hxxps://download[.]virtualbox[.]org/virtualbox/7[.]0[.]14/VirtualBox-7[.]0[.]14-161095-Win[.]exe

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.virtualbox.org/virtualbox/7.0.14/VirtualBox-7.0.14-161095-Win.exe

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET7B31.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET7B31.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET7DC1.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET7DC1.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe

Loads dropped DLL 15 IoCs

pid	Process
5208	MsiExec.exe
5208	MsiExec.exe
5208	MsiExec.exe
5208	MsiExec.exe
5456	MsiExec.exe
5456	MsiExec.exe
5456	MsiExec.exe
2304	MsiExec.exe
5456	MsiExec.exe
5456	MsiExec.exe
1064	MsiExec.exe
1064	MsiExec.exe
1064	MsiExec.exe
1064	MsiExec.exe
1064	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.14-161095-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.sys	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\SET8DE0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\SET8DDF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\VBoxUSB.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\SET8DE0.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\SET8DDE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\SET8DDE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_4DC22822E5ED15CFAF42864CC0F1E63EBC74D076\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2acd05c8-a062-1a44-9caa-5d24b2b18105}\SET8DDF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_6389ef9a2a816fc1\VBoxUSB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxLibSsh.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt5_unattended.sif	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\fedora_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5PrintSupportVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAudioTest.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt6_unattended.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestControlSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol8_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WinExtrasVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_response_files.rsp	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ka.qm	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5959fd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F81.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8DDF4B7A-DE1A-4619-B426-959B44E40A87}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D00.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI64FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6ABC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{8DDF4B7A-DE1A-4619-B426-959B44E40A87}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\e5959fd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F03.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI6A4E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI642F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65B9.tmp	msiexec.exe
File created	C:\Windows\Installer\{8DDF4B7A-DE1A-4619-B426-959B44E40A87}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI64AD.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 47 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ed06fb648d6ef2080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ed06fb640000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ed06fb64000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ded06fb64000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ed06fb6400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	msiexec.exe
2240	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncreaseQuotaPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSecurityPrivilege	2240	msiexec.exe
Token: SeCreateTokenPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeLockMemoryPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncreaseQuotaPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeMachineAccountPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeTcbPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSecurityPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeTakeOwnershipPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeLoadDriverPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemProfilePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemtimePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeProfSingleProcessPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncBasePriorityPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePagefilePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePermanentPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeBackupPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeRestorePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeShutdownPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeDebugPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeAuditPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemEnvironmentPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeChangeNotifyPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeRemoteShutdownPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeUndockPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSyncAgentPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeEnableDelegationPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeManageVolumePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeImpersonatePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateGlobalPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateTokenPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeLockMemoryPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncreaseQuotaPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeMachineAccountPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeTcbPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSecurityPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeTakeOwnershipPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeLoadDriverPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemProfilePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemtimePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeProfSingleProcessPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeIncBasePriorityPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePagefilePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreatePermanentPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeBackupPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeRestorePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeShutdownPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeDebugPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeAuditPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSystemEnvironmentPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeChangeNotifyPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeRemoteShutdownPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeUndockPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeSyncAgentPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeEnableDelegationPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeManageVolumePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeImpersonatePrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateGlobalPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeCreateTokenPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeAssignPrimaryTokenPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe
Token: SeLockMemoryPrivilege	4972	VirtualBox-7.0.14-161095-Win.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4972	VirtualBox-7.0.14-161095-Win.exe
4972	VirtualBox-7.0.14-161095-Win.exe
4972	VirtualBox-7.0.14-161095-Win.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 5208	2240	msiexec.exe	125
PID 2240 wrote to memory of 5208	2240	msiexec.exe	125
PID 2240 wrote to memory of 5328	2240	msiexec.exe	133
PID 2240 wrote to memory of 5328	2240	msiexec.exe	133
PID 2240 wrote to memory of 5456	2240	msiexec.exe	137
PID 2240 wrote to memory of 5456	2240	msiexec.exe	137
PID 2240 wrote to memory of 2304	2240	msiexec.exe	139
PID 2240 wrote to memory of 2304	2240	msiexec.exe	139
PID 2240 wrote to memory of 2304	2240	msiexec.exe	139
PID 2240 wrote to memory of 1064	2240	msiexec.exe	143
PID 2240 wrote to memory of 1064	2240	msiexec.exe	143
PID 3224 wrote to memory of 5428	3224	svchost.exe	145
PID 3224 wrote to memory of 5428	3224	svchost.exe	145

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.virtualbox.org/virtualbox/7.0.14/VirtualBox-7.0.14-161095-Win.exe
1⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3340 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=1412 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5316 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5848 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5948 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6268 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6148 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6980 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x33c
1⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7028 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:2432

C:\Users\Admin\Downloads\VirtualBox-7.0.14-161095-Win.exe
"C:\Users\Admin\Downloads\VirtualBox-7.0.14-161095-Win.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 504AD932370FDCCE9D5D175BE53A178D C
  2⤵
  - Loads dropped DLL
  PID:5208
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5328
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DD2496C5A79278A9DBEFA2AB89B1C563
  2⤵
  - Loads dropped DLL
  PID:5456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7FFE68B75FA3E210CF76613645B23557
  2⤵
  - Loads dropped DLL
  PID:2304
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1691C1304F1AC40FAEFBD8C7111AFA23 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=7288 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:5340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "000000000000013C" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=4332 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=5152 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=2192 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:1
1⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6428 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:5444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

Filesize
11KB

MD5
351ea41c61b4b84fbc0a461b1768e104

SHA1
e9fb74d027a25e4298eb751e2ae156c8806428c6

SHA256
36b73da2bc1b809022fa8c8072a52d082a869243dd78b08dfcf75f1146255a31

SHA512
d0b2f30bcce8e324856f6184f50f7bc24ecf220b575c14166a81ebad7acaa3b14250aefce10e095bb90ea0565be85c7638a03ea289f61c46921b800d3b5a5b5f

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
4669d1db0f07515d41f21f308b4b390d

SHA1
3400d9f8ce5541e5fd59f546a7a44d98ca7eb331

SHA256
a6c70813d6afd3c9e191de5127c219d912a11db1a6fda80fd6793a97e5a9e692

SHA512
3b285fa9b2fc63cd8f7b756dfcba56022b67aa4ddf5d40fd4611037af92a31502df43b0c2ffe8f28faf5ae97e69497d540cc4028be1abf42b34cc6433eb307a3

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
9cbb45c10d1d5920e4d9320e8dde36d4

SHA1
3efb47a5381654a7f996c4049ffcb7ad671f2c3f

SHA256
b97746731c3f8ceb709020ef1be969721b004f001ea2e55f61a0c395d611b109

SHA512
e72d534560789d15a6bdaa481d022fb5111b75e8321f0e1947e653c598e7cb8ed1ca25dcc01a4c341cc7bb0fca133f6c92bbb7f3cfb188fdafa0babc7d558ee1

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
11KB

MD5
421e43a41fac5422bead785c7dafece6

SHA1
4dc22822e5ed15cfaf42864cc0f1e63ebc74d076

SHA256
0d80dc9215057156589b2345f793df8884b6d684e83b1ac725c4e47debd6759e

SHA512
2d3af370d66e54b260c4ee27c01dd6f97111949593b05fdddd9d1b4a58f882982a96a3ae1628a3ddc7dc7a6e2729842723c1fcd62a180700390c6214b1d751c1

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
16ea0763f8e734401a17973aa0aa366c

SHA1
f206e753616e3ffda643a2f9c657df591020ee93

SHA256
23cfad6bdfdac3f08ac6f9d7b79292affe78c834d19939a3a554c2844f54f452

SHA512
0d7504e67cdab21733f95188776f1238c2f532d7aeb372963c221c33f2d971e0745ddc86862935c15ab8ed812a0cd77818cffefab221d5f4cac6ac8d8cf43563

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
ea4f74bf86589c6e8f0fb2866b3820aa

SHA1
17a542351d8cefbc25ba2a184f80a6897566ac7b

SHA256
ade2e8d684cb59bfea99ad09e55bc5f2a808d824c2905ded1366b7d32e906529

SHA512
397a2129d9df502636776d49c62ce2887999f3e24f975905f108bf7c2a7196e0227f20f7644cceba9513384781f2988c6e1ce8047f705c872fb3970ce15466cb

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
0b017252806546852e7808267d223e93

SHA1
5018924056e84eaba285bb0de5b18677dc64c518

SHA256
dd54bdd004785dc8e0b0824f49b6ec0665ac0d4623162c3d9dd636ec11dd3a25

SHA512
155c330306ca91a4991ee9a5107a2339630e9cd34696206c7ae1526cd2b9fd092753f52cba2ff8bb0da6bb69fdb19fc6f9aaaef6473b5f5765aacd201573dff7

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
73baef81f0ea58b6dd1b8e38e199e567

SHA1
66e89f5fee1ebfa980160984940bd5fa910b7180

SHA256
b24d35b010526a896ddd4108f10e235054593d79f5939a2d484da12517d351a0

SHA512
978a94895e7a9d88eff50f4b552ba7ebdf73b4654d48590afda8b09cddd3d188d11d4bfcad3cac374348237b69d249467ccf04159c88da9fb783fb65d49f14aa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
896KB

MD5
553cec908850f2449a515ce31977a674

SHA1
cf804e4f97379793ace32c8b7f128e951db2164e

SHA256
0e828e54655e75c19797599d4c948d03ab8f7a2f5ecda087c4959da7e223cdc0

SHA512
7665b07d0e4e1b465c6923c20cd0b82b223f821a3584c11ff822a3910698fb749ab4360dab33ddd81bfff3205c6c171862f60ab4f10abf8f5b4d9a66bc49e227

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI197E.tmp

Filesize
297KB

MD5
3e96d4bbea9f87cccdb9f1ba6d14309e

SHA1
1de6ef91b7d961ea5cbd4e23ca14174dc966b4e3

SHA256
b5cc30d5a2678bf4a8d1889e1db385bccac012156562551e6c508e0801e912ff

SHA512
e25fcca4699aaeae4f0953c69b65b2ea150c0049c5cf5e4370e279617d6553461f7ce2729fce049d4118ff66c2cd3f7eb537e0fcd8249fad32ce17373cf4b9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1B84.tmp

Filesize
116KB

MD5
37cf3b572729154e54b2c85b22641866

SHA1
7bff730ee23523a86ac86f46f1f713f98dae871b

SHA256
d5af9756fe144a339a105ac720a92e8146975fa03037bf42375509bc622a41f4

SHA512
7722e6e71d223c9b0e03d3d5096f1d40620290e1637cd3faf6fd5477bd773cc7c01981bc56b965139ce6c16a6222339f26d7d2039d09b648707e6a8677555695

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1B84.tmp

Filesize
128KB

MD5
26825ce6939281205c70f3fee4f72df1

SHA1
26d40ae01a27387cc5feda4bbcdf99b19afd309d

SHA256
c168d5701159cbeabc2ee3f9a5d614e36f84c45ec911056ad114ce189a2d6dd2

SHA512
275ca33690ba393e68eaec7c22b767112f4f770d387b45483665a41568edbe74d39e0c9b7c1d26150bbc3ea1e02b51877a1cdc7464c1c166088ff5af044f7d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\zg25g7ijlgxca3ychwtpeegl\7rlbj5gc9zrviaxnqvgwpg9s.msi

Filesize
15.0MB

MD5
565228c5eb83e383426b80f369ccac83

SHA1
9b87cbd4b4a52d6b1799473df303a9390dc14a9a

SHA256
056aaab9f5bf4f460764c2fb26023d11c35fb0f9408200076da5411cbbe1ee02

SHA512
b7e8d34653b3499680d9dc840dfa9e6cc33568b4b727806740de23028698d09d1c8e7a8a59edc8743e332038659c2b2446a8b21dd962f37df44ee9c705186782

Download Submit
C:\Users\Admin\AppData\Local\Temp\zg25g7ijlgxca3ychwtpeegl\7rlbj5gc9zrviaxnqvgwpg9s.msi

Filesize
1.8MB

MD5
ede88dcc5d24f97dabea239aaa7a49ad

SHA1
d2bb943ae7731dbd6421ec6b1c425d63cf709c01

SHA256
fb11c3ed4ef9c0e8d221b5f6dba129997ff36ebbc9b476552705aa1b6cd0eb49

SHA512
8c3997ce2b69f805c241380122148bc6a5fe151781bdc44c20b8c0c21b4beb0ec9f18ffcad1d94e99d3ebd31cd10d5395d11c7fccb58a71b5848ba7324e123c8

Download Submit
C:\Windows\Installer\MSI64FD.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI6ABC.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSI7A31.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\MSI7E1B.tmp

Filesize
640KB

MD5
920ab6b163ea72729154736e7fe92fd8

SHA1
d7ab63bc2b7727d5f618e7312544f8bcb6090f28

SHA256
47072f9ec526ce6c3ffd0197602dd3537fe3d31da8f349e3802a08f6d8b84989

SHA512
cb9a6cd651086553157151a9354f42c2bcfa4fa1fc2579fca484c1124958787b7ea950bdf4c5ec5b21bb3a9bbbbc068d0867bb4988b7a649715964682aa1a3d5

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
e5f0ad39b013a57b64293dff8fc66a4d

SHA1
164a462d765fa61b3e83b87e49c0f9ae054d4f4d

SHA256
57a9d1a2f2d736fb89fc531ee661b0ca2f19d6f2d50ff7f874abbaa7ace9235b

SHA512
3696657bb27700a7b33823eafc940621773b54a0111b2c41f7259905f01d02e31822b82218260586b993fdc267431c247ad051aec937aa70d37c64ff40156308

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
19KB

MD5
e50df1b827da1becbdc5a7daffca36f0

SHA1
58917653c78644ae8a7e91acfe55e99c73752150

SHA256
685510a039566ed2a1c6ffbbbe9fd6d829d34209253df788b62c865b83103da2

SHA512
9b7565c5f9be595ccd28494ae33bc7654a8c88c1bd99f58281eeaa328f8977b2e1bcaaaf2d87e4876d96bcce8082e588aae94d3519110b81fe59f54cb000ea18

Download Submit
C:\Windows\System32\DRVSTORE\VBoxSup_5018924056E84EABA285BB0DE5B18677DC64C518\VBoxSup.sys

Filesize
557KB

MD5
8d30aebec1324a38700e7c0081b3a211

SHA1
b78900260ef79c45df2e847cbe2660bde05856ec

SHA256
e9e6261affb00410b1967a8adfd3bafec8ee8435951210cc367e6ba917a65662

SHA512
9b4744af154152627f6f3194cc1ad0cfefae0f4f0045f723727e1849306201056d6e1761d4d04b025f88927c53eac1ededbd91f5bdda3cf7b37f73cedf9b3f4e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
6.4MB

MD5
7cc07c777aea9d7a42363951e04b86d2

SHA1
c99d6496fce703970203edd65d190bec60b9887d

SHA256
3008788604680d440e7567d11d91819fe9a8af664c67414b4ae7371e75a7845e

SHA512
4dc01113c6fdb2483054bad0c8a3399c475fb87c5af06c1c20479ec2c3ddd685e87ef8a30997403c5831e9518696755fd0dec781e578cd4dcc405c71d23057fd

Download Submit
\??\Volume{64fb06ed-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b6c61590-f7e5-49f4-8114-2a91fa804b62}_OnDiskSnapshotProp

Filesize
6KB

MD5
3b5647dacc860ecc4949861ce3c4cda4

SHA1
1bd977d00efbf27d8700bfbddcc80ade5129797f

SHA256
f5efed0ecbdf9043b43a9fbd7bf8e51ee9c32f9917b269a61ef03888eb5bf8ee

SHA512
208e57a6764392903c0c680e5c48804f590f9a04bb1ab3dfd07523aa21850f65fdfd704dc30e778a36ba7a60dace535b93e4cb03e377936056215119967d8241

Download Submit