IConsole"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27C0B3D-6038-422C-B45E-6D4A0503D9F1}\ = "ISnapshotTakenEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B79DE686-EABD-4FA6-960A-F1756C99EA1C}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F89464F-7773-436A-A4DF-592E4E537FA0}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B1D978B8-F7B7-4B05-900E-2A9253C00F51}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\ProgID\ = "VirtualBox.VirtualBox.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c39ef4d6-7532-45e8-96da-eb5986ae76e4}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BB335CC-1C58-440C-BB7B-3A1397284C7B}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{83795A4C-FCE1-11EA-8A17-636028AE0BE2}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{00892186-A4AF-4627-B21F-FC561CE4473C}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{327E3C00-EE61-462F-AED3-0DFF6CBF9904}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F89464F-7773-436A-A4DF-592E4E537FA0}\NumMethods\ = "88"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{806DA61B-6679-422A-B629-51B06B0C6D93}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\ = "IGuestFileWriteEvent"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F01F1066-F231-11EA-8EEE-33BB2AFB0B6E}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7c5e945f-2354-4267-883f-2f417d216519}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{14C2DB8A-3EE4-11E9-B872-CB9447AAD965}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B7FDA727-7A08-46EE-8DD8-F8D7308B519C}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D947ADF5-4022-DC80-5535-6FB116815604}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FAC49A-B7F1-4A5A-A4EF-A11DD9C2A458}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DFE56449-6989-4002-80CF-3607F377D40C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4376693C-CF37-453B-9289-3B0F521CAF27}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C39EF4D6-7532-45E8-96DA-EB5986AE76E4}\ = "IVRDEServerInfo"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b55cf856-1f8b-4692-abb4-462429fae5e9}	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CADEF0A2-A1A9-4AC2-8E80-C049AF69DAC8}\NumMethods\ = "27"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1474BB3A-F096-4CD7-A857-8D8E3CEA7331}\ = "IGuestDebugControl"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{41A033B8-CC87-4F6E-A0E9-47BB7F2D4BE5}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46735DE7-F4C4-4020-A185-0D2881BCFA8B}\NumMethods\ = "56"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2B2}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}\NumMethods	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0447716-FF5A-4795-B57A-ECD5FFFA18A4}\ = "ISession"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5BFD8965-B81B-469F-8649-F717CE97A5D5}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0F7B8A22-C71F-4A36-8E5F-A77D01D76090}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7569351-1750-46F0-936E-BD127D5BC264}\1.3\0\win64	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7191CF38-3E8A-11E9-825C-AB7B2CABCE23}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABEF51AE-1493-49F4-AA03-EFAF106BF086}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{890ED3DC-CC19-43FA-8EBF-BAECB6B9EC87}\ = "IVirtualBoxSDS"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{147816C8-17E0-11EB-81FA-87CEA6263E1A}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\ProxyStubClsid32	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3580	VirtualBox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3268	msiexec.exe
3268	msiexec.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncreaseQuotaPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSecurityPrivilege	3268	msiexec.exe
Token: SeCreateTokenPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeAssignPrimaryTokenPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeLockMemoryPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncreaseQuotaPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeMachineAccountPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeTcbPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSecurityPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeTakeOwnershipPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeLoadDriverPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemProfilePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemtimePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeProfSingleProcessPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncBasePriorityPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePagefilePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePermanentPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeBackupPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeRestorePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeShutdownPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeDebugPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeAuditPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemEnvironmentPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeChangeNotifyPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeRemoteShutdownPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeUndockPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSyncAgentPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeEnableDelegationPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeManageVolumePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeImpersonatePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateGlobalPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateTokenPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeAssignPrimaryTokenPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeLockMemoryPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncreaseQuotaPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeMachineAccountPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeTcbPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSecurityPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeTakeOwnershipPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeLoadDriverPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemProfilePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemtimePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeProfSingleProcessPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncBasePriorityPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePagefilePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePermanentPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeBackupPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeRestorePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeShutdownPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeDebugPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeAuditPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemEnvironmentPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeChangeNotifyPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeRemoteShutdownPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeUndockPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeSyncAgentPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeEnableDelegationPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeManageVolumePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeImpersonatePrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateGlobalPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateTokenPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeAssignPrimaryTokenPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe
Token: SeLockMemoryPrivilege	1220	VirtualBox-7.0.14-161095-Win.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	VirtualBox-7.0.14-161095-Win.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3580	VirtualBox.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 1980	3268	msiexec.exe	90
PID 3268 wrote to memory of 1980	3268	msiexec.exe	90
PID 3268 wrote to memory of 4388	3268	msiexec.exe	101
PID 3268 wrote to memory of 4388	3268	msiexec.exe	101
PID 3268 wrote to memory of 3964	3268	msiexec.exe	103
PID 3268 wrote to memory of 3964	3268	msiexec.exe	103
PID 3268 wrote to memory of 3292	3268	msiexec.exe	104
PID 3268 wrote to memory of 3292	3268	msiexec.exe	104
PID 3268 wrote to memory of 3292	3268	msiexec.exe	104
PID 3268 wrote to memory of 4884	3268	msiexec.exe	105
PID 3268 wrote to memory of 4884	3268	msiexec.exe	105
PID 2556 wrote to memory of 3620	2556	svchost.exe	107
PID 2556 wrote to memory of 3620	2556	svchost.exe	107
PID 3268 wrote to memory of 2408	3268	msiexec.exe	109
PID 3268 wrote to memory of 2408	3268	msiexec.exe	109
PID 3268 wrote to memory of 2408	3268	msiexec.exe	109
PID 2556 wrote to memory of 4880	2556	svchost.exe	110
PID 2556 wrote to memory of 4880	2556	svchost.exe	110
PID 2556 wrote to memory of 1044	2556	svchost.exe	112
PID 2556 wrote to memory of 1044	2556	svchost.exe	112
PID 1220 wrote to memory of 3580	1220	VirtualBox-7.0.14-161095-Win.exe	114
PID 1220 wrote to memory of 3580	1220	VirtualBox-7.0.14-161095-Win.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.14-161095-Win.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
  "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C080F5BB6190B05814431C7F252DEEF5 C
  2⤵
  - Loads dropped DLL
  PID:1980
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4388
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A823A89B38A6F88BC2F2CAB8A7281028
  2⤵
  - Loads dropped DLL
  PID:3964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C158DD6450269729F5990F7ED27460AC
  2⤵
  - Loads dropped DLL
  PID:3292
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 23C1B95BAA485E99A14CE3518F46A7B6 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E3A9546510914D457704904ADD88FBA3 M Global\MSI0000
  2⤵
  PID:2408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3620
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4880
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "000000000000015C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1044

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
PID:2660

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
PID:3400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a5855 /state1:0x41c64e6d
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588fa9.rbs

Filesize
2.5MB

MD5
3d81d03910ff38672d0ca70ed23958fc

SHA1
cb4fd0824332e95d2bf43fb4a070f29a592357f3

SHA256
72e5b63c7c52b0992653d7cc15f385081769ab8105ee71a91bbc901955610461

SHA512
32bd16e74462a106fa4aa7eefd0ade8829391e7c03efa60f57c783593184a9ffdf17b0d06619baeb2a92f02655169bd1bdcf5e752ebd15ea43b0913c2cd5d953

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

Filesize
11KB

MD5
351ea41c61b4b84fbc0a461b1768e104

SHA1
e9fb74d027a25e4298eb751e2ae156c8806428c6

SHA256
36b73da2bc1b809022fa8c8072a52d082a869243dd78b08dfcf75f1146255a31

SHA512
d0b2f30bcce8e324856f6184f50f7bc24ecf220b575c14166a81ebad7acaa3b14250aefce10e095bb90ea0565be85c7638a03ea289f61c46921b800d3b5a5b5f

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
4669d1db0f07515d41f21f308b4b390d

SHA1
3400d9f8ce5541e5fd59f546a7a44d98ca7eb331

SHA256
a6c70813d6afd3c9e191de5127c219d912a11db1a6fda80fd6793a97e5a9e692

SHA512
3b285fa9b2fc63cd8f7b756dfcba56022b67aa4ddf5d40fd4611037af92a31502df43b0c2ffe8f28faf5ae97e69497d540cc4028be1abf42b34cc6433eb307a3

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.cat

Filesize
11KB

MD5
75eb3dc02a8ee04f1f3c96bd80e253a2

SHA1
ace2f9f1eac41cf6bd3dbb2d69530c6f044afefb

SHA256
a27ffe3f719b5f87c694b273af7e5796cf93a495cd195aff25e44e24fecf8e1b

SHA512
3d451852408ac7045c1558fb97a21a61d99bae207e3e28050109170999fcaf7f091108d3a15596946aed55497611110040726bccb939850744c5b628db369a75

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

Filesize
248KB

MD5
2ac0caba931fd7736866c3867f8ca6eb

SHA1
610700909bb66d0842706dbdeb6540bc843a5d89

SHA256
4e619bb6370f4bc4be52f43d6c43f3a86e3e2ce7bb04baadff17d3b731f18f3f

SHA512
cfb1dbd3227941e3f04f366ae661ebe3503ef789e70bc0a438569fbbdc2a2bd89e8d3b978db44e5182f81a0b98b01cc5d70690ebc8d0b5b24a00bba48c3eb866

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
887KB

MD5
166f9409ec301bd79860933cbb8b6708

SHA1
aa51281832ad1767b8480ae48760d0e8e1088710

SHA256
74dbea34d5b2c424281719df754bd1e4a28cc3c03759cc1d38e23b8fc120a7fd

SHA512
13f9953e5da10c778c39228e1b379e24647cecad07e8621220569e8869f84db4ce9c0f82faeccb0ec1935e9a161e052fc446e6dc83868554b8a9631a9627e356

Download Submit
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Filesize
2.6MB

MD5
be3cbab296ab1c9fbbe7dc8e97b06e07

SHA1
1f6a242ff2039606ac558c56e4237cc9a9fe28fd

SHA256
f640902d85cbeed89f1f2237297b2eba3240cb4431c64131f2253331e0b67f6d

SHA512
2742b09e99d45201d2f70df76d9d69369eb666194c39b99627c0d8a06da4de19f3bdc5b83fee7e7f84e7a26db123b5463060b748f4b27eeb3a27049a8589e28a

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
9cbb45c10d1d5920e4d9320e8dde36d4

SHA1
3efb47a5381654a7f996c4049ffcb7ad671f2c3f

SHA256
b97746731c3f8ceb709020ef1be969721b004f001ea2e55f61a0c395d611b109

SHA512
e72d534560789d15a6bdaa481d022fb5111b75e8321f0e1947e653c598e7cb8ed1ca25dcc01a4c341cc7bb0fca133f6c92bbb7f3cfb188fdafa0babc7d558ee1

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
11KB

MD5
421e43a41fac5422bead785c7dafece6

SHA1
4dc22822e5ed15cfaf42864cc0f1e63ebc74d076

SHA256
0d80dc9215057156589b2345f793df8884b6d684e83b1ac725c4e47debd6759e

SHA512
2d3af370d66e54b260c4ee27c01dd6f97111949593b05fdddd9d1b4a58f882982a96a3ae1628a3ddc7dc7a6e2729842723c1fcd62a180700390c6214b1d751c1

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
16ea0763f8e734401a17973aa0aa366c

SHA1
f206e753616e3ffda643a2f9c657df591020ee93

SHA256
23cfad6bdfdac3f08ac6f9d7b79292affe78c834d19939a3a554c2844f54f452

SHA512
0d7504e67cdab21733f95188776f1238c2f532d7aeb372963c221c33f2d971e0745ddc86862935c15ab8ed812a0cd77818cffefab221d5f4cac6ac8d8cf43563

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
ea4f74bf86589c6e8f0fb2866b3820aa

SHA1
17a542351d8cefbc25ba2a184f80a6897566ac7b

SHA256
ade2e8d684cb59bfea99ad09e55bc5f2a808d824c2905ded1366b7d32e906529

SHA512
397a2129d9df502636776d49c62ce2887999f3e24f975905f108bf7c2a7196e0227f20f7644cceba9513384781f2988c6e1ce8047f705c872fb3970ce15466cb

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

Filesize
3KB

MD5
6016637d32182738bfc71e7e86bfa1a3

SHA1
ee76c95ba76286743ab9d3420c58c41e0f1793eb

SHA256
68fca318c6f63b1d46f3a75ad62aedf1977d135411d82e850f09a6e6e7e8765d

SHA512
dc1c2584c8f25b527df9aaebba3ff7cb5ea9427825b1af9f72005f6789aa8502bfe2a16ce1c2229d1ee62b3d553b7792ff943807d753fb5dd50f084cc1815ddc

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf

Filesize
4KB

MD5
4b79c4041164c4d8b24a4f51f25b026a

SHA1
e877f526967674a90108da7be7cf38744e5969c9

SHA256
dbcc2c6f3dc2a68eabc698d2d7d94837e9f79711dd13b414299e20c00c016779

SHA512
8c7ab281df799538f0dd1a2b353c072cb1cada3b57e6aceba5e7f228cecfe5634e26ff05b927d46a6fe0f9e6cdabb4c266cfc1e1a425f04f0f2be9a179bd4a30

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
0b017252806546852e7808267d223e93

SHA1
5018924056e84eaba285bb0de5b18677dc64c518

SHA256
dd54bdd004785dc8e0b0824f49b6ec0665ac0d4623162c3d9dd636ec11dd3a25

SHA512
155c330306ca91a4991ee9a5107a2339630e9cd34696206c7ae1526cd2b9fd092753f52cba2ff8bb0da6bb69fdb19fc6f9aaaef6473b5f5765aacd201573dff7

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
73baef81f0ea58b6dd1b8e38e199e567

SHA1
66e89f5fee1ebfa980160984940bd5fa910b7180

SHA256
b24d35b010526a896ddd4108f10e235054593d79f5939a2d484da12517d351a0

SHA512
978a94895e7a9d88eff50f4b552ba7ebdf73b4654d48590afda8b09cddd3d188d11d4bfcad3cac374348237b69d249467ccf04159c88da9fb783fb65d49f14aa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
6276906d6a4ee29b29ca50b4825d4098

SHA1
b542ea87c12b788c87ed693d549fcffd562c354f

SHA256
73fa8b463ee9a95930d98da3f9dd0637e63f06e8cd510bcaa285d91e4dcae2c7

SHA512
bab6e0947bcc54b95e504e24d5305dbfb7d6c1e60795655a5c308c0a9fd2433bf4449b838f8cbb021479dcf6383f853445f719c8347a7e13f1e05b622b09207a

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
666KB

MD5
6d3c7d2e108cbb7b5389f51ff68bcb9a

SHA1
e47006dbd81b0ad005dfe95339bb54ac59b20f47

SHA256
53ed3512437fbeb4277c24790ce67db048f81b60c3669765541495ef88056b88

SHA512
0b69c294c32beff25e91ccfc5fd3b26ff76e8a92b81b3f69fc0065ae6c8d8a676039303cc5195bff1d71735a1af97f920ed1a9911bcbcd27a7532f7539605fdf

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
55e2cf3645659ef4671142a2d2e94f11

SHA1
374f3423e8776debd590839103e87e6f69f3fe40

SHA256
dc2753729ea8906f330d8dd8723e4dad5fc38a060f6ee0337259576fa57eb22f

SHA512
3833388a9bdea474f645aed448052a53f0d752fd96076a03c367c177c2005dfd1c7816f396fb892160e2f69c730d145469fb194ba70c4147a6845a8b7622f7ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
471B

MD5
d5512c7fbd68833a334fee39b10779ad

SHA1
f475eb72287647bb281f091936ce500672215ef2

SHA256
b7752cb3a31c3af2e78e8a9bb246150e55b7f10e67aa316fbb7d9bcd13d24d4e

SHA512
4538504fab3be00282e36a118983039ded0430378c07f45f2466e2852ec3b407ac652b9a8266cf217ce1de6e82a4fad5cd5b9870728756b177ab9a653063a67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
ec18675e668007dbfd801c3cfab9a996

SHA1
abfcf03f09b8518d1df488b84a25e4ddccd3fc4e

SHA256
0f2b9f01b857130262fbc4cadf57ab52e5dfbaa226f9f180ffe62aaa426bcfd5

SHA512
23f52e4e357bd0f3262828b3fdd775b3ceafd159ed9c0424328a7479d9e692252012673eca97d368b8e0023536a8b12df7c95b4c516f50047d9b701ddb6e5128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
404B

MD5
97e3914c5d06e3ee7c768a669608df15

SHA1
c3b270837ce8ec7da2cab5a8f88a54d11471b534

SHA256
8fb1def38fd6f10292e43fa8f8cdfa2abf41cd46b52778322f92ff3928a0bc87

SHA512
38c257cbb97784d8cec1f1be8d475554e700e0d665451ff4ab9b4b691be6c8fab09a9a7de38d3a601f7bccbc7921cedc4eed4e31967cf69bf1813abe88ec2ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA690.tmp

Filesize
138KB

MD5
4e30acdf81592a067705bc40198efe6e

SHA1
8647e39aac17a0fc1f615df3cce5135e65e2d44c

SHA256
466a171b411bd032d0821a8fc93c7f0d5f06830f78e64601b295e48c47cb3ead

SHA512
2849304549a9463e625f59354498333a8f8b08787e6aecbfa91ea08defc9ef9cf205a31c3f805e861d243fc639bbb1724d2b79ffed97bebd7aabede3d9c47414

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA690.tmp

Filesize
188KB

MD5
ce12d59fbf7ec9dfacd8969f82aeddd7

SHA1
967524679bdb0d6314da5c4998ea0e619a469e38

SHA256
1f57c9cbce0d36876526e8debecba6ce9ed2769f913a003d1854752c874449eb

SHA512
c445c69d5a97e417bb502630fa364abb3f581a224bacdc27adf39eb6b28d0ba2853f03684f7d006eff38ff1c7dbfd6cd3d8d367b2706ae78cc6424b8826d3f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA74D.tmp

Filesize
44KB

MD5
01f337930612619e67057243ab0aa9d8

SHA1
4401d78ba4792f71e4c9d53941a52133867b9fbc

SHA256
b7d7e3dc828935f1b3aaae4fbd0fd0fd7681d5f13cf25d1f2f90b43698a6f056

SHA512
c0092c0e878d0fc49be7e670e5604e2351098ee4973904dd8baf12dfbf53987db245e3512ccb44fd5de4e98161ddee0baec59da714e8c9823789bc1c34d8104f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA75E.tmp

Filesize
11KB

MD5
131e0f9859f7f9abf99df841d2eeaf4b

SHA1
c5a8a3f12c1f44b38fda0a01d82da05d8517029f

SHA256
dee15e2d52b2878dd32770964caeee93406930e34ca393cdc13a7ae19b675c32

SHA512
15d18af2a29245ea8220c7371c41a7358c489759f2ed9062d40bcdb04ce8048e5b59d36a81d3f7315c9ca4efddc3380ec56613e4a75ca89ecd5f8a5b077727a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA77E.tmp

Filesize
40KB

MD5
8a7369e635c62b0ca4eba50d19493fe5

SHA1
ee32717150f48bc8f3e6004f377b6cae22267131

SHA256
1e42fe6ca2eb5eed595d1599f94bfcc87fdd336c2083e49a96bb20d17f16bd1f

SHA512
34b88f72d563317e8ae99940a884ead55ccfc21a2c1c6ea88b8f5b16282c2d939913b2efb52a603aeda3df01038ef5643016caa327c8400906b8097ae900f579

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA77E.tmp

Filesize
297KB

MD5
3e96d4bbea9f87cccdb9f1ba6d14309e

SHA1
1de6ef91b7d961ea5cbd4e23ca14174dc966b4e3

SHA256
b5cc30d5a2678bf4a8d1889e1db385bccac012156562551e6c508e0801e912ff

SHA512
e25fcca4699aaeae4f0953c69b65b2ea150c0049c5cf5e4370e279617d6553461f7ce2729fce049d4118ff66c2cd3f7eb537e0fcd8249fad32ce17373cf4b9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyni5b7nhzu4hleuvuyyyp6p\1coi380vu05q5l7uc2jkdahm.msi

Filesize
15.3MB

MD5
258f587d804e705d0e5ac94805786a67

SHA1
f0c9ca722346639f91cae329f55293860e27a0b2

SHA256
e6876d11cf979adc24485b9c2849453112ca9b06e1a932629ac3c3dc3659fcc7

SHA512
1f5ef58a0e7675262c86fd3c514a234faabdfeea772c808bf6124df35d19cebfddbbb6169e99feddf2e6dd9e163864a4a0821fe654afa6773392a6101c75cf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyni5b7nhzu4hleuvuyyyp6p\1coi380vu05q5l7uc2jkdahm.msi

Filesize
1.1MB

MD5
41faa5e5ed3ed82944798c4a6bbda2e4

SHA1
d82d0e13d9da9d27ed384aea56a7813a8a31dc3a

SHA256
96269d46be10f6ead88b9af81243ca695ff588a2043f0a64ce7bca6617c97535

SHA512
8768af81f8914b674340021f1a85f0eaf61361aba4e38b4c126c5249bb44ae78e1e77c38618bf2905dbbf6ed2801cb87d8052652121bb0c017062676408081ae

Download Submit
C:\Windows\Installer\MSI945E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI9934.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSIACDE.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
148KB

MD5
a0b3ecf0c531e8004ab92d70ec6375da

SHA1
01ce1affe226f1f4d0b8413058401e32cb2a4a1f

SHA256
87bfacce01c160ec076da89e91fd3135ea3fac38b2e5e370554a7aff2edf7263

SHA512
073712bdc51bfbc2552add2cc1c59fe41e0039bf265d42953b89202463f51873cbcda16557132c2d1d00257c60689bcaf0602a88cf0f67bdd20d40b44ca98446

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
148KB

MD5
165b0c27c46feff78d667ac320134dda

SHA1
7ed8474fbb01b11e07740a00ed5c878fcc041c69

SHA256
1b8d1425954e722cd9dab4499baf1db2524f5695828b3865ad0422526ae297c5

SHA512
981edb831c8f8f88a317a13b728bcaca6d3343fbff185f0c67a51db59dc6d79d71d197c322ad98f59c624790bc49ad68fc51223124ea6c3dec37b9cae717fcd2

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
149KB

MD5
1d3b410ca55b8c05cdbaaa5dc9417ed1

SHA1
b24b559c7c5893b1f9ca2b76fe1f7c4a42ea42e6

SHA256
611b9b685ae24fb97d8d9fe089de5c0939642f8eeeeeeb295740a825f8bb651e

SHA512
b63b3a39ceddb17e7de98b58911fb8be94bf4b15d3f45038dd96d59c8c20241a68de0ae1b0e046c6602ff615d5cb1ec7779b13b3887fa1ad3fe1a4f843e864d6

Download Submit
C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\VBoxNetLwf.cat

Filesize
11KB

MD5
6d9d62401ebc8d8b48e6724c2e162d2e

SHA1
7d64d6c2b98e6545382a5c3ec31bc71e2d6b3035

SHA256
e308cfc6edf3b6e969a115eeb111d0fefe0be93e00856ab1280459dd83a9f93f

SHA512
46244a02f61d6048630312a0827f0141b8e99501d367a6feeaa5d9ae5c157f98969dc50642ad4d03b5863b196456d8d903241b1077809d280b860bd6aba6bee4

Download Submit
C:\Windows\System32\DriverStore\Temp\{3c10ced6-1f98-2e4d-a912-8b481afd816c}\VBoxNetLwf.sys

Filesize
259KB

MD5
96a60dbff3c4c7217741e0007d0f4abb

SHA1
1651f89d9ab8455dd4458f605bee3a4ce429e42c

SHA256
cd3af3b853c27626fcfc85997feead0a48e56d618e2129f62fe1b96a203a44c7

SHA512
bb7de376b7fbb8e8dcf2a49f9c4e195510ae5895d0f612dd9f80fa56197b55b81cd31151bdcacafc616c7998513cca81192460e09b9a433f9b688d706ebf3d48

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
a7343d0b4ad121c67a6189136ec7bfca

SHA1
b5934ea344de10a9ba6be62e0f4a938e4687cd75

SHA256
a278bb155c4b949df15890d638131b8424207f9d12698ae444b6ce2f00ed80a7

SHA512
3ae0b298a134709f20eb44486c3f176e2845f43ded1520a8ba0e3e2c215dcf476c91f3402f4d57975ec4e35a770be6d719200eda652f3cfe29cfea27c0de982b

Download Submit
\??\Volume{23ef4afe-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{caa227dc-dccb-4817-be8d-bea0bc954dcc}_OnDiskSnapshotProp

Filesize
6KB

MD5
0b7e9f4527ad147a969b0011ce79af32

SHA1
86c05efcb2c70d187a082bbfb1eb3ddf090485ec

SHA256
132cb1673703a4edcde7189aeffc803fd25a3202495813ae1a995559d9535f04

SHA512
01bd4b994b34be60612264c476f88cb5588415731e082f5c745717aad203b8a1654867b24a5848489a27faface4efcab625e3f0c7add506db51910d203bae0ab

Download Submit
memory/3580-542-0x00007FF7B0930000-0x00007FF7B0BB4000-memory.dmp

Filesize
2.5MB

Download
memory/3580-543-0x00007FFD28100000-0x00007FFD28641000-memory.dmp

Filesize
5.3MB

Download
memory/3580-545-0x000001D7C40F0000-0x000001D7C4100000-memory.dmp

Filesize
64KB

Download
memory/3580-544-0x00007FFD299A0000-0x00007FFD2B57E000-memory.dmp

Filesize
27.9MB

Download
memory/3580-557-0x000001D7C67E0000-0x000001D7C6BBC000-memory.dmp

Filesize
3.9MB

Download
memory/3580-558-0x000001D7C40F0000-0x000001D7C4100000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads