Malware Analysis Report

2025-01-18 22:27

Sample ID 240503-r7k7gshe7z
Target BoxDrive.msi
SHA256 83accb81725dea5372a13799d6d77ba9769de7c985506220e52cbc9acbe5e3d6
Tags

adware persistence stealer

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

83accb81725dea5372a13799d6d77ba9769de7c985506220e52cbc9acbe5e3d6

Threat Level: Known bad

The file BoxDrive.msi was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Adds autorun key to be loaded by Explorer.exe on startup

Drops file in Drivers directory

Modifies Shared Task Scheduler registry keys

Adds Run key to start application

Modifies Installed Components in the registry

Blocklisted process makes network request

Installs/modifies Browser Helper Object

Drops desktop.ini file(s)

Sets file execution options in registry

Enumerates connected drives

Drops file in System32 directory

Registers COM server for autorun

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 14:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 14:50

Reported

2024-05-03 14:53

Platform

win10-20240404-en

Max time kernel

134s

Max time network

139s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BoxDrive.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57948f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57948f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95D7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9720.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI979E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI97CE.tmp C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)


Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4588 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4588 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4588 wrote to memory of 4528 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4588 wrote to memory of 4528 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4588 wrote to memory of 4528 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BoxDrive.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DD850B1E4B1BCC804BE3075DECD9A353

Network

Country Destination Domain Proto
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI76755.LOG


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_1087D831978A422F28E1D1E590C230EB


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_1087D831978A422F28E1D1E590C230EB


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB


C:\Windows\Installer\MSI95D7.tmp


\??\Volume{38fc7460-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{360c9508-9aad-4426-b54d-9f65996dd679}_OnDiskSnapshotProp


\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2


C:\Windows\Installer\MSI97CE.tmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 14:50

Reported

2024-05-03 14:53

Platform

win10v2004-20240419-en

Max time kernel

52s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BoxDrive.msi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CallbackTechMountNotificator-cbfsconnect2017 = "{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CallbackTechMountNotificator-cbfsconnect2017 = "{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}" C:\Program Files\Box\Box\FS\streem.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\cbfsconnect2017.sys C:\Program Files\Box\Box\FS\streem.exe N/A

Modifies Shared Task Scheduler registry keys

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375} = "Virtual Storage Mount Notification" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375} = "Virtual Storage Mount Notification" C:\Program Files\Box\Box\FS\streem.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Box = "\"C:\\Program Files\\Box\\Box\\Box.exe\"" C:\Windows\system32\msiexec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Program Files\Box\Box\FS\streem.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}' C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}'\ = "Virtual Storage Mount Notification" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}'\NoInternetExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}' C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}'\ = "Virtual Storage Mount Notification" C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}'\NoInternetExplorer = "1" C:\Program Files\Box\Box\FS\streem.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BoxUI.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BoxUI.exe\GlobalFlag = "512" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\streem.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\streem.exe\GlobalFlag = "512" C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\cbfsconnectevtmsg.dll C:\Program Files\Box\Box\FS\streem.exe N/A
File opened for modification C:\Windows\system32\cbfsconnectevtmsg.dll C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Windows\system32\cbfsconnectMntNtf2017.dll C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Windows\SysWOW64\cbfsconnectMntNtf2017.dll C:\Program Files\Box\Box\FS\streem.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Box\Box\BoxShellExtShim-2.37.142.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\_bz2.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\base_library.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\SHA1\vpnpbus.cat C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\ia64\SHA1\vpnpbus.inf C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\_hashlib.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\_sqlite3.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\ko-KR\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\sv-SE\BoxPrompt.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\zh-TW\BoxPrompt.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\SHA1\vpnpbus.cat C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\UI\BoxUI.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\ru-RU\BoxPrompt.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\cryptography\hazmat\bindings\_rust.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\it-IT\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\pythoncom310.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\vpnpbus.cat C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\cbfsconnectNetRdr2017.dll C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\win32event.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\pl-PL\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\BoxAvailableOffline.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\BoxPrompt.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\runtimes\win-x64\native\WebView2Loader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\vpnpbus.inf C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\certifi\cacert.pem C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\sqlite3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\Thrift45.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\WixToolset.Dtf.WindowsInstaller.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\SHA1\cbfsconnect2017.sys C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\vpnpbus.sys C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Box.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\bn-IN\BoxPrompt.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\fi-FI\BoxPrompt.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\fi-FI\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\_asyncio.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\Microsoft.Web.WebView2.WinForms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\cbfsconnect2017.sys C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\SHA1\vpnpbus.sys C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\vpnpbus.inf C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\cbfsconnectMntNtf2017.dll C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\CommandLine.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\VCRUNTIME140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\libssl-1_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\wrapt\_wrappers.cp310-win_amd64.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\ia64\SHA1\cbfsconnect2017.sys C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\ia64\SHA1\vpnpbus.cat C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\ia64\cbfsconnectMntNtf2017.dll C:\Program Files\Box\Box\FS\streem.exe N/A
File created C:\Program Files\Box\Box\_socket.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\SyncUIIPC.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\nl-NL\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\BoxPrompt.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\_yappi.cp310-win_amd64.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\psutil\_psutil_windows.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\WindowsFolder.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\zh-TW\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\InstallerHelper.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\FS\streem.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\_queue.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\en-GB\BoxPrompt.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\win32trace.pyd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\UI\bn-IN\BoxUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\SHA1\cbfsconnect2017.sys C:\Program Files\Box\Box\FS\streem.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\concrt140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\concrt140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\msvcp140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\vcruntime140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e576fc1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{E7CCF045-D43F-4B57-84F8-B112EAA83136} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\vccorlib140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI71E5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI84B9.tmp-\Box.Desktop.Installer.CustomActions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7863.tmp-\Box.Desktop.Installer.CustomActions.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\boxicon_1.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9238.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9238.tmp-\WixToolset.Dtf.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\e576fc1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7863.tmp-\WixToolset.Dtf.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7863.tmp-\Box.Updater.Common.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_1.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9238.tmp-\Box.Desktop.Installer.CustomActions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7293.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\boxicon_1.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI84B9.tmp-\Box.Updater.Common.dll C:\Windows\system32\rundll32.exe N/A
File created C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_1.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_4.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_3.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI911D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9238.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7167.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI84B9.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI911D.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7525.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\msvcp140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI84B9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7545.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_4.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_2.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI911D.tmp-\WixToolset.Dtf.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7863.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI911D.tmp-\Box.Updater.Common.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI84B9.tmp-\WixToolset.Dtf.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI911D.tmp-\Box.Desktop.Installer.CustomActions.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7205.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\vcruntime140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e576fc5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9238.tmp-\Box.Updater.Common.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI7863.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_3.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\ext_2.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI735F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\540FCC7EF34D75B4488F1B21AE8A1363\2.37.142\vccorlib140.dll.A5C49E27_90D3_35F6_A5E8_DB6F691C3C33 C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Program Files\Box\Box\FS\streem.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A
N/A N/A C:\Program Files\Box\Box\Box.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C8BC94-4A51-413B-B927-829449EAFA75}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{8D0A4E1B-C25A-4AF8-8DA7-531929C02958}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}\InprocServer32\ = "C:\\Windows\\system32\\cbfsconnectMntNtf2017.dll" C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{551FA783-BF39-4CC0-9ADD-34E431E0CE34}\InprocServer32 C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{345B91D6-935F-4773-9926-210C335241F9}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F178C11B-B6C5-4D71-B528-64381D2024FC}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D0A4E1B-C25A-4AF8-8DA7-531929C02958}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04B9BDFA-0C53-4F36-A77F-51F53E3EF3EC}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B927815-D431-48B1-A746-6FF91FB35431}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2FFF193C-5891-4B26-B363-40D3B5257FE9}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{345B91D6-935F-4773-9926-210C335241F9}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{04B9BDFA-0C53-4F36-A77F-51F53E3EF3EC}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BBBCFB6-60E2-4C0F-BB31-10434068E2BE}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F178C11B-B6C5-4D71-B528-64381D2024FC}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D0A4E1B-C25A-4AF8-8DA7-531929C02958}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{551FA783-BF39-4CC0-9ADD-34E431E0CE34}\InprocServer32\ = "C:\\Windows\\system32\\cbfsconnectMntNtf2017.dll" C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BBBCFB6-60E2-4C0F-BB31-10434068E2BE}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BBBCFB6-60E2-4C0F-BB31-10434068E2BE}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{8BBBCFB6-60E2-4C0F-BB31-10434068E2BE}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{1B927815-D431-48B1-A746-6FF91FB35431}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{2FFF193C-5891-4B26-B363-40D3B5257FE9}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2FFF193C-5891-4B26-B363-40D3B5257FE9}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F178C11B-B6C5-4D71-B528-64381D2024FC}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{345B91D6-935F-4773-9926-210C335241F9}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C8BC94-4A51-413B-B927-829449EAFA75}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04B9BDFA-0C53-4F36-A77F-51F53E3EF3EC}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73C8BC94-4A51-413B-B927-829449EAFA75}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D0A4E1B-C25A-4AF8-8DA7-531929C02958}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{69F20FCD-D555-44FB-BF6C-9A1BB31D8375}\InprocServer32 C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B927815-D431-48B1-A746-6FF91FB35431}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1B927815-D431-48B1-A746-6FF91FB35431}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2FFF193C-5891-4B26-B363-40D3B5257FE9}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{04B9BDFA-0C53-4F36-A77F-51F53E3EF3EC}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{73C8BC94-4A51-413B-B927-829449EAFA75}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{551FA783-BF39-4CC0-9ADD-34E431E0CE34}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files\Box\Box\FS\streem.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Box.exe = "11000" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\BoxUI.exe = "11000" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\BoxUI.exe = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Box.exe = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a8f5de66-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a8f5de66-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a8f5de66-0000-0000-0000-d01200000000} C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Box\Box\FS\streem.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Program Files\Box\Box\FS\streem.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{345B91D6-935F-4773-9926-210C335241F9}\ = "Box" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Paul - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Zira - English (United States)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; address=NativeSupported; message=NativeSupported; url=NativeSupported; currency=NativeSupported; alphanumeric=NativeSupported" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E1192D2-8667-4987-A464-824357FC4857}\2.0\0\win64\ = "C:\\Program Files\\Box\\Box\\Temp\\cbfsconnect2017-Box\\x64\\cbfsconnectMntNtf2017.dll" C:\Program Files\Box\Box\FS\streem.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR Engine (11.0) Text Normalization" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim32-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\tn1041.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "407" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BoxDesktop.gslides\shell\ = "open" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BoxDesktop.gslide\DefaultIcon\ = "C:\\Windows\\Installer\\{E7CCF045-D43F-4B57-84F8-B112EAA83136}\\ext_3.exe,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "{57523D96-B7F6-4D2C-8AFC-BCC5F5392E94}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\MSTTSLocfrFR.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D0A4E1B-C25A-4AF8-8DA7-531929C02958}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{8D0A4E1B-C25A-4AF8-8DA7-531929C02958}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Has seleccionado %1 como voz predeterminada." C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Haruka" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{2FFF193C-5891-4B26-B363-40D3B5257FE9}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech SW Voice Activation - Japanese (Japan)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "SR fr-FR Lookup Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BoxDesktop.gslides\shell\open C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73C8BC94-4A51-413B-B927-829449EAFA75}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B927815-D431-48B1-A746-6FF91FB35431}\InProcServer32\ = "C:\\Program Files\\Box\\Box\\BoxShellExtShim32-2.37.142.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{345B91D6-935F-4773-9926-210C335241F9}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{1B927815-D431-48B1-A746-6FF91FB35431}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "MS-1041-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\540FCC7EF34D75B4488F1B21AE8A1363\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Female" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\TTS\\it-IT\\MSTTSLocitIT.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\boxdrive C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2E1192D2-8667-4987-A464-824357FC4857}\2.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Julie - French (France)" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Elsa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{73C8BC94-4A51-413B-B927-829449EAFA75} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83FBE3B2-E43E-4A5A-BE16-4D03809CBEBF}\InProcServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Mark" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "40A;C0A" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Male" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "Microsoft Zira" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BoxDesktop.gsheet\shell\open\command C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A
N/A N/A C:\Program Files\Box\Box\ui\BoxUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 4564 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3820 wrote to memory of 4564 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3820 wrote to memory of 3376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3820 wrote to memory of 3376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3820 wrote to memory of 3376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3820 wrote to memory of 4844 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3820 wrote to memory of 4844 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4844 wrote to memory of 2460 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 4844 wrote to memory of 2460 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 4844 wrote to memory of 3548 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 4844 wrote to memory of 3548 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3548 wrote to memory of 868 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Box\Box\FS\streem.exe
PID 3548 wrote to memory of 868 N/A C:\Windows\system32\rundll32.exe C:\Program Files\Box\Box\FS\streem.exe
PID 868 wrote to memory of 4392 N/A C:\Program Files\Box\Box\FS\streem.exe C:\Windows\system32\rundll32.exe
PID 868 wrote to memory of 4392 N/A C:\Program Files\Box\Box\FS\streem.exe C:\Windows\system32\rundll32.exe
PID 868 wrote to memory of 4392 N/A C:\Program Files\Box\Box\FS\streem.exe C:\Windows\system32\rundll32.exe
PID 3820 wrote to memory of 3612 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3820 wrote to memory of 3612 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3612 wrote to memory of 4392 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3612 wrote to memory of 4392 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3612 wrote to memory of 4504 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3612 wrote to memory of 4504 N/A C:\Windows\System32\MsiExec.exe C:\Windows\system32\rundll32.exe
PID 3820 wrote to memory of 3640 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Box\Box\Box.exe
PID 3820 wrote to memory of 3640 N/A C:\Windows\system32\msiexec.exe C:\Program Files\Box\Box\Box.exe
PID 3640 wrote to memory of 3732 N/A C:\Program Files\Box\Box\Box.exe C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 3732 N/A C:\Program Files\Box\Box\Box.exe C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 2096 N/A C:\Program Files\Box\Box\Box.exe C:\Program Files\Box\Box\ui\BoxUI.exe
PID 3640 wrote to memory of 2096 N/A C:\Program Files\Box\Box\Box.exe C:\Program Files\Box\Box\ui\BoxUI.exe
PID 2096 wrote to memory of 3832 N/A C:\Program Files\Box\Box\ui\BoxUI.exe C:\Windows\explorer.exe
PID 2096 wrote to memory of 3832 N/A C:\Program Files\Box\Box\ui\BoxUI.exe C:\Windows\explorer.exe
PID 2096 wrote to memory of 3832 N/A C:\Program Files\Box\Box\ui\BoxUI.exe C:\Windows\explorer.exe
PID 2096 wrote to memory of 3832 N/A C:\Program Files\Box\Box\ui\BoxUI.exe C:\Windows\explorer.exe
PID 2096 wrote to memory of 3832 N/A C:\Program Files\Box\Box\ui\BoxUI.exe C:\Windows\explorer.exe
PID 2096 wrote to memory of 3832 N/A C:\Program Files\Box\Box\ui\BoxUI.exe C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\BoxDrive.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C1E529DFDC7BC7F1536BD68B3F531801

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding BFB8E0EC2691567407AE2DE6C066ADFC E Global\MSI0000

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI7863.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240613578 41 Box.Desktop.Installer.CustomActions!CustomActions.CustomActions.CreateFallbackDeviceIDKey

C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe

"C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI84B9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240616656 47 Box.Desktop.Installer.CustomActions!Box.Desktop.Installer.CustomActions.CbfsInstallerCustomActions.InstallCbfs

C:\Program Files\Box\Box\FS\streem.exe

"C:\Program Files\Box\Box\FS\streem.exe" --install-cbfs --cbfs-cab-path "C:\Program Files\Box\Box\FS\cbfsconnect.cab"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\SysWOW64\regsvr32.exe" /n /s /i:"cbfsconnect2017-Box" "C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\cbfsconnectMntNtf2017.dll"

C:\Windows\system32\WerFault.exe

"C:\Windows\system32\WerFault.exe" -s -t 3228 -i 868 -e 868 -c 0

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 2CD7F0A27D4B93E1C5FDF2E294507B26

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI911D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240619843 65 Box.Desktop.Installer.CustomActions!CustomActions.CustomActions.KillExplorer

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI9238.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240620109 75 Box.Desktop.Installer.CustomActions!CustomActions.CustomActions.GenerateDeviceId

C:\Program Files\Box\Box\Box.exe

"C:\Program Files\Box\Box\Box.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files\Box\Box\ui\BoxUI.exe

"C:\Program Files\Box\Box\ui\BoxUI.exe" --product-name Box

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\WerFault.exe

"C:\Windows\system32\WerFault.exe" -s -t 1508 -i 2096 -e 2096 -c 0

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 cdn07.boxcdn.net udp
US 104.18.34.223:443 cdn07.boxcdn.net tcp
US 8.8.8.8:53 223.34.18.104.in-addr.arpa udp
US 104.18.34.223:443 cdn07.boxcdn.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 219.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI73aa7.LOG

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_1087D831978A422F28E1D1E590C230EB

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_1087D831978A422F28E1D1E590C230EB

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

C:\Windows\Installer\MSI7167.tmp

\??\Volume{a8f5de66-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82e7f9ce-64ef-4014-9cfc-7627171750fa}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Windows\Installer\MSI7293.tmp

C:\Windows\Installer\MSI7545.tmp

C:\Windows\Installer\MSI7863.tmp

C:\Windows\Installer\MSI7863.tmp-\Box.Desktop.Installer.CustomActions.dll

C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe

C:\Program Files\Box\Box\Box.Desktop.UpdateService.exe.config

C:\Program Files\Box\Box\Box.Updater.Common.dll

C:\Program Files\Box\Box\Logger.dll

C:\Program Files\Box\Box\MetricsCollector.dll

C:\Windows\Installer\e576fc5.msi

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

C:\Windows\Installer\MSI84B9.tmp-\CustomAction.config

C:\Windows\Installer\MSI84B9.tmp-\WixToolset.Dtf.WindowsInstaller.dll

C:\Program Files\Box\Box\FS\streem.exe

C:\Program Files\Box\Box\FS\cbfsconnect.cab

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\ia64\SHA1\vpnpbus.inf

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\cbfsconnectevtmsg.dll

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\cbfsconnectMntNtf2017.dll

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\i386\cbfsconnectMntNtf2017.dll

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\cbfsconnect2017.sys

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\cbfsconnectNetRdr2017.dll

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\SHA1\vpnpbus.cat

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\vpnpbus.sys

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\vpnpbus.cat

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\SHA1\vpnpbus.sys

C:\Program Files\Box\Box\Temp\cbfsconnect2017-Box\x64\SHA1\cbfsconnect2017.sys

C:\Config.Msi\e576fc4.rbs

C:\Windows\Installer\MSI9238.tmp-\Box.Updater.Common.dll

C:\Users\Admin\AppData\Local\Box\Box\data\analytics_metrics.db

C:\Users\Admin\AppData\Local\Box\Box\data\cacert.pem

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\TZRV4DXW\microsoft.windows[1].xml

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
