2fb44977d3329e55e8b61408ab4af5239ecd3d80c5990fb5cd6bd0c91a854d62

Analysis

max time kernel
185s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 04:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.0.16-162802-Win.exe
Size

106.1MB
MD5

5f6a8d381b1b622f168359515c0a5428
SHA1

53eca4549abfa5ea8daf19eaa182c0bbb0f2b35a
SHA256

2fb44977d3329e55e8b61408ab4af5239ecd3d80c5990fb5cd6bd0c91a854d62
SHA512

68691dcba2effdde006cc1f9d9cc973f11cb531afef11ea2d144d70a5c999822d68d24807584d4212f92b39996a9978c44aafb55df610b5194356cdaaa3e5e18
SSDEEP

3145728:7MJjEDfPXdWDLpN9ZMuxAELVqMV9p6Ox7GX0Ik4Ebx:7wETfdWHHnxAI7yu7GX+4E1

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETA2F7.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETB9BC.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETB9BC.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETA2F7.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETA43F.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETA43F.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETB45C.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETB45C.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.16-162802-Win.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05ebf62074d05277\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05ebf62074d05277\VBoxUSB.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\SETB7C9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_9C89CB0C12E03C10C5E519920A9889B3DF24FD0E\VBoxUSBMon.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05ebf62074d05277\VBoxUSB.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_07c66270d65d7517\vboxnetlwf.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\VBoxNetAdp6.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxSup_9234ADAB429A567BD7BDDF3E990472199AEE9F61\VBoxSup.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxusb.inf_amd64_05ebf62074d05277\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_50e0206614e8393f\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\SETB7B7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\SETB7C9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\SETB364.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\VBoxNetLwf.inf	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_9C89CB0C12E03C10C5E519920A9889B3DF24FD0E\VBoxUSBMon.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\SETB7B7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_9234ADAB429A567BD7BDDF3E990472199AEE9F61\VBoxSup.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\SETA50A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\SETB352.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\SETB353.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_07c66270d65d7517\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_9234ADAB429A567BD7BDDF3E990472199AEE9F61\VBoxSup.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxUSBMon_9C89CB0C12E03C10C5E519920A9889B3DF24FD0E\VBoxUSBMon.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\SETA50A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\SETB352.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\SETB353.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_50e0206614e8393f\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\SETB7C8.tmp	DrvInst.exe
File created	C:\Windows\system32\DRVSTORE\VBoxSup_9234ADAB429A567BD7BDDF3E990472199AEE9F61\VBoxSup.cat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\SETA50B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\SETA51B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\VirtualBox\VBoxSDS.log	VBoxSDS.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\VBoxUSB.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\SETA51B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\VBoxNetLwf.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1a0467c2-43cd-2f4d-a2e4-755112a90487}\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_50e0206614e8393f\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_07c66270d65d7517\VBoxNetLwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\VBoxUSB.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a24f819f-88a1-204e-8828-9e0a129672ce}\SETA50B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\SETB7C8.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat67_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel5_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\License_en_US.rtf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5SqlVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qminimal.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHostChannel.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\styles\qwindowsvistastyle.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel3_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxClient-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDR0.r0	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.VisualElementsManifest.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxWebSrv.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\rhel4_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\lgw_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qch	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD2.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_postinstall.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRes.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_70px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_id.qm	msiexec.exe

Drops file in Windows directory 44 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e579201.msi	msiexec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC0E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ED04AD5D-C4A4-4112-A6FC-7DA557F358D1}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File created	C:\Windows\Installer\e5791ff.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB321.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5791ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI958A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI983F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI989D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA47A.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI94CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB758.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB778.tmp	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File created	C:\Windows\INF\oem5.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI9C67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CA7.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\{ED04AD5D-C4A4-4112-A6FC-7DA557F358D1}\IconVirtualBox	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIBC2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA245.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{ED04AD5D-C4A4-4112-A6FC-7DA557F358D1}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9659.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2168	VirtualBox.exe
1980	VBoxSVC.exe
5232	VBoxSDS.exe

Loads dropped DLL 41 IoCs

pid	Process
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe
3364	MsiExec.exe
2144	MsiExec.exe
2144	MsiExec.exe
2144	MsiExec.exe
2144	MsiExec.exe
4540	MsiExec.exe
2144	MsiExec.exe
2144	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
4276	MsiExec.exe
2144	MsiExec.exe
2144	MsiExec.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
2168	VirtualBox.exe
1980	VBoxSVC.exe
1980	VBoxSVC.exe
5232	VBoxSDS.exe
5232	VBoxSDS.exe
1980	VBoxSVC.exe

Registers COM server for autorun 1 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	VirtualBox.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003013bddf4a62308e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003013bddf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003013bddf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3013bddf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003013bddf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	MsiExec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97C78FCD-D4FC-485F-8613-5AF88BFCFCDC}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F89464F-7773-436A-A4DF-592E4E537FA0}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCF47A1D-ED70-4DB8-9A4B-2646BD166905}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74ab5ffe-8726-4435-aa7e-876d705bcba5}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{243829CB-15B7-42A4-8664-7AA4E34993DA}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9B6E1AEE-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86A98347-7619-41AA-AECE-B21AC5C1A7E6}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2F7FAE4-4A06-81FC-A916-78B2DA1FA0E5}\ProxyStubClsid32	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{966303D0-36A8-4180-8971-18650B0D1055}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BA329DC-659C-488B-835C-4ECA7AE71C6C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{FF58A51D-54A1-411C-93E9-3047EB4DCD21}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CB6F0F2C-8384-11E9-921D-8B984E28A686}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DAAF9016-1F04-4191-AA2F-1FAC9646AE4C}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\ProxyStubClsid32	VirtualBox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B5DDB370-08A7-4C8F-910D-47AABD67253A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E28E227A-F231-11EA-9641-9B500C6D5365}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{CC830458-4974-A19C-4DC6-CC98C2269626}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4B1B5F4-8CDF-4923-9EF6-B92476A84109}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01510F40-C196-4D26-B8DB-4C8C389F1F82}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41304F1B-7E72-4F34-B8F6-682785620C57}\ = "IExtPackFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D984A7E-B855-40B8-AB0C-44D3515B4528}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CADEF0A2-A1A9-4AC2-8E80-C049AF69DAC8}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB000A0E-2079-4F47-BBCC-C6B28A4E50DF}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\NumMethods\ = "44"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B55CF856-1F8B-4692-ABB4-462429FAE5E9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{00727A73-000A-4C4A-006D-E7D300351186}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6620DB85-44E0-CA69-E9E0-D4907CECCBE5}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{758D7EAC-E4B1-486A-8F2E-747AE346C3E9}\NumMethods\ = "23"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{A3D2799E-D3AD-4F73-91EF-7D839689F6D6}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D947ADF5-4022-DC80-5535-6FB116815604}\NumMethods\ = "14"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6AC83D89-6EE7-4E33-8AE6-B257B2E81BE8}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A54D9CCA-F23F-11EA-9755-EFD0F1F792D9}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxSDS.1\CLSID\ = "{74AB5FFE-8726-4435-AA7E-876D705BCBA5}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6ddef35e-4737-457b-99fc-bc52c851a44f}	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{334DF94A-7556-4CBC-8C04-043096B02D82}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C984D15F-E191-400B-840E-970F3DAD7296}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DD6A1080-E1B7-4339-A549-F0878115596E}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1474BB3A-F096-4CD7-A857-8D8E3CEA7331}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}\ = "IUSBDeviceFilters"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C1844087-EC6B-488D-AFBB-C90F6452A04B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\NumMethods\ = "44"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{78861431-D545-44AA-8013-181B8C288554}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{813C99FC-9849-4F47-813E-24A75DC85615}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\TypeLib	VirtualBox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{081FC833-C6FA-430E-6020-6A505D086387}\NumMethods	VirtualBox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59A235AC-2F1A-4D6C-81FC-E3FA843F49AE}\ = "IFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{300763AF-5D6B-46E6-AA96-273EAC15538A}\ = "IMachine"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8E3496E-735F-4FDE-8A54-427D49409B5F}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9E106366-4521-44CC-DF95-186E4D057C83}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0447716-FF5A-4795-B57A-ECD5FFFA18A4}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27C0B3D-6038-422C-B45E-6D4A0503D9F1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2168	VirtualBox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	msiexec.exe
2788	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2168	VirtualBox.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeIncreaseQuotaPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSecurityPrivilege	2788	msiexec.exe
Token: SeCreateTokenPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeAssignPrimaryTokenPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeLockMemoryPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeIncreaseQuotaPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeMachineAccountPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeTcbPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSecurityPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeTakeOwnershipPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeLoadDriverPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSystemProfilePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSystemtimePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeProfSingleProcessPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeIncBasePriorityPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreatePagefilePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreatePermanentPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeBackupPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeRestorePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeShutdownPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeDebugPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeAuditPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSystemEnvironmentPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeChangeNotifyPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeRemoteShutdownPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeUndockPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSyncAgentPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeEnableDelegationPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeManageVolumePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeImpersonatePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreateGlobalPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreateTokenPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeAssignPrimaryTokenPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeLockMemoryPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeIncreaseQuotaPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeMachineAccountPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeTcbPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSecurityPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeTakeOwnershipPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeLoadDriverPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSystemProfilePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSystemtimePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeProfSingleProcessPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeIncBasePriorityPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreatePagefilePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreatePermanentPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeBackupPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeRestorePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeShutdownPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeDebugPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeAuditPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSystemEnvironmentPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeChangeNotifyPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeRemoteShutdownPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeUndockPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeSyncAgentPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeEnableDelegationPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeManageVolumePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeImpersonatePrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreateGlobalPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeCreateTokenPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeAssignPrimaryTokenPrivilege	692	VirtualBox-7.0.16-162802-Win.exe
Token: SeLockMemoryPrivilege	692	VirtualBox-7.0.16-162802-Win.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
692	VirtualBox-7.0.16-162802-Win.exe
692	VirtualBox-7.0.16-162802-Win.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	VirtualBox.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3364	2788	msiexec.exe	92
PID 2788 wrote to memory of 3364	2788	msiexec.exe	92
PID 2788 wrote to memory of 3452	2788	msiexec.exe	107
PID 2788 wrote to memory of 3452	2788	msiexec.exe	107
PID 2788 wrote to memory of 2144	2788	msiexec.exe	109
PID 2788 wrote to memory of 2144	2788	msiexec.exe	109
PID 2788 wrote to memory of 4540	2788	msiexec.exe	110
PID 2788 wrote to memory of 4540	2788	msiexec.exe	110
PID 2788 wrote to memory of 4540	2788	msiexec.exe	110
PID 2788 wrote to memory of 4276	2788	msiexec.exe	111
PID 2788 wrote to memory of 4276	2788	msiexec.exe	111
PID 4020 wrote to memory of 1608	4020	svchost.exe	113
PID 4020 wrote to memory of 1608	4020	svchost.exe	113
PID 2788 wrote to memory of 208	2788	msiexec.exe	117
PID 2788 wrote to memory of 208	2788	msiexec.exe	117
PID 2788 wrote to memory of 208	2788	msiexec.exe	117
PID 4020 wrote to memory of 4520	4020	svchost.exe	118
PID 4020 wrote to memory of 4520	4020	svchost.exe	118
PID 4020 wrote to memory of 5508	4020	svchost.exe	120
PID 4020 wrote to memory of 5508	4020	svchost.exe	120
PID 692 wrote to memory of 2168	692	VirtualBox-7.0.16-162802-Win.exe	121
PID 692 wrote to memory of 2168	692	VirtualBox-7.0.16-162802-Win.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.16-162802-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.16-162802-Win.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:692
- C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
  "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 720A97F7F10C400377E0EEF2C355636C C
  2⤵
  - Loads dropped DLL
  PID:3364
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3452
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding AE1B1F815D0ED860D376386FDE974F84
  2⤵
  - Loads dropped DLL
  PID:2144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C5B690888CD93659F1E8C37F9F17009C
  2⤵
  - Loads dropped DLL
  PID:4540
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B7F927B645B790C49112925353DECA97 E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9353AE7D39BC7D0C382148439A225803 M Global\MSI0000
  2⤵
  PID:208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf" "9" "48f6bcb47" "000000000000013C" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Oracle\VirtualBox\drivers\USB\device"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf" "9" "473b17b7b" "0000000000000160" "WinSta0\Default" "0000000000000164" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4520
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf" "9" "431e52bcb" "0000000000000164" "WinSta0\Default" "0000000000000154" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5508

C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980

C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe
"C:\Program Files\Oracle\VirtualBox\VBoxSDS.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579200.rbs

Filesize
2.6MB

MD5
8c543d5ac592522e738867461084d0cc

SHA1
ffb2912e16d4f0420d1292e92f28160e6f7335b7

SHA256
56ea04906a9bee8b9a75959655484079f47938ca1ae89f76d3dee46973e68fe1

SHA512
ceae08c38103500adc8e35dca12712981e282c9a8cc4770ade087970687c2bd0322d2b050bf833161876d65638fefdf34f29e28632e8955b2311693f852df32d

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.cat

Filesize
11KB

MD5
a248543a64474dc1b1e2b0dbb5bb240d

SHA1
f42e407e2bc109e03651443542a6f11aabd99ccc

SHA256
595dee8737f6bc3045e950b263c0ba6326e02cc039351b9e1f76f61565c0d907

SHA512
b3e539c6403fefaf530a4aa00ca85e033213ea962b7a3c2cbaad097448c3c10222411cdf8fb41b8deffbc8843ade17dc67ef192f2f9818447d77262577c371f1

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\USB\device\VBoxUSB.sys

Filesize
184KB

MD5
f6348f8c0f8c9540c599593b2d30a89e

SHA1
0cdb705890ef3fd5d242df4b13dabf425eb1b0ff

SHA256
52d3b5294c16a7bfbde38b0fed8335b4fb7cb7853fb59c2c8cee3efb5933c521

SHA512
c6e386c9db148111ae07c14688ac0b8bd2efd0c1cfeb5cca297e5f1ea29cc723dcc4b1481154085400d5e78b3d91e360e0e53d88c8f1b4adacd34da4e5ca2c63

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.cat

Filesize
11KB

MD5
cf0d4c8af5bd5912448ce28f45dddd48

SHA1
c6cddb49e2cc8230eb80aa737a08720a3e6aca74

SHA256
5c13e3007e07ece5bc09b288caa618b62b8fc9c3c1e55e696379ee808340c185

SHA512
554a193123d64addf53ea48606d63a6eb698992d530ddeeaa56781edf5946879af05085ec7b63fa5222180921812a43d92f9e10f44460fc0f375f73bd9263e5b

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

Filesize
248KB

MD5
a80d1f16ac8c34a64b3bd77bc4e4f872

SHA1
186cff26b3204d7f86c50528e74b8d23e1be5a43

SHA256
6845118d468d6137a2f41f3d6cf4b4122656a583659eb7e5917365079f640adc

SHA512
cd4af7be76cf78e060c5ca3e9fa5926aea1e5e02f03cdd64a0b783330fbb20aea02e9509b130d7d9139f0c5fb8e1480bbc5fe82e422db42db68ed78a2e1c2d20

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
887KB

MD5
983416bbd5e0546c0ed52eb86f18e1fb

SHA1
16b1c5139260ba846932943a4174c66059c3b3ca

SHA256
79b1e256915f89f0c3c103ae96097c3476091cd61ea912868572f995b587c951

SHA512
e69e82e66860dc022877e351af3b72c65f528f692a48d7f8f31a4f3d8a59fee5736ba01191dc46df958acdab44f6b8d7fee0ba77a07b38603918fd61deedc598

Download Submit
C:\Program Files\Oracle\VirtualBox\VirtualBox.exe

Filesize
2.6MB

MD5
bf9d27544c8da7c6aa64bf06a117117b

SHA1
376a46ee1473dfb5aa528bfb1f48295d2961033b

SHA256
059f0273578c56fc5b51bbf645396b51ce4b6067489e18c7c9f7a983caa240eb

SHA512
3167a2ae3e460dbf829a3d53b8551d8a1e14aadbeded401447105c4745142cf9e7bc3c41b71f2c6a367c6bac36cc5ad2da3fcda29ede1d09a2cb7df11e5c5426

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.inf

Filesize
2KB

MD5
a526fcb464e27b0c2291bb79a98e7853

SHA1
2efcdf4ae5fd16ec4cf286456449244576c35231

SHA256
0690bbee48fe92cc7dd00e55791212175432e12662c20a644147a3ca8f52c046

SHA512
bc78d8966936db843fd0e7fcaa6130711b6412eff47654154de3ab34e3346d29ae76d2e405c155364d953fcd229f04e32ded28b7e0ac72548ac14a62db5ee35f

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.cat

Filesize
11KB

MD5
c892340a557957489afa992ea31e4ba7

SHA1
9c89cb0c12e03c10c5e519920a9889b3df24fd0e

SHA256
18be9a5acd600d64e925fbe77ff38a4ace42014d965e9b09cf69b3c5371fca07

SHA512
7dfe49e973795154a2e725d5d008ed86c99a6b12b5fd8c15381ec92714b61832f70a67bf7058c08be5700e532898fe994cd34c50454b0518139bd2bdba35c69f

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.inf

Filesize
3KB

MD5
a0f1c7815280e4640aa0257f42eb438e

SHA1
a3f3f509c0de218f2f3e569bed1beeaad971300e

SHA256
08dd010f2ccb05d7f0766bfd404b775e7379214f4f74b829b85f4fd0b9d0d245

SHA512
073e3ac7edd414470b8f1d1d5b639e847e6c270604dedb0317d846e17aa2448ebf44835c338e7c3e47f0b145b2826b6e7cff03e17fca92d815e5f68a966e3065

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys

Filesize
199KB

MD5
99e5ef6c3e898218149e1030f70bcada

SHA1
b6af7fb81dd44e262da8fe2216e6f50b76cb457b

SHA256
b6e4bf1b1d8702630cee588c8e6be5f4aa618af147e3c48442acdb66f44bba4c

SHA512
dd8f142d73914e6e27991770cc54e2953464e22035cb98e9b7b0999114e45aab9befd3af1b396b6d7c6bcba0bd9fdb71a1e47864b4d2cba9580d1f00dce9ee87

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

Filesize
3KB

MD5
9a3bf9a037804314e14a7e3723a68b9b

SHA1
725f20a3f9c372f6703e1659bfc58b6e094ed5d1

SHA256
77b41c3a8e09a9a24a13e76bf1dd172b07950b086542ef3450333e3ff0a03b1f

SHA512
814c3cdc26dd1a744ee635c28c1ac9e06e212a0d939ac84ffde59892f6abab6cf2a1276b7b63f8bcb1bf50ecab7d651526c0b580cd7814230057dfd4165f195d

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat

Filesize
11KB

MD5
a419d475105429fa2397a8d13056221b

SHA1
9234adab429a567bd7bddf3e990472199aee9f61

SHA256
8916663dfc49ce70bf477c5f0313bd9c78e7a3ead5e0373b3f6488f35e048191

SHA512
819468d130fffe2e44451399c76646072a5483307ea330e9755415f184ddd8e94267cf6f3abb57cc967deb58f07da331e6ba9ced3c2adfca701b80e6e03dfe04

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf

Filesize
3KB

MD5
15013374fbfd1bed15e3c9d43bfd373e

SHA1
ca3fe426dfd1153ce7fd39cebf4cb888e69c0654

SHA256
8f89a77d192f72eaed366563ea24aa44fd1cee1837dbc3f70578b27813262642

SHA512
73fdf34760a09cebfec3ef03f9735f2d2fbce54f8f01435030f0cc7afbcd80d8a87a5c5c5952100792fc342b0f4d21a79240b48a940687d5cea227b818ea90e7

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.sys

Filesize
1.0MB

MD5
fe44426a75420dccc159da547133456b

SHA1
99cdc1f9195115e3b6d4b3657790b086b568da1c

SHA256
c1ddd573e00c379da2c5c8e955d9a7853d3f4ac3e4584f5abefebe1f7ca2a853

SHA512
aa85deeab743e4d8eaba58db98fae2a7440c8ad99b2e4d4c4260b42a0925945537977c98bc52c2e8bcf5c366a8ebd02420c049b0f0980383ff58aaba249a5aab

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
666KB

MD5
25a2471239513d8694374ebbf43b823b

SHA1
54e1ebf4762b3322d84631ff01aa48b06e69e357

SHA256
433862bef2d31d946f4f195a8aced29e1096e45e56de863b4bd92419836a8781

SHA512
525c7fa20bb225ecf5c8518c5ca6610786e5dd3e76f0905910132279518b496ff3be526a407953f36ace9af61c9d862698a5f35678df7d6a1db19d8f2e686281

Download Submit
C:\Users\Admin\.VirtualBox\VirtualBox.xml

Filesize
1KB

MD5
d9d28bd2ef7192fb0efb99607d7a0807

SHA1
7fb6f32f1c0f227118613dd7779e1bf0a6e2ce4a

SHA256
dad710b076d96b3de34a58363a3241935bfe205b7240ce57f9d85bf2058e6dd5

SHA512
e058987d5fd8ea6cd3c3081c7ac45ce1e3719c4a38b46390133b19539fad35a0d8ad699023a3d934d18e3356cb6def62bd197b5a32ad496b620469c55d9efb13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
c4ae2e5546d1d1cddf5c458027c2bf36

SHA1
16c54904e4be4bff93f6bde2b223a5bb257150fe

SHA256
fcb396c990b74afc267c8121612cb3ec4875a2ae200ee405696f3c7cc9139d28

SHA512
ddb0411cf538fa15cb33fa50096de4c14fe8b76bf25d9938a916d5ea3ea012cc7cd90a6dd432a72aabc2c1cc4c60ab17a441e37c33471b1b473f6b81cbbc6dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
471B

MD5
92aa820b5ab81237fa52c2c8db134b13

SHA1
af8ee6f4b3d6ea4e1c3b0ea08ac2c27d484bb788

SHA256
c679676046e21b5e8ee9847cf95d892dbeb68dd398d5364d6c35bb97eb3c9568

SHA512
6368e59393c8fb72989d4f7a82faaecee6829d1e16b8c08bf53795011806b1e0058d8f886dac1a3e229c3e28ccfae0035c65ce661d34b213571926b8a6f61c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
e8cd6a835951cdd4aa0ffee31fbac60e

SHA1
458a117263709a1e1cfeecd28f3fca144dda79ae

SHA256
f204dfc853db380debec641541382e2c8763c5f2f4fdfb52b19dc78d412613d1

SHA512
2e67e9202ed895706c56a48fe8975f25404886db8c6b432bc161cb26c0005da90dbe418c152f772b8de32d6f9b83dfc888d8de865bbab6876eb14a19df575aeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_683B8EA584E734D2258F215F97D5554B

Filesize
404B

MD5
3957c3535b91a476e5d8e1797a2a686c

SHA1
41b37c4a893026f2bbc27312b7eb21c0fd1d1636

SHA256
2f7ba08ab6e4bff8552ee26b1815dce1e9739fc6b90accefcd8fddd00cf15d61

SHA512
e484231a6e228e3bd24694a65e41eae44bc85737f24843eb170a1edcaea462c050bbc7ce4b4be1b58792a78434331cf5e165dc1e4ddecc4123f490bd3273ba88

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3EBE.tmp

Filesize
334KB

MD5
af3265e9034acb6495c2ef2c3a815969

SHA1
7cd1730e9b7a6f16999ac46287c7254279acdb50

SHA256
3b26c0951c46edf00257d10a6f86d82e35189db24ca774e06b8a6b4c58a753c2

SHA512
e7584cd50badc102fd8ac2120a98e6da2818366c69b94a1a62d13a9d89bba107f37d89656cfcadd37f4c18780e9279bcbeb112b348f230046518718a287c3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8v3ixqzqejlc7opqgxokfts\8s6zmf5j094hycqbuyxija1j.msi

Filesize
105.5MB

MD5
c1dc7a40ed171beacfa07daa8b832ede

SHA1
77ac388f822a2b119e25aeca41c7ae81e25f5e66

SHA256
4799e281a8c8fb5ffdcac791d9bd1bacee280a7111620861044cb5bf12e4e0d5

SHA512
37485a847539c556b173fe96a8e9f1485edc846be26cd0649059a5c296c9df2a7374a39dc0befc2e4793c2fad745f5713aac2c81886230858c71f264b8a6f4e0

Download Submit
C:\Windows\Installer\MSI95EB.tmp

Filesize
234KB

MD5
8edc1557e9fc7f25f89ad384d01bcec4

SHA1
98e64d7f92b8254fe3f258e3238b9e0f033b5a9c

SHA256
78860e15e474cc2af7ad6e499a8971b6b8197afb8e49a1b9eaaa392e4378f3a5

SHA512
d26c9dce3c3d17583ffb5dbcd3989f93b096a7f64a37a2701a474c1bf4b8c8b1e922c352d33f24e411f1c793e1b4af11a3aec1de489087d481b1b636df2050cd

Download Submit
C:\Windows\Installer\MSI989D.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSIA245.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
22KB

MD5
b0648b7b50ebda4ae3b03fd66dc8708b

SHA1
eb7c32e79d37ec21598bcb50fecd48f0da938b80

SHA256
3e0de853ff2ddf8b8fc0ee3a1a8b5cbd703896eca329c4d7ba1834f248189237

SHA512
84b8843c7f1523732162a91e5bf27fb1e7189d4f248710271b3a5944bb69d79938e2317dc7184b69f668a559b30a7c24c1166f92ca047e13436376a82893e399

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
22KB

MD5
7a1965158e6f0ab55fbe3dcec841354a

SHA1
fa7c38b8b5fcdf5636cca61dca1e4ccaf49bb83e

SHA256
29d5cc3c1dc66d197eac178c72a04ea054a1f5a0cb57b80729c914b8056b953e

SHA512
39902f6a18fe6c03bf10af54309dc728da5626e6b5123eb94b0cf28a8fde7f966e03b3d0c95f367a471accbfa54849c74bbcf91accac424d2b7b5746c1763a9b

Download Submit
C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\VBoxNetLwf.cat

Filesize
11KB

MD5
035dee8dc971f4453bf8ebfad0fe2b84

SHA1
81fa4e47a76405894e3001e9cef4fcc6ad137e52

SHA256
862190e8017dfbd8540379ee61acc0b5d6829e664ab4dca9928622e4df2692bc

SHA512
f92d31623396af51772c8aa0eb14826eab3cb0a6fd8c6f223e0e48431c84f3c94674c34edacbc2b11de59792ef057aace17851f41a1fa4af3a01bb3efb1740a1

Download Submit
C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\VBoxNetLwf.inf

Filesize
4KB

MD5
d8583ce91e8f12941a07fed65aea7503

SHA1
fb5a8142941b102c41f5577094e7a210d585be02

SHA256
7f390c13fc10ff293b641527d34833334080839e05704236f9d3dd1070fbd38d

SHA512
843812c9d9824c0bfae536a5e7f6abde9b4b676117a18440cb685c40529a4f8b52bb6c312a33362e0816a29ca883d57fa312166d444a384bc79205c13c72aa7c

Download Submit
C:\Windows\System32\DriverStore\Temp\{94e9cdbf-df92-7b42-9c06-84035ebd08cb}\VBoxNetLwf.sys

Filesize
259KB

MD5
7c7c82cd0ca2a085642a2bd7fd5b96e0

SHA1
4acd6bc241b92fb56999a4c23438217e77c5863d

SHA256
382ba434508383e9d8f9a341292278fee5042393a898c2cd73c861d645fafe79

SHA512
7d31e57635e002255d74cb8dfe15b90d00b43b82e8a3acb99a5c332667a1d876addfafde64230015e88c66f88e6372304f32675038c9ac92e237c61e8f680c56

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
22KB

MD5
f215c6b41cb83d620e025f0660da5250

SHA1
1fc0e38e42d53fadc814a0955b8339abcedefc2f

SHA256
684d2dfdbecfc1f5fa2fa0570a93c69e7957773013950d8f5aeb62c8c2167abc

SHA512
74e34a963d0b7647ecb118b699a6a2a1748221d0ee3f84e27b1782139ac2d85524363c3dd8e150025f9c1f0718c03446e3e87eebb52ab78aacc6aac28fb81f9b

Download Submit
memory/2168-548-0x00007FFFD6C60000-0x00007FFFD883E000-memory.dmp

Filesize
27.9MB

Download
memory/2168-584-0x000002765CF50000-0x000002765CF60000-memory.dmp

Filesize
64KB

Download
memory/2168-549-0x0000027657C80000-0x0000027657C90000-memory.dmp

Filesize
64KB

Download
memory/2168-546-0x00007FF7141A0000-0x00007FF714424000-memory.dmp

Filesize
2.5MB

Download
memory/2168-570-0x0000027657C80000-0x0000027657C90000-memory.dmp

Filesize
64KB

Download
memory/2168-571-0x000002765CE50000-0x000002765CE60000-memory.dmp

Filesize
64KB

Download
memory/2168-572-0x000002765CE60000-0x000002765CE70000-memory.dmp

Filesize
64KB

Download
memory/2168-573-0x000002765CE70000-0x000002765CE80000-memory.dmp

Filesize
64KB

Download
memory/2168-574-0x000002765CE80000-0x000002765CE90000-memory.dmp

Filesize
64KB

Download
memory/2168-575-0x000002765CE90000-0x000002765CEA0000-memory.dmp

Filesize
64KB

Download
memory/2168-576-0x000002765CEA0000-0x000002765CEB0000-memory.dmp

Filesize
64KB

Download
memory/2168-577-0x000002765CEB0000-0x000002765CEC0000-memory.dmp

Filesize
64KB

Download
memory/2168-578-0x000002765CED0000-0x000002765CEE0000-memory.dmp

Filesize
64KB

Download
memory/2168-579-0x000002765CF00000-0x000002765CF10000-memory.dmp

Filesize
64KB

Download
memory/2168-580-0x000002765CF10000-0x000002765CF20000-memory.dmp

Filesize
64KB

Download
memory/2168-581-0x000002765CF20000-0x000002765CF30000-memory.dmp

Filesize
64KB

Download
memory/2168-582-0x000002765CF30000-0x000002765CF40000-memory.dmp

Filesize
64KB

Download
memory/2168-583-0x000002765CF40000-0x000002765CF50000-memory.dmp

Filesize
64KB

Download
memory/2168-585-0x000002765CF60000-0x000002765CF70000-memory.dmp

Filesize
64KB

Download
memory/2168-547-0x00007FFFD3080000-0x00007FFFD35C1000-memory.dmp

Filesize
5.3MB

Download
memory/2168-586-0x000002765CF70000-0x000002765CF80000-memory.dmp

Filesize
64KB

Download
memory/2168-590-0x000002765CFB0000-0x000002765CFC0000-memory.dmp

Filesize
64KB

Download
memory/2168-589-0x000002765CFA0000-0x000002765CFB0000-memory.dmp

Filesize
64KB

Download
memory/2168-595-0x000002765D000000-0x000002765D010000-memory.dmp

Filesize
64KB

Download
memory/2168-594-0x000002765CFF0000-0x000002765D000000-memory.dmp

Filesize
64KB

Download
memory/2168-593-0x000002765CFE0000-0x000002765CFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-592-0x000002765CFD0000-0x000002765CFE0000-memory.dmp

Filesize
64KB

Download
memory/2168-591-0x000002765CFC0000-0x000002765CFD0000-memory.dmp

Filesize
64KB

Download
memory/2168-588-0x000002765CF90000-0x000002765CFA0000-memory.dmp

Filesize
64KB

Download
memory/2168-587-0x000002765CF80000-0x000002765CF90000-memory.dmp

Filesize
64KB

Download
memory/2168-597-0x000002765CF90000-0x000002765CFA0000-memory.dmp

Filesize
64KB

Download
memory/2168-598-0x000002765CFA0000-0x000002765CFB0000-memory.dmp

Filesize
64KB

Download
memory/2168-599-0x000002765CFB0000-0x000002765CFC0000-memory.dmp

Filesize
64KB

Download
memory/2168-600-0x000002765CFC0000-0x000002765CFD0000-memory.dmp

Filesize
64KB

Download
memory/2168-601-0x000002765CFD0000-0x000002765CFE0000-memory.dmp

Filesize
64KB

Download
memory/2168-602-0x000002765CFE0000-0x000002765CFF0000-memory.dmp

Filesize
64KB

Download
memory/2168-603-0x000002765CFF0000-0x000002765D000000-memory.dmp

Filesize
64KB

Download
memory/2168-604-0x000002765D000000-0x000002765D010000-memory.dmp

Filesize
64KB

Download